Re: Agenda, security, and monitoring

2014-02-03 03:44:41


--On Sunday, February 02, 2014 18:44 -0600 Pete Resnick
<presnick(_at_)qti(_dot_)qualcomm(_dot_)com> wrote:

The problem with PGP and S/MIME is that they require
authentication in order to start using encryption, and since
authentication is both irrelevant to this *and* a pain to do,
I don't think it's likely that mechanisms that require
authentication to get started are good candidates to address
PM, let alone be a terribly good demonstration that we can do
encryption.

Pete,

Perhaps I'm missing something, but it seems to me that, if one
is willing to rely sufficiently on the email system to say "this
will get to the intended person (or at least mailbox), and, if
it does, the person who opens it will either have the relevant
key to be able to read it or not and, if they don't, that is ok",
then all that is needed is a self-signed key (or self-signed
X.509 cert).  That is basically "key but no authentication".
Put differently, we _always_ rely on authentication -- if I send
mail to "presnick(_at_)qti(_dot_)qualcomm(_dot_)com", I'm making a whole series
of assumptions that it is you, that such mail will reach you and
only trust-able others, and so on.  Those assumptions are fairly
weak and certainly don't involve independent certification, but
that is about the strength and quality of the authentication,
not whether authentication is assumed or not.

Put differently, unless my 30 second approximation to a threat
analysis missed something, it provides about the same level of
authentication as "I can buy a domain name without showing any
identity evidence other than the ability to make payment, I can
get a certificate issued on the basis of being able to set a
mailbox and appropriate DNS records to receive mail at that
domain and/or can publish keys as part of that domain record".
Like those [other] domain-based approaches, it is going to be
pretty good in practice unless an attacker has the ability to
either subvert a registrar [1] or, perhaps, to intercept and
divert (or copy) traffic en route [2].

Again, with either PGP or S/MIME (and X.509) with a self-signed
cert or key, authentication is not needed to start using
encryption, only a (perhaps implicit) belief on the part of the
sender that, if the recipient can advertise a public key, it
probably has the private one and that the key-advertiser is not
the proverbial entity-in-the-middle.

Of course, those of us who prefer a somewhat higher degree
(and/or out of band) of assurance that the entity we are
communicating with is the intended one will need authentication
and authentication strong enough to be convincing for our
purposes.  That is, as you suggest, a separate issue and more of
a pain.  It may be inconsistent with legitimate anonymity.  For
those who want it, bringing people together for key signing may
be helpful.  It may be especially helpful for anyone who
believes that "appears to be human, has a face, registered for
IETF, and can find the room in which a key-signing is to occur"
[3] is a better minimal credential than "was able to obtain a
domain name" [4].
 
best,
   john

  -----------------

Snarky notes:

[1] While there are clearly exceptions, there is considerable
evidence that "Honest and Careful Registrar" is an oxymoron and
even that a complete lack of scruples, or at least aggressive
and deliberate ignorance about registrant credentials, are
encouraged by ICANN policies.  If that be the case, then
authentication methods that ultimately depend on the
identity-quality of domain "purchase" and registration are
effective only to the extent to which an attacker is lacking in
motivation... unless one knows the domain of the relevant
individual and server with some independent certainty (that
notion of independent authentication again) and that the FQDN
string is spoof-proof.

[2] Of course, if the attacker cannot, or isn't willing to
invest the resources to, intercept and capture or divert an
in-transit data stream (or fake DNS records) then I don't quite
understand the threat model that unauthenticated (or very low
quality authentication) encryption protects against.

[3] If someone shows up at a key signing whom I've never seen
before and hands around a passport that says "Republic of Lower
Slobbovia" on the cover and has a picture and name inside,
whether a potential signer knows more about that individual's
identity than "appears to be human, etc.".  Few of us have ever
seen a Lower Slobbovian passport much less know how to
authenticate one.  So, again, authentication and quality of
credentials covers a broad spectrum.  The question isn't
"authentication or no authentication", it is what sort of
credentials are good enough for an intended purpose (and in
context with other methods).

[4] Note too that any sort of credential that draws on the DNS
for authenticity or key integrity and binding works a lot better
for domain-per-individual or domain-per-activity than it does
for domain-per-group-or-enterprise because, to some extent, such
methods depend on one's trusting everyone who is either a
legitimate user of the domain or who can compromise it.