Re: Re: [Nea] privacy: exposing information to owner
Hi Keith,
On 11/16/06, Keith Moore <moore at cs.utk.edu> wrote:
> I don't see any reason why IETF should endorse a protocol that (a)
> allows network providers to conduct arbitrary surveillance of hosts
> and (b) trusts network providers to be honest about what kinds of
> surveillance users are being subjected to. That's completely insecure.
I agree with your privacy concerns and your point that managed assets
of an organization will connect to networks that aren't managed by the
organization. This means we can't just assume a company X asset will
only connect to a company X network.
As you know, there are a host of techniques on the Internet today
which farm information from unsuspecting users and you are right to
point out that NEA is potentially a new one. Pop-ups to authorize such
queries are certainly not ideal by themselves. I am concerned that
users will tend to just click "yes" much like they do today when
connecting to a web site with an invalid certificate. However, I
fundamentally believe in the benefit NEA provides to organizations.
When I think of your objections while reading through this long
thread, I'm reminded of Bill Joy's essay "Why the Future Doesn't Need
Us." In it, he says, "The only realistic alternative I see is
relinquishment: to limit development of the technologies that are too
dangerous, by limiting our pursuit of certain kinds of knowledge."
This is an ultimately unsatisfying conclusion and Joy himself admits
as much towards the end of the essay when he writes "I'm trying to
imagine some better answers..."
What NEA is dealing with is nowhere near the magnitude of
self-replicating nano-machines and the other things Joy was concerned
with but that doesn't mean we should dismiss NEA's privacy concerns.
For me the question should be, "How do we sufficiently protect the
organization and end user from disclosing information that would be
harmful to them?"
I'm unwilling to cede NEA because we think a user prompt will simply
be bypassed. We're smart folks, I'm sure we can think of something.
Bringing this around to the requirements, I think Khaja's amendment to
your requirement seems reasonable: (NEA MUST NOT expose information
about a host to any party other than the owner of that host or to
parties authorized by the owner.)
Ensuring that the user and owner are sufficiently aware of the risk in
disclosure seems to fall into the realm of implementation. This sounds
very much like the work Kim Cameron and co. are doing with infocards
by providing ways for users to choose the profile of identity
information they are willing to provide. Can you think of a better way
to represent this requirement which still allows hosts to connect to
multiple networks?
What is happening in the marketplace today in the absence of standards
is that downloadable ActiveX controls are being embedded within captive
portals at network login. In order to connect to a network you have to
agree to install this applet, which scans your system for compliance.
In this situation you have no control over what information is
provided. This is clearly bad. Standards would at least give the user
control over the client element, which they could configure to disclose
only what they wanted to.
One option down the road is federation. Imagine a company X asset
connects to a company X network and gets a normal scan done: nothing
which violates your original requirement. Then at the end the asset is
provided with a certificate signed by company X stating that the
machine is running the latest patch, latest AV file, etc, whatever
company X is comfortable providing within the certificate. Then when
that asset connects to company Y's network it is authorized to present
the certificate only (which might not even list the specific AV
vendor, just that it is current). No additional information can be
sent regardless of what the user is willing to consent to. Then if X
and Y trust each other's assessments they are done.
I realize this isn't ideal, but it tries to address your concern
around novice users. I'm sure there are other ideas out there.
Thanks,
Sean
Off topic: If there are folks on the list who haven't read Bill Joy's
essay it was in Wired 8.04 and I highly recommend it:
http://www.wired.com/wired/archive/8.04/joy.html
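The federation flow sketched in the message above (company X scans its own asset in full, then issues a minimized, authenticated assertion that the asset presents to company Y, which learns only what X chose to export) as an added, runnable example. This is illustrative code written for this page, not code from the NEA working group or from either company. The host id, scan results, vendor name, policy rules and claim names are all constructed; the assertion is authenticated with HMAC-SHA256 over a federation key shared by X and Y, which stands in for the company-X signature the message describes (with a shared MAC key Y could forge X's tokens, so a real deployment would use public-key signatures). The two privacy controls the message argues for are both visible: X's export policy drops the vendor name and software inventory before anything leaves X, and Y rejects any claim outside the agreed set so a client cannot volunteer extra data even if it wanted to.

```python
"""Federated NEA-style compliance assertion (illustrative, not the thread's code).

Company X assesses its own host in full, then issues a minimized assertion
that the host presents on company Y's network. HMAC over a shared
federation key stands in for X's signature (assumption for this example).
"""
import hashlib
import hmac
import json
import time

# Constructed: the detailed result of company X's own scan of the asset.
FULL_SCAN = {
    "host_id": "asset-0042",
    "os": "Windows XP SP2",
    "av_vendor": "ExampleAV",
    "av_signature_date": "2006-11-15",
    "missing_patches": [],
    "installed_software": ["Office", "VPN client", "P2P tool"],
}

# Company X's export policy: the only claims it is willing to federate.
# The vendor name, OS and software inventory never leave X.
X_EXPORT_POLICY = {
    "av_current": lambda s: s["av_signature_date"] >= "2006-11-14",
    "patched": lambda s: len(s["missing_patches"]) == 0,
}

# Claims company Y agreed to accept. Any other key is rejected, so a client
# cannot disclose more than the federation agreement even if it consents.
Y_ACCEPTED_CLAIMS = {"av_current", "patched"}


def canonical(obj) -> bytes:
    """Deterministic JSON so issuer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, payload: dict) -> str:
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def issue_assertion(scan: dict, policy: dict, key: bytes, issuer: str,
                    now: float, ttl: int = 8 * 3600) -> dict:
    """Company X: reduce the full scan to policy claims and authenticate."""
    payload = {
        "iss": issuer,
        "sub": scan["host_id"],
        "iat": int(now),
        "exp": int(now) + ttl,
        "claims": {name: bool(rule(scan)) for name, rule in policy.items()},
    }
    return {"payload": payload, "mac": mac(key, payload)}


def verify_assertion(token: dict, trusted: dict, accepted: set,
                     now: float) -> dict:
    """Company Y: check issuer trust, integrity, freshness and claim scope."""
    payload = token.get("payload", {})
    key = trusted.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(mac(key, payload), token.get("mac", "")):
        raise ValueError("bad MAC")
    if not (payload["iat"] <= now < payload["exp"]):
        raise ValueError("assertion expired or not yet valid")
    extra = set(payload["claims"]) - accepted
    if extra:
        raise ValueError(f"unexpected claims: {sorted(extra)}")
    return payload["claims"]


def admit(claims: dict) -> bool:
    """Company Y's admission rule over the minimized claims only."""
    return bool(claims.get("av_current")) and bool(claims.get("patched"))


def decide(token: dict, trusted: dict, accepted: set, now: float):
    """Y's admission outcome plus reason; never raises."""
    try:
        claims = verify_assertion(token, trusted, accepted, now)
    except ValueError as err:
        return False, str(err)
    return admit(claims), "ok"


if __name__ == "__main__":
    fed_key = b"constructed-federation-key-shared-by-X-and-Y"
    now = time.time()
    token = issue_assertion(FULL_SCAN, X_EXPORT_POLICY, fed_key, "company-x", now)
    print("leaves X:", json.dumps(token["payload"], sort_keys=True))
    print("Y decision:", decide(token, {"company-x": fed_key}, Y_ACCEPTED_CLAIMS, now))
```

Running it shows that the only host data on the wire is the host id and two booleans; the tampering, expiry and unexpected-claim paths in `verify_assertion` are the checks Y needs so that neither the client nor a network in between can widen what the assertion says.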
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea