jericho 4 – commandments 4 – 8

Jericho…commandments…yeah, I can see the searches that drag people here now…great. I’m continuing my look at the commandments from the Jericho Forum. This is commandment 4 which bears the header, Surviving in a Hostile World.

Devices and applications must communicate using open, secure

– Security through obscurity is a flawed assumption – secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use
– The security requirements of confidentiality, integrity and availability (reliability) should be assessed and built in to protocols as appropriate, not added-on

– Encrypted encapsulation should only be used when appropriate and does not solve

Oh boy! We hit some tender spots here! I think the assumption about using open protocols is that the more open something is the more secure. I guess if you fully believe in a strict interpretation of the first bullet point, this makes sense. But I find it a dubious claim to accept across the board. They have a point about things being open. Take Skype for instance. I dislike Skype because I have no idea what their encryption consists of because it is not open. Still, I can accept this commandment as part of an ideal framework, but I don’t think that reflect reality.

I don’t like bullet 1 at all. Security through obscurity is life; deal with it. Security through obscurity alone is not security. That’s the proper usage of that phrase. Utilizing obscurity can reduce your risk. Changing the SSH server port to TCP 23412 will lower your risk, but true, it won’t increase the inherent security of the SSH server itself. So strictly speaking, I don’t buy this bullet point. Also, there are times where if we opened up a protocol to peer review and acceptance, we’ll spend 25 years over-analyzing and trying to provide a consensus, and then look back at the bloated monster of a protocol that results. Yikes.

The second bullet makes me think what we’re hoping for are god-like tentacles of protocols on the Internet. I just don’t think that is going to work. We need simple, small, extensible protocols. They should be solid, scalable, and work well. Confidential? I don’t quite buy that…and I’m interested in security. Take the simple building blocks and secure them. I don’t know what bullet three is referring to, so I’ll skip that one.

All devices must be capable of maintaining their security policy on
an untrusted network

– A “security policy” defines the rules with regard to the protection of the asset
– Rules must be complete with respect to an arbitrary context
– Any implementation must be capable of surviving on the raw Internet, e.g., will not
break on any input

Again, I get the feeling we’re striving for a framework no one can attain. That’s not a good goal. This commandment sounds good on one hand, but one bullet and one implication make this taste bitter.

First, I agree that devices need to maintain their security when away from the nest. My caveat comes when a security policy needs to be updated or changed. What then? Does this not mean a digital form of sneakernet or centralized management? This makes me feel like our devices all need to be like H3 Hummers; tanks driving around the big bad roadways. Ugh.

The first two bullets are no-brainers. The third bullet sounds nice, until that last little bit. Will not break on any input. Well, that’s great. Again, a nice ideal, but trying to build perfect devices and security by using imperfect people is a stretch for me.

Next, I’m blocking commandments 6-8 into one section since they seem to cover similar ground.

All people, processes, technology must have declared and
transparent levels of trust for any transaction to take place

– Trust in this context is establishing understanding between contracting parties to conduct a transaction and the obligations this assigns on each party involved
– Trust models must encompass people/organisations and devices/infrastructure
– Trust level may vary by location, transaction type, user role and transactional risk

Mutual trust assurance levels must be determinable

– Devices and users must be capable of appropriate levels of (mutual) authentication for accessing systems and data
– Authentication and authorisation frameworks must support the trust model

Authentication, authorisation and accountability must interoperate / exchange outside of your locus / area of control

– People/systems must be able to manage permissions of resources and rights of users they don’t control
– There must be capability of trusting an organisation, which can authenticate individuals or groups, thus eliminating the need to create separate identities
– In principle, only one instance of person / system / identity may exist, but privacy necessitates the support for multiple instances, or once instance with multiple facets
– Systems must be able to pass on security credentials /assertions
– Multiple loci (areas) of control must be supported

I’m not really sure how to take these three commandments. It sounds like it would be satisfied with a global identification and trust system. That would certainly be fairly perimeterless! But that will never happen, especially in the US. In fact, it is that third bullet, about having trust levels varying, that make me still believe there are perimeters. When a trust level changes, that’s where you put some access control. Network access control. Anyway, I can’t be too dogged on these three commandments since I don’t fully get it.

So what we have so far is very heart-warming, feel-good idealistic goals for a global infrastructure (extrastructure?) utilizing perfect or near perfect protocols and devices that can withstand anything. Sorry, but what the fuck…?

jericho 1 – de-perimeterization and the jericho forum commandments
jericho 2 – the jericho forum and the de-perimeterization solution
jericho 3 – the first three commandments: the fundamentals
jericho 4 – commandments 4 – 8
jericho 5 – commandments 9-11
jericho 6 – my conclusions