Re: [homenet] [babel] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread STARK, BARBARA H
Hi Denis,
You appear to have perceived events and statements differently from how others 
have perceived these.
I don't find this thread accusing Juliusz of bad behavior to be an appropriate 
way of addressing your perceptions.
As chair of homenet (your email was sent to homenet and babel), I would 
appreciate an opportunity to talk to you directly (by phone / VoIP) to try to 
better address your perceptions. I find trying to do this by email very 
challenging.
If others share Denis' perceptions, please let the chairs know.
Thx,
Barbara

> -Original Message-
> From: homenet  On Behalf Of Denis Ovsienko
> Sent: Friday, June 29, 2018 12:29 PM
> To: "Babel at IETF" ; "homenet" 
> Subject: Re: [homenet] [babel] about Babel security (questions for Juliusz
> Chroboczek)
> 
> Thank you for a prompt response Juliusz.
> 
> Right now I will comment only on one specific point, more follow-ups later.
> 
>   On Fri, 29 Jun 2018 10:53:03 +0100 Juliusz Chroboczek wrote
> [...]
>  > > The specification of "Stenberg-style security" for Babel was never
>  > > published. It is June 2018 and I have never seen it, although I asked
>  > > to.
>  >
>  > It was presented at IETF 101 in March 2018 (at which you were present).
> 
> I confirm I attended IETF-101 in person and listened to Antonin's talk and
> slides about DTLS for Babel. I did not see a written specification. At the
> meeting I did bring up the need to see a written spec.
> 
> So in this case "presented" does not go as far as "published".
> 
>  > The draft lives here:
>  >
>  >   https://github.com/jech/babel-drafts/tree/master/draft-decimo-babel-dtls
> 
> Thank you for making this update, I am glad a written specification of Babel
> DTLS now exists (i.e. has been published). I have been asking since early
> 2016.
> 
>  > I am not an author.  Please ask the authors, not me, about why it hasn't
>  > been published yet.
> 
> As far as the commit history goes, the file was first added to the repository
> above on 25 June 2018 (four days ago), then it was updated three times on
> 27 June 2018 and two times on 29 June 2018 (today, last time about three
> hours ago). The file is a 325 lines long .xml file, which yields a .txt file,
> which is 8 pages long, 4 of which are boilerplates, the TOC, references and
> the likes. The other 4 pages are the actual specification. The document lists
> 3 authors.
> 
> I have studied the document and I find it difficult to discuss right now, to
> be honest.
> 
> --
> Denis Ovsienko
> 
> 

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet


Re: [homenet] [babel] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread Juliusz Chroboczek
>> The draft lives here: 
>> 
>> https://github.com/jech/babel-drafts/tree/master/draft-decimo-babel-dtls 

> As far as the commit history goes, the file was first added to the
> repository above on 25 June 2018 (four days ago), then it was updated
> three times on 27 June 2018 and two times on 29 June 2018 (today, last
> time about three hours ago).

This is partly my fault.  Antonin is a full-time student, and I have been
recommending that he follow his classes and pass his exams in priority to
doing IETF work.  I stand by this advice, and remain convinced that this
was the right thing to do.

> I have studied the document and I find it difficult to discuss right
> now, to be honest.

Please let us know what it is that you didn't understand.

-- Juliusz



Re: [homenet] [babel] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread Denis Ovsienko
  On Fri, 29 Jun 2018 17:46:35 +0100 STARK, BARBARA H wrote
 > Hi Denis, 

Hello Barbara.

I hope you are well.

 > You appear to have perceived events and statements differently from how 
 > others have perceived these. 

I agree there is some difference. I do not agree this automatically infers I am 
doing a wrong thing by trying to work through this difference. My goal is to 
clarify this situation for myself and other participants.

 > I don't find this thread accusing Juliusz of bad behavior to be an 
 > appropriate way of addressing your perceptions. 

I am sorry to object, but I am doing my best not to accuse Juliusz, as much as 
is reasonably practicable, in the course of this discussion of facts and 
problems. If I may suggest, you might see it better after reading my messages 
with more attention. I agree some of those facts and problems are not really 
enjoyable to discuss.

As just one example, the Babel DTLS specification is a 4 days old publicly 
available document and a few hours old Internet-Draft. It consists of 8 pages, 
including 4 pages of technical prose. The Babel HMAC specification that is not 
7298bis (feel free to suggest a better term) is a few hours old, smaller, 
publicly available document and isn't an Internet-Draft yet as this is being 
written. It says "draft-ietf-babel-rfc7298bis" at the top (sic!). Those are 
facts.

I have spared the participants of how I [subjectively] perceive those facts. 
You are welcome to verify the facts if you want. I emphasize the facts are not 
my perceptions. I am willing to listen if you tell me specifically what you 
find wrong.

 > As chair of homenet (your email was sent to homenet and babel), I would 
 > appreciate an opportunity to talk to you directly (by phone / VoIP) to try 
 > to better address your perceptions. I find trying to do this by email very 
 > challenging. 

Your statement is correct, in that I had intentionally cross-posted to both 
mailing lists. This is because Babel security is meaningful for Homenet (I have 
been a reader of the Homenet mailing list for some time).

I understand you are expecting a direct e-mail conversation with me to be 
difficult. I accept you may have reasons for this, but it seems to me you had 
not tried to reach me before, so it would not be right to put the blame on me. 
I am not putting the blame on you either.

From my own practical experience, e-mail works much better than phone: I can 
take the time to think and to read my messages before sending to make sure 
they say what was intended. If you insist anyway, we can have a voice/video 
call, but if I see this causing even more misunderstanding to pile up, I will 
have to switch back to e-mail. Hopefully that is workable enough for you.

Have a nice day.

 > If others share Denis' perceptions, please let the chairs know. 

-- 
Denis Ovsienko




Re: [homenet] [babel] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread Denis Ovsienko
Thank you for a prompt response Juliusz.

Right now I will comment only on one specific point, more follow-ups later.

  On Fri, 29 Jun 2018 10:53:03 +0100 Juliusz Chroboczek wrote
[...]
 > > The specification of "Stenberg-style security" for Babel was never 
 > > published. It is June 2018 and I have never seen it, although I asked 
 > > to. 
 >  
 > It was presented at IETF 101 in March 2018 (at which you were present). 

I confirm I attended IETF-101 in person and listened to Antonin's talk and 
slides about DTLS for Babel. I did not see a written specification. At the 
meeting I did bring up the need to see a written spec.

So in this case "presented" does not go as far as "published".

 > The draft lives here: 
 >  
 >   https://github.com/jech/babel-drafts/tree/master/draft-decimo-babel-dtls 

Thank you for making this update, I am glad a written specification of Babel 
DTLS now exists (i.e. has been published). I have been asking since early 2016.

 > I am not an author.  Please ask the authors, not me, about why it hasn't 
 > been published yet. 

As far as the commit history goes, the file was first added to the repository 
above on 25 June 2018 (four days ago), then it was updated three times on 27 
June 2018 and two times on 29 June 2018 (today, last time about three hours 
ago). The file is a 325 lines long .xml file, which yields a .txt file, which 
is 8 pages long, 4 of which are boilerplates, the TOC, references and the 
likes. The other 4 pages are the actual specification. The document lists 3 
authors.

I have studied the document and I find it difficult to discuss right now, to be 
honest.

-- 
Denis Ovsienko




Re: [homenet] [babel] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread Antonin Décimo
> I am not an author.  Please ask the authors, not me, about why it hasn't
> been published yet.

Little correction here, Juliusz is listed as 3rd author since a few days.
It is planned to submit the draft as soon as possible.



Re: [homenet] [babel] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread Juliusz Chroboczek
Dear Denis,

Thank you very much for your kind mail.

Unfortunately, I think there might be some confusion:

  - DTLS is Stenberg-style security;
  - HMAC is Ovsienko-style security,
  - it has four variants (7298, 7298bis, DKC, Stenberg)
  - two of which have fatal flaws (7298 and 7298bis).

I am really sorry for causing confusion by using both DTLS and
Stenberg-style for what is the same thing, and for furthering this
confusion for using "Stenberg variant" for one variant of the HMAC
protocol.

> Another fact is, in early 2016 you were promoting the pre-IETF Babel
> work before and at the Babel BoF and claimed that besides the HMAC (then
> RFC 7298) approach to Babel security there was another viable
> alternative, namely, "Stenberg-style security". You were promoting the
> idea that the Babel WG should evaluate both mechanisms and choose the
> best.

> * Q1: Do you acknowledge these two facts and do you agree they are
>   directly related? (yes/no, please explain if "no")

Yes, besides HMAC I have been advocating DTLS, also known as
Stenberg-style security.  Markus Stenberg is a competent security
expert, and I always try to listen to his advice.

> The specification of "Stenberg-style security" for Babel was never
> published. It is June 2018 and I have never seen it, although I asked
> to.

It was presented at IETF 101 in March 2018 (at which you were present).
The draft lives here:

  https://github.com/jech/babel-drafts/tree/master/draft-decimo-babel-dtls

I am not an author.  Please ask the authors, not me, about why it hasn't
been published yet.

> * Q2: In 2016 did you know "Stenberg-style security" for Babel did not
>   exist as a workable WG item in the first place? (yes/no)

DTLS, also known as Stenberg-style security, has been implemented by
Antonin Décimo and independently reimplemented by David Schinazi during
the spring of 2018.  It took somewhat longer than expected, for various
reasons that are none of your business (such as Antonin wanting to pass
his exams).

> * Q3: Why were you promoting a WG option that either you didn't verify
>   exists in the first place (if "no" above) or you definitely knew does
>   not exist (if "yes" above)? Please explain.

I knew it didn't exist at the time.  I was confident we could make it
happen.  Antonin and David have made it happen, which shows that I was
right.

> At some point between 2016 and 2017 you stopped mentioning
> "Stenberg-style security" and began to promote DTLS for Babel
> security. The first "running code" prototypes (not implementations)

The two are the same thing.  Sorry again for the confusion.

> * Q4: In 2016-2018 did you know a specification for the "DTLS" Babel
>   security did not exist as a workable WG item? (yes/no)

Stenberg-style security and DTLS are the same thing, so my answer to Q2
applies.

> * Q5: same as Q3

Stenberg-style security and DTLS are the same thing, so my answer to Q3
applies.

> * Q6: Do you agree your long-time presenting effort had created and
>   maintained an impression that the "alternative" security option was
>   viable and workable by the Babel WG, regardless of its actual status
>   at the time? (yes/no, please explain if "no")

Yes, I did believe that DTLS was viable, and did my best to communicate
this fact to the list.  As explained in my answer to Q2 above, I maintain
that I was right.

> * Q7: If "yes" to Q6, was this impression what you intentionally were
>   trying to achieve? (yes/no, please explain if "no")

Yes.

> * Q8: If "yes" to Q6, do you agree this impression has been influencing
>   decision making in both Babel and Homenet WGs? (yes/no, please explain
>   if "no")

I do not know.  Please ask the WG participants.

> * Q9: Do you agree the end effect was that the work on HMAC Babel
>   security was held back in the Babel WG? (yes/no, please explain if
>   "no")

No.  I have been actively promoting the HMAC work ("Ovsienko-style"), just
as I have been promoting the DTLS work ("Stenberg-style").

The HMAC work has been held up because 7298bis had fatal flaws.

> * Q10: After the WG decision about HMAC (which was in line with your
>   latest position at the time) are you still maintaining that choosing
>   between HMAC and DTLS would benefit the Babel WG? (yes/no, please
>   explain if "yes")

I would like to see both HMAC and DTLS published as Standards Track
documents.  It will be a lot of work, but I am confident that we will
manage it.

I would prefer that we didn't choose between the two -- I want to have
both.  As stated publicly at the microphone at IETF 101 in London, should
we be forced to choose, I would support HMAC.  Of course, I may change my
opinion in the future, it depends on how HMAC and DTLS will develop.

> * Q11: If "no", could you explain why did not you denounce the idea on
>   the mailing list with appropriate comments?

I do not understand the question.  It is not my role to "denounce"
anything or anyone, I merely express my opinions, just like any o

[homenet] about Babel security (questions for Juliusz Chroboczek)

2018-06-29 Thread Denis Ovsienko
Hello Juliusz.

This is about your contributions to the Babel and Homenet IETF working groups.

Given the apparent flood of Babel security related messages you are sending to 
the Babel WG mailing list, I find it necessary to try putting it into proper 
context. I tried to attack the problem rather than the person, it is up to you 
to tell whether I managed to do that or not. In either case, I tried to leave 
you room to defend yourself and to correct me if I am wrong.

A fact is, the Babel WG charter among other things has been saying: "Address 
security needs for BABEL. This may include using the techniques in RFC 7298, or 
other alternatives."

Another fact is, in early 2016 you were promoting the pre-IETF Babel work 
before and at the Babel BoF and claimed that besides the HMAC (then RFC 7298) 
approach to Babel security there was another viable alternative, namely, 
"Stenberg-style security". You were promoting the idea that the Babel WG should 
evaluate both mechanisms and choose the best.

* Q1: Do you acknowledge these two facts and do you agree they are directly 
related? (yes/no, please explain if "no")


The specification of "Stenberg-style security" for Babel was never published. 
It is June 2018 and I have never seen it, although I asked to.

* Q2: In 2016 did you know "Stenberg-style security" for Babel did not exist as 
a workable WG item in the first place? (yes/no)

* Q3: Why were you promoting a WG option that either you didn't verify exists 
in the first place (if "no" above) or you definitely knew does not exist (if 
"yes" above)? Please explain.


At some point between 2016 and 2017 you stopped mentioning "Stenberg-style 
security" and began to promote DTLS for Babel security. The first "running 
code" prototypes (not implementations) of Babel DTLS began to be discussed 
between late 2017 and early 2018 (as far as I could see in the mailing list 
archive). It is June 2018 and I have never seen the DTLS Babel security 
specification, although I have asked to.

* Q4: In 2016-2018 did you know a specification for the "DTLS" Babel security 
did not exist as a workable WG item? (yes/no)

* Q5: same as Q3


Whichever the name of it, mentions of the "alternative" Babel security have 
consistently been in your regular IETF slides, talks and status updates in the 
Babel and Homenet WGs, and occasionally elsewhere at IETF. This statement is as 
factual as the IETF meeting materials and witness of IETF participants 
including myself.

* Q6: Do you agree your long-time presenting effort had created and maintained 
an impression that the "alternative" security option was viable and workable by 
the Babel WG, regardless of its actual status at the time? (yes/no, please 
explain if "no")

* Q7: If "yes" to Q6, was this impression what you intentionally were trying to 
achieve? (yes/no, please explain if "no")

* Q8: If "yes" to Q6, do you agree this impression has been influencing 
decision making in both Babel and Homenet WGs? (yes/no, please explain if "no")

* Q9: Do you agree the end effect was that the work on HMAC Babel security was 
held back in the Babel WG? (yes/no, please explain if "no")


In May 2018 the Babel WG had reached the decision not to adopt the HMAC I-D 
(7298bis) as a working group document. The adoption call lasted for more than 
60 days, so every participant had a chance to comment. You supported the 
adoption at first and later withdrew your opinion in the course of the call.

* Q10: After the WG decision about HMAC (which was in line with your latest 
position at the time) are you still maintaining that choosing between HMAC and 
DTLS would benefit the Babel WG? (yes/no, please explain if "yes")

* Q11: If "no", could you explain why did not you denounce the idea on the 
mailing list with appropriate comments?


Up to this point I could state I understand certain things even if I do not 
like them. Such as, for example, effectively saying "security is not my 
problem" in the Homenet Babel profile, or the need to consider DTLS for Babel 
security, or the decision not to use HMAC. But I kept getting out of the path, 
as that's what I expect from other people when I am working on something.

Now there is something that I cannot understand in the first place: after the 
Babel WG decision you started to post HMAC-related messages to the mailing list.

* Q12: Do you agree, in the sense of your own long time "DTLS or HMAC" idea and 
the claimed viability of DTLS, that the most consistent next step would be to 
work towards the adoption of a DTLS Babel security mechanism document? (yes/no, 
please explain if "no")

* Q13: If "yes", could you explain in detail why you started to draw so much 
attention to HMAC after the WG decision and do not bring up DTLS anymore?


I have tried to find (in the first few dozens of your messages) the supposed 
technical problem you are trying to solve. I could not see a sound technical 
point not already addressed in RFC 7298, 7298bis I-D or the mai