ietf

Re: Hum theatre

2013-11-06 21:44:41

On Nov 6, 2013, at 6:23 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

    The IETF needs to press for careful attention to privacy
    concerns in its work, including protection against surveillance.

         [ ]  No
         [ ]  Yes
         [ ]  Don't Yet Know
         [ ]  Don't Care

I guess that as a technologist I need a little more information.

First, as the questions were asked this morning and as you suggested they might 
have been reworded, the implication of a "yes" is that we will go back to each 
protocol we have deployed or in design and "do something" to make it more 
private, including protection against surveillance. I'm not sure we're likely 
to, for example, change RFC 791 to make it less available to surveillance, or 
for that matter RFC 2640. I'm not sure exactly how to change UDP, TCP, SCTP, 
and so on. Yes, there are some fields that could probably be encrypted, and 
doing so using IPsec ESP has some value in terms of integrity checking end to 
end. But I'm not sure that this would have an impact on privacy. ICMP? ARP? ND? 
OSPF? IS-IS?

So if the question is "all protocols", I'm not sure it is appropriate for all 
of our protocols to be changed, because I'm not sure that they face threats 
that we can effectively mitigate.

As we get further up-stack, the application of TLS or DTLS, and anything that 
would help with pervasive use of OpenPGP-or-whatever, would be a good thing. 
Where we have protocols that could usefully use TLS/DTLS and don't, we can 
address that, and I suspect it might be appropriate for the relevant working 
groups to amend their charters accordingly. In those cases, I would agree that 
the IETF SHOULD (not "needs to", this is a question of will and direction, not 
necessity) pay careful attention to privacy concerns in its work, including 
protection against surveillance.

After that, it's operational. If a site is deploying http and we might prefer 
it used https, running out and changing the protocol isn't going to fix 
anything. The operator of the site in question needs to change protocols to 
https - or something like that.

So, which protocols are under discussion, and what security/monitoring/privacy 
threats does each face? Where our protocols face legitimate threats, yes, we 
SHOULD address them. 

I'm not sure feel-good statements say much.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
