
List:       ietf-saag
Subject:    Re: [saag] (on need for I-D on apparent complexity and expense in mutual authentication) Re: Fwd: La
From:       ianG <iang () iang ! org>
Date:       2014-07-12 11:38:49
Message-ID: 53C11E49.7090003 () iang ! org

On 11/07/2014 14:49 pm, Rene Struik wrote:

>> Some of our security (and other) technologies were designed
>> 15 or so years back mostly considering enterprise networks with
>> say 10^6 or fewer things involved and where there were folks
>> whose day job was to mind every part of that network. A lot of
>> reasonable assumptions in that context no longer really apply.
> RS>>
> It would help to specify and enumerate the reasonable assumptions at
> that time and why those "no longer really apply".


The clue I see is 'enterprise'.  Many people working in the 1990s were
employed by corporations (people needed to eat, right?).  The
corporations could afford the costs of authentication systems, and some
of those corporations were the costs of the authentication systems.
There was a bias towards authentication as a commercially viable business
model.

Fast forward to now, and the cost of these authentication systems has
delivered a rather mixed result.  Yes, it worked in the direct case, but
there are many side-effects, and poor deployment.  A lot of the failures
trace back to the cost-of-authentication assumptions.

So, the OS strategy has it that we make authentication free.  By not
doing it, if necessary, and by making it available if we can.


...
> Again, it would help to describe why this assumption held up, but now
> apparently (your argument) does not any more.


Look at HTTPS.  A huge part of the problem with phishing is that the web
isn't fully encrypted and authenticated.  When it was first envisaged,
it was hoped that everything would be covered for any retail site, and
therefore we could lean more heavily on certificates.

But when first deployed (1995?) the cost of encryption was too high, so
the retail websites split into credit card accepting on HTTPS, and the
rest on HTTP.  Fast forward to 2003 and the expected phishing attacks
simply launched copy sites in HTTP.  Nobody could tell the difference,
and the browsers couldn't help.

The real solution here is to get everything onto HTTPS, the same system.
Once that is done, browsers can more heavily concentrate on the
reliance of the name, because it is more often there.

Assumptions that have changed:  cost of encryption.  Need for full
authentication.  Discovery of pervasive monitoring.  Need to serve
business foremost.



> RS>>
> If OS has more global revolutionary aspirations, it would be good to
> describe this somewhere. I got the impression that opportunistic
> encryption was more about administrator-less security. If wrong and this
> is about raising the security bar while at the same time improving ease
> of use and ease of deployability, that would be good to codify.


Yes, it's both, causally.  To improve security, we want to make it
administrator-free.


iang

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag