[Ndn-interest] NDN protocol principles: no privacy?

Burke, Jeff jburke at remap.ucla.edu
Tue Mar 15 09:44:51 PDT 2016





Hi Mark,


From: Mark Stapp <mjs at cisco.com>
Date: Monday, March 14, 2016 at 9:25 AM

>Hi Jeff,
>
>On 3/14/16 11:02 AM, Burke, Jeff wrote:
>>
>[...]
>>> that is a statement I've heard repeated, but the deeds don't align with
>>> the words. NDN has encouraged the use of long-lived public/private key
>>> pairs, and that makes individuals highly observable, and vulnerable in
>>> the case of key compromise. I don't know whether NSF noticed, but ...
>>> you can't do your banking with this stuff yet - and it's been years. and
>>> since the folks in charge flat-out reject DH negotiation, it's a little
>>> hard to see how they're going to come up with any forward-secure
>>> approach. just exactly what privacy-by-design feature are you referring to?
>>
>>
>> Mark,
>>
>> Where are you getting this impression of a lack of interest in
>security? Six of the last ten NDN tech reports deal with
>security-related topics, several of the techniques could be extended to
>use ephemeral keys, and a few have discussions of forward secrecy.
>>
>
>so ... I was referring specifically to privacy, not "security" in 
>general. having "discussions" about forward-security is not equivalent 
>to implementing and mandating it? 

Of course.  I didn't really mean to conflate these or suggest that discussing them is the same as requiring them.  Probably in a little haste I was responding to previous more general comments about security in other contexts - the point being that these things are being considered. 

>as long as user activity can be 
>correlated readily, there's an exposure that seems to me to be 
>undesirable - and it's unnecessary, given the technology that exists. 
>the initial point I was trying to make was that it felt (to me) that 
>there was a gap in the list of six because there was no mention of 
>private communication. as I said in an earlier email, even having a 
>broad statement would seem to be desirable.

I tend to agree with Luca that I'm not sure this would be a principle in the same sense as the others.  BUT, I am also really interested in what might be "application-level" concepts or conventions that would be just as valuable.  So, to me, whether or not it is in the design principle list doesn't exclude it from discussion or showing up in some other list. 

>
>[...]
>
>>
>>
>> Can you give an example or two of what such a satisfactory privacy
>principle might look like? (Perhaps there is disagreement about whether
>this is a principle for the architecture or applications, but
>articulating it seems valuable. We've certainly set it up as a goal for
>some of the current applications proposed for the current NSF work.)
>>
>
>sure, that'd be fun:
>
>NDN communication should use, by default, best-practice cryptographic 
>methods to ensure privacy and confidentiality. unlike IP communication, 
>where privacy is implemented by add-on libraries and has to be 
>"programmed in" by each application implementation, NDN will encourage 
>use of ephemerally-keyed, forward-secure protection for all 
>communication by making negotiation of ephemeral key material a 
>fundamental building-block of the architecture.
>
>or,
>
>The NDN architecture shares the view of the IP community that passive 
>and pervasive observation represents an attack on individuals' 
>communication. NDN communication will meet or exceed the evolving 
>best-practices for privacy, confidentiality, and authentication used in 
>IP networking. As the internet security community advances its 
>understanding of the vulnerabilities affecting internet communication, 
>NDN will move in parallel to assess vulnerabilities and maintain parity 
>with the IP technologies.


These really help to understand your perspective - thanks. I will discuss them with the NDN folks.   Others may see them as application guidelines vs. architectural goals or principles, but the discussion is useful, I think. 

Some thoughts/questions off of the top of my head:

- I'm not sure about the notion of a "default".  It seems like it inevitably would devolve to discussion of how often one case versus another occurs, or the social cost of one case vs. the other, to determine what the default should be.  I like the second articulation better for that reason, as a goal if not a principle, because it avoids both the language of "defaults" and specific mechanisms. 

- In the first articulation, can ephemeral be made more specific?  How long should a key be used? 

- In your principle, would you object to using only the term confidentiality over privacy?  Seems like this would make it sharper.  If you would object, what does privacy cover that confidentiality doesn't, that can be achieved within a network architecture? 

- Is it possible to articulate confidentiality (or privacy) of what from whom in such a goal/principle?  My primary concern here is that current "best practice" includes some real limitations and assumptions (e.g., that once the bits hit the edge of the remote service, things are safe). 

Just riffing on the above two points - I don't find that confidential communication with Facebook actually does much for my personal privacy. I do want it to be confidential, but considering just the channel between my browser and the service is a red herring relative to bigger issues of privacy and data ownership. 
In fact, I would prefer that my postings are confidential from Facebook itself but not from my "friends" in their social network - this is not really the current model of session-based security. I suspect that NDN can do better at that, revenue model of the service notwithstanding. (Here, I would like a goal or principle that goes beyond privacy and has to do with data ownership and control, which drives alternative service designs and reflects other rights, not just privacy.)


Jeff



>
>> I think we were going to present contrasting ideas on all of this
>(privacy at least) at the upcoming ICNRG meeting. Is that still the
>plan? (I think Dirk mentioned you wouldn't be there but perhaps someone
>else would present?)
>>
>> Jeff
>>
>>
>
>I haven't looked at the agenda, but I'm certainly interested in the 
>topic. I won't be there in person, but I've been having some 
>conversations with Chris Wood, and I think he is planning to offer some 
>slides.
>
>Thanks,
>Mark
