There are a lot more threats to privacy than just the NSA

We currently do not have a concise catalog of the basic 'privacy' threats
and their typical mitigations, appropriate for concern with IETF
protocols. In effect, every new protocol effort must start with a blank
sheet, and invent its own list of threats and possible protections
against them.

One common outcome from this is that we tend to think of very localized
mechanisms, rather than end-to-end. So we assume a model of things
being one-hop or we implicitly trust intermediaries. (Hint, the web is
often not 1-hop, what with proxies, etc...)

We need privacy templates for protocol design.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net