[apologies for double posting] Please attend this side meeting at IETF 85 if you are interested.
Vincent Roca was kind enough to do the first extensive review of the discussion I-D for that event. Reaction inline below.

On Tuesday, November 6, 2012, Vincent Roca wrote:

> Hello,
> I've read your I-D (extremely interesting) and have a few comments:
> 1- The attacker model of the 20sec and kill-switch scenarios
> We assume "the adversary cannot compromise smartphones or other
> participating devices".
> It looks rather strange to me.

This is indeed strange and only meant as a simplistic starting scenario.

> Personally I'd rather state the opposite:
> the threat model must be that of a powerful attacker (as in the 3rd
> scenario).
> Indeed, a device owner can be arrested and obliged to unlock its
> device... He may also be obliged to move around and to collect more
> information on others, using a modified device.
>
> Is it motivated by the desire to have some progression in the threat model
> in the document? If that's the case, then I understand, but state it
> clearly.

Indeed, the idea was to have progression in the threat model. In the next version I will try to make that clearer. Or if you think that is not a good idea, it can be changed.

> 2- The 20sec scenario and the list of peers
> Is it recommended to have such a list with possibly thousands of
> peers in this scenario when a device might be compromised
> (previous comment)? Is it the reason why the threat model makes
> the opposite assumption?

Again done for simplicity.

> 3- The 20sec scenario: clarification
>
> I understand the wired Internet is here, and usable, even if
> many links/servers/services are compromised. Am I correct?
> Because if it's not the case, then how would it be possible to
> broadcast a message to 20 million devices in 20sec using
> bluetooth and wifi networks only? 20 million is a lot and having
> a meshed network large enough to reach them all using small
> range wireless techniques seems rather challenging ;-)

Yes, thank you for spotting this. It implicitly assumes wired Internet and usable connections. Will clarify this.

> 4- The friend-to-friend scenario
> What does the following bullet mean?
> o The adversary can choose the data written to the microblogging
> layer by higher protocol layers.
> (I confess I didn't read [BRIAR] where it's certainly explained)

Another clarification needed. The idea is that the attacker can do a chosen plain text attack.

> 5- Concerning Tor...
> I agree, it's not the panacea for this use-case. In addition to
> what you're saying, we can add that it can make the situation
> worse. My colleagues have a paper on this topic:
> S. Leblond, A. Chaabane, P. Manils, M.A. Kaafar, C. Castelluccia, A.
> Legout, W. Dabbous,
> "One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and
> Profile Tor Users",
> USENIX Workshop on Large Scale Exploits and Emergent Threats (LEET'11),
> April 2011.
> http://arxiv.org/abs/1103.1518

Interesting work! Will use this in next version. Never knew that your listen port number is actually privacy leakage in a DHT.

I'll be at the side-meeting. Looking forward to it.

-j

> Cheers,
> Vincent
