ietf-openproxy

RE: OPES and content path security

2002-03-12 11:14:43

hi,

please see comments inline

abbie

-----Original Message-----
From: The Purple Streak (Hilarie Orman) [mailto:ho@alum.mit.edu]
Sent: Monday, March 11, 2002 3:16 PM
To: ietf-openproxy@imc.org
Cc: mankin@easti.isi.edu
Subject: OPES and content path security



Listed below are the relevant excerpts from the IAB RFC 3238 on OPES
considerations on the subject of encryption.  I'd like to solicit
comments on these topics.  I think it would help to begin with a
simple security model.

 SNIP SNIP

The trust becomes more complicated if the parties can delegate
their rights.  I think that the IAB considerations are assuming
that the initial parties can delegate some aspects of their
data privacy to third parties, as in the case of a publisher
delegating privacy to a content delivery service, but it also considers further
delegation of privacy along the delivery path.  The mechanism for
this is "hop-by-hop" or "link" encryption.  I believe that RFC3238
means to say that link encryption is "compatible" with end-to-end
encryption if all IP-address-terminated links use encryption
and there is a well-founded delegation path for each link.  This
introduces the intermediaries as new parties to the security model.
These intermediaries may be trusted for some functions, but not
others.  True end-to-end encryption should be used by the primary
parties for data for which intermediaries are not trusted; some
intermediaries may impose this themselves.

Here we need to be very careful: how do you know which services are trusted
and which ones are not? How do you signal that, and how do you verify?

We may want to extend the notion above to encompass callout
servers, but I'm not sure.


I think we should. A callout service basically changes the operations on the
content path, so it is part of the path and the same rules should apply.


A topic for discussion, I believe, is whether or not "transparent"
delegation is allowed, and if not, how fine-grained should the
delegation policy be, i.e., should each primary party be aware of all
delegations, should one party be aware, should each party require
explicit approval for all delegations, etc.

I do not think that transparent delegation should be allowed.  This also
includes callout servers.


abbie
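The trust model sketched in this exchange (every IP-address-terminated link encrypted, a well-founded delegation path for each intermediary, no transparent delegation, callout servers held to the same rules, and end-to-end encryption whenever some intermediary is not trusted for a class of data) can be stated as a small checker. The following is an added example written for this page, not code from the OPES working group or RFC 3238; the hop records, the "trusted_for" content classes and the sample paths are constructed assumptions used to illustrate the rules.

```python
"""Toy model of the content-path trust rules discussed in the thread.
Added example: hop structure, content classes and sample paths are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, FrozenSet


@dataclass(frozen=True)
class Hop:
    name: str
    kind: str                              # "primary", "intermediary" or "callout"
    link_encrypted: bool = True            # link from this hop to the next hop is encrypted
    delegated_by: Optional[str] = None     # party that explicitly delegated privacy to this hop
    trusted_for: FrozenSet[str] = frozenset()  # content classes this hop may handle in clear


def delegation_chain(hop_name: str, hops: Dict[str, Hop]) -> Optional[List[str]]:
    """Follow delegated_by links back to a primary party.
    Returns the chain, or None if a link is missing (transparent delegation),
    names an unknown party, or loops: none of those is well-founded."""
    chain = [hop_name]
    while hops[chain[-1]].kind != "primary":
        parent = hops[chain[-1]].delegated_by
        if parent is None or parent not in hops or parent in chain:
            return None
        chain.append(parent)
    return chain


def check_path(path: List[Hop]) -> List[str]:
    """Return the list of rule violations on a content path (empty means compliant).
    Callout servers appear as ordinary hops, following the position taken above that
    they are part of the path and subject to the same rules."""
    hops = {h.name: h for h in path}
    problems = []
    # Rule 1: every link between consecutive hops uses (link) encryption.
    for a, b in zip(path, path[1:]):
        if not a.link_encrypted:
            problems.append(f"link {a.name}->{b.name} not encrypted")
    # Rule 2: every non-primary hop has an explicit delegation chain to a primary.
    for h in path:
        if h.kind != "primary" and delegation_chain(h.name, hops) is None:
            problems.append(f"{h.name} ({h.kind}) has no well-founded delegation")
    return problems


def untrusted_hops(path: List[Hop], content_class: str) -> List[str]:
    """Hops not trusted for this content class. A non-empty result means the primary
    parties must protect that data end-to-end rather than rely on link encryption."""
    return [h.name for h in path
            if h.kind != "primary" and content_class not in h.trusted_for]


# Constructed sample paths (assumed names, not from any deployment).
GOOD_PATH = [
    Hop("publisher", "primary"),
    Hop("cdn", "intermediary", delegated_by="publisher", trusted_for=frozenset({"public"})),
    Hop("callout", "callout", delegated_by="cdn", trusted_for=frozenset({"public"})),
    Hop("client", "primary"),
]
BAD_PATH = [
    Hop("publisher", "primary"),
    Hop("cdn", "intermediary", link_encrypted=False, delegated_by="publisher"),
    Hop("cache", "intermediary"),          # no delegated_by: a transparent intermediary
    Hop("client", "primary"),
]

if __name__ == "__main__":
    print("good path:", check_path(GOOD_PATH) or "ok")
    print("bad path:", check_path(BAD_PATH))
    print("needs end-to-end for 'personal' data:", untrusted_hops(GOOD_PATH, "personal"))
```

The checker separates the two questions the thread raises: whether the path structure is acceptable at all (every link encrypted, every intermediary and callout explicitly delegated), and, per class of data, whether link encryption is enough or the primary parties need end-to-end protection because some hop is not trusted for that class. How a hop's trust and delegation would be signalled and verified in a real deployment is exactly the open question raised above, and this model only makes the decision explicit once that information is available.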
 