On 8/15/2014 10:34 AM, Viktor Dukhovni wrote: > On Fri, Aug 15, 2014 at 08:54:18AM -0700, Dave Crocker wrote: >>> The opportunistic security design pattern involves stepping up from a >>> baseline security policy compatible with all relevant peers to the >>> most secure policy compatible with the capabilities of a given peer. > >> Actually, it involves stepping /down/. > > The draft is providing a *definition*. Definitions should be taken > at face value. This is not an empirical statement whose truth one > can debate, it is a definition. Viktor, I don't understand your response. In any event, my point was that the existing text is actually incorrect. Opportunistic patterns, here, concern permission to use /decremental/ protection. The premise is that weaker protection is better than none, when stronger protection is not usable. So it is not stepping "up". It is stepping "down". And, by the way, I still do not see any text in the draft that constitutes a 'definition', nevermind being labeled explicitly as such. >>> A related goal is broader adoption of protection against active >>> attacks, by enabling incremental deployment of authenticated >>> encryption. >> >> Although this sounds entirely reasonable, there is no explanation >> provided to make it credible. (n fact it is not at all clear to me that >> is /us/ credible...) How will use of an opportunistic pattern lea to >> broader adoption? > > By enabling deployment that is incremental and yet on by default. > With "all or nothing" security there is no way to allow the network > effect to help reach near-universal adoption. Deployment is already incremental, with respect to the way that term is usually used for Internet services. Some sites deploy strong protection. Some don't. The capability works amongst those that deploy it. It does not require others to deploy it before that utility is available. Incremental deployment is usually means that there is utility with smaller-scale deployment. In particular, it tends to mean there are few or no critical dependencies upon infrastructure. I believe what is meant here is something like: The deployment of less stringent protection is easier. Hence it is hoped that permitting less stringent protection will encourage wide adoption of at least some protection, with the incremental improvement to stronger protection over time. >>> Both opportunistically >>> employed encryption and opportunistically employed authentication >>> need to avoid deployment roadblocks and need to be designed with care >>> to "just work". >> >> I have no idea what the last sentence means. > > It means mechanisms that consistently work out of the box, no need > to tune explicitly for each peer or prompt the user when they > predictably fail a significant fraction of the time. 1. "Work out of the box" sound great; it's appealing language. But it has no obvious technical or operations meaning in this context. The reader has no basis for even guessing what the technical or operational details are that constituting 'working out of the box'. Even after extensive discussions here I don't know what it means, in technical or operational terms. 2. At the least, there is no 'box'. 3. More seriously, even unauthenticated encryption requires considerable effort in development, deployment and use. 4. The term "opportunistic authentication" is not defined or discussed in this draft, and frankly it has no obvious meaning to me, in spite of the lengthy discussion of opportunistic foo on the various ietf lists. I strongly urge dropping the term from this draft. >>> Opportunistic security does not start with an over-estimate of peer >>> capabilities only to settle for lesser protection when a peer fails >>> to deliver. Rather, opportunistic security sets a minimum protection >>> level expected of all peers, which is raised for peers that are >>> capable of more. >> >> This paragraph is not very helpful. The issue here has nothing to do >> with estimation. (Can a design pattern make an estimation?) > > An estimate is what one has, when one has not ye performed the > measurement. Perhaps a better word could be crafted here, suggestions? > I still think the original text is sufficient. Sorry, no. An estimate is what one can attempt has when one has /partial/ information and seeks to extrapolate/interpolate from it. An estimate based on zero information is merely fantasy. But again, design patterns do not make estimations. > The first sentence is what you're consistently not taking at face > value, the point needs to be made. I don't understand what you mean and the issue not not what I am "not taking at face value". I'm reading the text and attempting to understand it. In any event, really, the paragraph works far better without the first sentence. >> If authentication is required, we have classic authenticated encryption, >> not opportunistic <foo>. > > Again no, you're still reading what you would have said, rather > than what the draft actually says. Viktor, that is your second statement commenting on my behavior. Please stop commenting on what I am doing. And especially do not comment on my reading skills or performance. Otherwise I will have to return the favor, and even more people will choose to unsubscribe from the IETF list. > The draft actually defines a > way to do "opportunistically employ" authentication. And this is It does? Where? I've looked over every occurrence of "authentication" in the draft and have not seen any text that seems to "define a way to 'opportunistically employ' authentication". > important, and is the main point of departure from Steve Kent's > earlier draft. > > "Required of all peers" is not opportunistic. Required when advertised > By a given peer Your use of quotation mark implies that it refers to something that was said (my me?) If your comment is not merely a straw man, please point to the language you are responding to, because I can't find it. Further, it does not seem relevant to my comments. Hence I do not understand what the basis of your comment is. >> The 'opportunistic' construct is all about permitting lesser protection. Correct. It is not about requiring only one kind. As soon as only one kind is required, the activity is outside the scope of "opportunistic". It is not about 'permitting' none. As soon as there is no security, clearly it is not "opportunistic". My best guess is that the desire to have the term opportunistic include no security and/or strict requirement for specific security, is because there are scenarios that include opportunistic behaviors AND one or both of these others, in some situations. The discipline of a good specification is clarity about its scope of application. Including scenarios that are too strict or too permissive negates any utility in the term. >> If it isn't permitted, we are not in an opportunistic scenario. > > Again, that's not the *definition* in this draft. You might have > defined it that way, but this draft does not. The text that is definitional does not clearly include or exclude. Again, and more specifically, I still do not see text in the draft that constitutes a definition. I am pointing out a very basic and very important problem with having the term include activities that contradict the term. >> The term needs to be quite disciplined about what is excluded and what >> is included. As soon as the term is too broad, it is meaningless. > > No, not meanigless, just not the meaning some would have come up with. A term that is too broad is taken by different listeners as having different meanings. The core requirement for "communication" among humans -- and, by the way, computers -- is "shared meaning". It is a foundational point in work on human communication. As soon as people impart different meanings for the same term, communication ceases. Hence, "meaningless". >>> Enforcement of authentication is not incompatible with opportunistic >>> security. If an OS-enabled peer (A) makes available authenticated >>> key material, e.g., via DANE, to peer (B), then B should make use of >>> this material to authenticate A, if B is OS-enabled and supports >>> DANE. >> >> This is worded a bit differently than in the preview draft I saw, but I >> still have no idea what that sentence means. The language that follows >> is about preference, not enforcement. >> >> Ultimately I can't tell what the motivation for this sentence is. > > You're still not reading the definitions as stated. Sure I am. And thank you for being so helpful as to incorrectly claim otherwise. Or rather, what definition is that? I don't see a definition in the above. I see a discussion. And as I said I don't understand it. After multiple readings. I make a point of offering what I think might be meant, when I can make a guess. I can't do that here. >>> If authentication is only possible for some peers, then it is >>> acceptable to authenticate only those peers and not the rest. >> >> It is only sometimes acceptable. It is essential that the text here >> highlight that such a fallback needs to be the result of careful >> analysis and choice and not a casual default. > > There is no fallback from a suitably advertised capability to be > authenticated (e.g. via DANE). Similarly the TACK draft is a type > of opportunistically enabled authentication that is more of the > TOFU style. The text I am commenting on can be rephrased to have the same meaning, but say: "It is acceptable to permit no authentication for some peers." That constitutes a fallback from doing authentication. >>> Employ PFS: Opportunistic Security should employ Perfect Forward >>> Secrecy (PFS) to protect previously recorded encrypted >>> communication from decryption even after a compromise of long-term >>> keys. >> >> I'm told that PFS isn't really possible for asyncrhonous, object-based >> encryption, such as for email. > > PFS works for hop-by-hop SMTP, but yes, not likely for end-to-end > S/MIME or PGP. This could be qualified with "when possible" or > some such. Hop-by-hop is irrelevant to my comment. I was careful in what I stated. My understanding is that is is not achievable within any current technology, not merely "not likely". The difference is important. Referencing a goal that is beyond the state of the art isn't helpful here. >>> No misrepresentation of security: >>> >>> Unauthenticated encrypted communication must not be misrepresented as >>> communication over a secure channel. >> >> Oh boy. That sentence is far too compact and not obviouly correct. In >> fact it is arguably wrong. > > That's the -02 draft text you're responding to. Sorry. Right. Current text looks ok. >>> In summary, the opportunistic security design pattern encompasses >>> protocol designs that remove barriers to the widespread use of >>> encryption on the Internet. The actual protection provided by >>> opportunistic security depends on the advertised capabilities of the >>> communicating peers. Opportunistic security aims to encrypt all >>> network traffic, while allowing fallback to cleartext with peers that >>> do not appear to be encryption capable. >> >> Ran out of time. Haven't reviewed the remainder... Sorry, that sentence was left from my pre-release review. The remainder were/are comments I formulated today. >>> 5. Example: Opportunistic TLS in SMTP >>> >>> Many Message Transfer Agents (MTAs, [RFC5598]) support the STARTTLS >>> ([RFC3207]) ESMTP extension. MTAs acting as SMTP clients are >>> generally willing to send email without TLS (and therefore without >> >> Software does not have a 'will'. I think what is meant here is 'able'. > > Except that we're describing tolerated lower-bounds, not abilities. 1. You are describing how things are done or not done. You are not describing "bounds". I do not understand how the term "bounds" is in any way relevant here. 2. Again, software does not have 'will'. >>> Recent reports from a number of large providers suggest that the >>> majority of SMTP email transmission on the Internet is now encrypted, >>> and the trend is toward increasing adoption. >> >> This anecdotal comment isn't needed, isn't substantiated, and is going >> to be distracting when this document is read 20 years from now. I >> suggest removing it. > > The example is an anectote, a protocol case-study if you like, not > a specification. It is I think useful to highlight a success of > OS in this space. It is not reasonable for someone to be reading a technical specification -- which is what this document seeks to be -- and have to worry about when it was written and what was going on at the time. Otherwise they might read "recent" and think that the issue is current when, in fact, it is in the distant past. This document is not a discussion of current deployment statistics or the like. It is a document seeking to define a term and a design pattern. Keep the document's scope restricted to that. >>> Not only is the STARTTLS advertisement vulnerable to active attacks, >>> but also at present some MTAs that advertise STARTTLS exhibit various >>> interoperability problems in their implementations. As a result, it >> >> Again, the ephemeral frame of refernce won't be helpful. >> >> So: >> >> but also an MTA that advertises STARTTLS can produce various >> interoperability problems in its implementation. As a result, it might >> choose to fall back to cleartext... > > Except that the wisdom of the cleartext retry is rooted in the > operational status-quo. When the interoperability issues with > clunky old MTAs fade away, the engineering trade-off will be > different. The 'status quo' substantiates the legitimacy of the concern but is otherwise irrelevant. Establishing the credibility of this concern, here, isn't that important. As for interoperability issues fading away, ummm, right. We have such a good track record of that happening, I'm sure we can look forward to it here. >>> 6. Security Considerations >>> >>> Though opportunistic security potentially supports transmission in >>> cleartext, unauthenticated encryption, or other cryptographic >>> protection levels short of the strongest potentially applicable, the >>> effective security for peers is not reduced. If a cryptographic >>> capability is neither required by policy nor supported by the peer, >>> nothing is lost by going without. Opportunistic security is strictly >>> stronger than the alternative of providing no security services when >>> maximal security is not applicable. >> >> I'll repeat that counting "cleartext" as part of an opportunistic >> pattern is a strategic error. In simple terms, it is saying that no >> security is part of security. > > Yes, in order to make security usable, we tolerate no security as > a baseline where required. That statement is a non-sequitor. Security is not made 'usable' by tolerating no security. It is made non-security. It's important that the language here not make silly statements. Stating that cleartext is security is silly. >> The issue is not that cleartext is bad or that permitting it might not >> be ok. It's that it needs to be outside of the scope of an >> opportunistic pattern. > > Disagree. Otherwise we get into "fallback" and all that, but OS No, what we get into is scope. "No security" is outside the scope of opportunistic. Mandatory, specific security is outside the scope of opportunistic, since the essence of opportunistic is flexibility. If you have no security or you require only specific security, there is nothing 'opportunistic' about what is being done. > is about attempting to get more than minimum (possibly none) > security. Not about settling for less. As defined! Not empirical > fact to debate. You could argue for a different definition, but > it should be clear that you'd prefer a different formulation, not > that the current one is "wrong". > >>> Opportunistic security coexists with and is preempted by any >>> applicable non-opportunistic security policy. However, such non- >> >> This first sentence makes no real sense to me or worse is confusing. It >> does not "coexist". If it is preempted, it is at best subordinated. > > Well, coexists and is subordinate to. But that is clearly evident from > the text... Clearly it is not. On 8/15/2014 12:11 PM, Viktor Dukhovni wrote:> On Fri, Aug 15, 2014 at 03:01:59PM -0400, Paul Wouters wrote: > >> Background Encryption ? >> Preemptive Encryption ? >> Preventive Encryption ? >> Preventative Encryption ? >> Countermeassure Encryption ? >> Remedial Encryption ? > > This boat has sailed: > > TLS -> TLE: Transport Layer Encryption? > IPsec -> IPenc: IP encryption? > SSH -> ESH: Encrypted SHell? > HTTPS -> HTTPE: HTTP over TLE? > ... > > Let's talk about the substance of the draft. That you think choosing confusing terminology is not substantive is a problem. That you ignore the confusion caused by prior uses of that term is a substantive problem. Making a poor choice in the past is not a very good justification for repeating the error. And, by the way, TLS, et al, really were developed with the intent of a range of different security uses. So the 'error' then was much less of an error. By contrast, the discussion in your draft is only and specifically about encryption. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net