ietf

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 10:24:39
hi Scott, all,

On Sep 6, 2013, at 3:45 PM, Scott Brim <scott(_dot_)brim(_at_)gmail(_dot_)com> wrote:

> I wouldn't focus on government surveillance per se.  The IETF should
> consider that breaking privacy is much easier than it used to be,
> particularly given consolidation of services at all layers, and take
> that into account in our engineering best practices.  Our mission is
> to make the Internet better, and right now the Internet's weakness in
> privacy is far from "better".

Indeed, pervasive surveillance is merely a special case of eavesdropping as a 
privacy threat, with the important difference that eavesdropping (as discussed 
in RFC 6973) explicitly has a target in mind, while pervasive surveillance 
explicitly doesn't. So what we do to improve privacy will naturally make 
surveillance harder, in most cases; I hope that draft-trammell-perpass-ppa will 
evolve to fill in the gaps.

> The mandatory security considerations
> section should become security and privacy considerations.  The
> privacy RFC should be expanded and worded more strongly than just nice
> suggestions.  Perhaps the Nomcom should ask candidates about their
> understanding of privacy considerations.

Having read RFC 6973 in detail while working on that draft, I'd say it's a very 
good starting point, and indeed even consider it required reading. We can 
certainly take its guidance to heart as if it were more strongly worded than it 
is. :)

Cheers,

Brian
