Re: Gen-ART review of draft-dukhovni-opportunistic-security-01

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jul 10, 2014 at 05:16:15PM -0700, Martin Thomson wrote:

> Major issues:
> 
> This misses one of the key principles behind opportunistic security:

Strongly disagree.  Opportunistic security does not always downgrade
to unauthenticated or unencrypted communication.  For example, with
opportunistic use of DANE TLS, authentication is enforced for peers
with usable TLSA records, while communication with other peers is
unauthenticated or perhaps even unencrypted.

So in fact, this draft specifically, and deliberately leaves the
door open for MiTM-resistant authentication of peers for which some
suitable mechanism (DANE, TOFU, ...) makes authentication possible.

> Insistence on failure, as opposed to downgrade or some lesser level
> of security - a characteristic of non-opportunistic security - elicits
> responses from users to work around the problem (accept the bad
> certificate, suppress certificate checking, etc...).

For MTA-to-MTA SMTP there is no user to click OK.  Not all applications
are web browsers.

> The willingness
> of an opportunistic security implementation to accept unvalidated
> credentials means that it still benefits from resilience against
> passive attack.  This is only really noted through an example of a
> "design blunder".

Opportunistic security is NOT a synonym for unauthenticated
encryption.

> The document skirts around it's key goal: defining OS.  Section 2
> needs to start with a definition. The paragraph that follows the list
> in S2 is a reasonable attempt at that and could be tweaked fairly
> perform that function.

The definition is a summary of the design principles.  We're defining
an umbrella term for a family of protocols sharing a design
philosophy.  It is helpful to set out the design principles first, and
then state that OS protocols are those that adhere the design principles,
and amplify the key points.

> The Security Considerations is a response to an unstated argument, but
> I think that the document needs to be clearer about what that argument
> is, i.e.:
> 
> The willingness of an OS implementation to downgrade can be
> trivially exploited by an active attacker to strip an opportunistic
> mechanisms.

The Security Considerations section says that some protection is
strictly better than no protection.  Thus it is often OK to accept
some protection, even if some risks are left unmitigated.

> Section 3 is unnecessary in its entirety:

No terminology section required?  It is a subset of the Terminology
from Steve Kent's draft.  If it is felt that all the requisite terms
are adequately defined in-line, I am not opposed to its removal, for
this draft less bloat is better.  It should be a succint definition.

>   1. 2119 language isn't really appropriate for this document.  Many
> of the statements that rely on this would be much better without that
> language.  Some of the uses are actually completely inappropriate:
> "When possible, opportunistic security SHOULD provide stronger
> security on a peer-by-peer basis."

I can downcase the "SHOULD", what is the objection to 2119?

>   2. I think that the description of "unauthenticated encryption" and
> "TOFU" belong in the text proper.  TOFU is covered well enough by the
> text in S1; unauthenticated encryption needs to be covered in the
> description as a first class section, rather than piecemeal (see
> above).  MitM and PFS are defined in RFC4949.

Anyone care to suggest new language?  Is there agreement that the
proposed changes are needed?

-- 
	Viktor.





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]