TIGRESS @IETF 118 Prague, Nov 8 1200-1300 UTC

Security Channel Presentation - Ekr


Q by Yogesh : Second factor comes after the fact. Slide 8 shows that the
exchange is blocked which is not accurate.

Note by Leif: Questions after the presentation. Clarifying questions are

Slide 10 talks about the 2 options available.
* Assume the introduction channel is secure and move forward
* Assume introduction channel is insecure and flesh out its security

Q by Tommy Pauly : 2 questions : First one, I have been chatting with
Dmitry/Yogesh, I want to clarify that there is an assumption that a
single person can get the credentials. Is there a way in the new
protocol to not allow the attacker to win the race multiple times?

Ekr: Fix is easy.

Tommy Pauly: Maybe add a state, cookie.
Next question, related to second factor. It feels like overall the
second factor idea is to use the second factor channel as bootstrapping
channel. I use SMS and email, it makes it less likely for attacker to be
looking at both of them. Have the protocol define a way to split up the

Ekr: second factor channel is somewhat limited. The most plausible
option is where I call you on phone and give you the second factor.
Let's flesh out the second factor. Pin is low entropy....the problem is

Dmitry: I probably can clarify somethings here. If we indeed have a
perfectly secure channel, we can pass the provisioning info. But when we
originally thought of this channel, balance of security and usability
was kept in mind. Risk can be mitigated by separating the intoduction
secret plus second factor. Pin retries will be limited.

Yogesh: Agree with Ekr about we do trust the channel. We also understand
that it is potentially insecure. We need to understand it from the
perspective of vertical people like car makers. We don't want to prevent
people from using the channel that they already use all the time. Also,
we have to encourage people to really use the second factor.

Christopher Wood: Q about the assumed use case, is there anything like
latency or performance req for this protocol?
yogesh: It's fine to use 10 round trips. No notion of instantaneous.
Chris: Option 1 seems to be clear candidate to start with. (Assume the
channel to be secure.) This will simplify the design and solve the
simple problem first.

Leif: Should we move the entire introduction channel out of scope or
just the security properties of the the channel?

Chris: Assumptions need to be in scope.

Ekr: Common ground, charter text talk about establishing the secure

Eric Kinnear: Bootstrapping of this channel is something I would like to
use but I understand if we can't because of scope. Would prefer option

Simon from Mozilla : Favor of option 2: assume introduction channel is

Tommy Pauly: I like approach of Option 1-assume intro channel is secure.
If we are splitting the scope here, what is out of scope is what is the
content of this credential body. When we are defining a cred that needs
to be tansferred, can we say that the vertical can require to have a
second factor.

Yogesh: Even if we go with option 1, its not necessarily true all the
time. I do want to put a second factor knob on.

Tommy: Assume that the introduction channel is secure enough to
understand what the credential is. Split up the problem differently.Make
the presence of second factor orthogonal.

Yogesh: Th idea that using a pin everytime is an option. Currently this
is under users control. (More details by Yogesh)

Dean Saxe from Amazon: We are maybe not looking at prior art from this
space. UMA2 can be used to delegate authority within a range of time for
some purposes.See what prior art exists and use the best practices that
we have today for second factor.



Dmitry: Credential exchange and credential activation are separate.<>

Leif: Most wallet include channel bindings and it is orthogonal. It's a
little dangerous for TIGRESS to produce a separate doc on channel

Ekr: Do we believe that the info in intro channel is secure enough? If
that's true, we are good to go.

Aaron Parecki: I hear a different use everytime. I am concerned that we
are so narrowly scoped on this channel that we are ignoring other work
being done by IETF. I haven't heard that whether this is a delegation
problem or copying problem? key is different or same ?

Ekr: Broad array of existing verticals. Purpose is to facilitate the
content of a credential.
(To be filled in with recording)

Aaron: This feels to me that we are doing a lot of reinevnting of a
channel that really already exists.

Dmitry: It's a delegation problem. In some cases an exact copy of the
key can be passed.

Yogesh: Credential could be a copy or delegation. It is an opaque blob
for this channel.

Option 1: Assume that the Introduction Channel is secure and move
forward to protocol selection.
Yes-8 , No-8, No Opinion-27

Option2 : Assume that the Introduction Channel is insecure and ask what
the properties of the “second factor” are.
Yes-0, No-17, No Opinion-26

Option 3: Both, orthogonally
Yes-12, No-4, No Opinion-28

Option 4: We need to rethink
Yes-10, No-5, No Opinion-29