Re: [perpass] Commnets on draft-farrell-perpass-attack-00 was RE: perens

On 12/05/2013 02:41 PM, Josh Howlett wrote:
> Stephen,
>
> Yes I agree its necessary, but its not the hard part of the problem.
> We are focusing on implementation detail, 
Great, I think we agree on that, maybe with slightly
different emphases.

> at the expense of the meaty
> political problems; namely, (1) establishing the level of monitoring
> civil society is willing to tolerate (on the spectrum none to
> pervasive) and (2) building whatever legislative consensus is
> necessary to enforce that. 
Those may be good things for folks to do in various other
places, but I don't think they're for the IETF to do.

Cheers,
S.

> Moving straight to (3) the solution space
> may deliver specs and running code, but not the motivations to deploy
> it (or worse, incentives not to). I applaud the effort, even if it
> only serves to incrementally improve on the status quo, but given
> your adversaries I fear it is already doomed before it has started.
> Seriously, best of luck anyway :-)
>
> Josh. ________________________________ From: Stephen
> Farrell<mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> Sent: 
> ‎05/‎12/‎2013 12:41 
> To: Josh Howlett<mailto:Josh(_dot_)Howlett(_at_)ja(_dot_)net> Cc:
> perpass<mailto:perpass(_at_)ietf(_dot_)org>; IETF
> Discussion<mailto:ietf(_at_)ietf(_dot_)org> Subject: Re: [perpass] Commnets on
> draft-farrell-perpass-attack-00 was RE:
> perens-perpass-appropriate-response-01
>
>
> Josh,
>
> On 12/05/2013 12:28 PM, Josh Howlett wrote:
> > Hi Stephen,
> >
> > I absolutely agree that the technical work is necessary, but it is
> > not sufficient.
> So you agree this draft is necessary? If so, good.
>
> Nobody (sensible) claimed it was sufficient by itself to stop 
> pervasive monitoring. It can nonetheless improve the Internet in any
> case, both when considering the pervasive monitoring threat and other
> threats. If e.g. the UTA WG is chartered later today then what
> they're going to do, which is directly spurred by this overall
> discussion, could significantly improve e.g. SMTP security.
>
> > The political environment controls the legal and regulatory
> > environment within which CEOs, their lawyers, and the other minions
> > whose role is to minimise corporate risk exposure, take the
> > decisions on which products and services reach the market.
> >
> > The technical community can obviously choose to do the work
> > regardless, but in the absence of conformant products and services
> > it runs the risk of being a paper exercise.
> That seems to apply to any new work that anyone does in the IETF and
> is not a reason to do nothing.
>
> > I am sympathetic to your argument that the technical work could
> > happen in advance of policy,
> That is not my argument. The technical work should happen and for
> technical reasons.
>
> > but that hands the advantage to the adversary who can use this
> > intelligence to advance blocking political measures.
> Game theory is fun, but not particularly productive for this draft
> IMO. That'd be more relevant for specific bits of protocol work where
> it might be the case that one could consider how an adversary could
> react to a particular mitigation for this or other threats. At the
> level of this draft I don't think there's anything useful to be done
> in that respect.
>
> Cheers, S.
>
> > I also agree that it is unfortunate that none of the numerous
> > acronyms that claim to have a remit in Internet policy are working
> > with the technical community. In the majority of the capitols of
> > Europe there is clearly a political appetite to roll pervasive
> > monitoring back, and these acronyms would be pushing on an open
> > door (and, in fairness, perhaps they already are but it is not
> > obvious to the outside world). It is not far from Geneva to
> > Brussels...
> >
> > Josh.
> >
> > On 05/12/2013 11:09, "Stephen Farrell" 
> > <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
> > wrote:
> >
> > > Josh,
> > >
> > > On 12/05/2013 10:53 AM, Josh Howlett wrote:
> > > > I fully support action to increase security, where it responds
> > > > to the prevailing threat environment. But it will be a
> > > > perpetuation of the naivety that has characterised this debate
> > > > to think that this alone will halt pervasive monitoring,
> > > > because the threat is not technical in nature.
> > > Personally, I think anyone using the argument that "you can't
> > > solve the problem therefore do nothing" is talking about the same
> > > amount of nonsense as anyone who says "the IETF can halt
> > > pervasive monitoring."
> > >
> > > You don't quite say either of those above, but neither do you 
> > > acknowledge that the draft in question, and all the sensible
> > > discussion (which is far from all the discussion;-) around that
> > > fully acknowledges that the technical things that can and should
> > > be done are only part of the story.
> > >
> > > > The technical response must be coordinated with a political
> > > > response, or else the perpetrators will find political means to
> > > > route around the technical measures.
> > > I disagree with "must be coordinated" for various reasons.
> > >
> > > Given the time it takes for us to do our part, which is measured 
> > > in years before we get good deployment, imposing a requirement to
> > > start with coordination would mean doing nothing ever.
> > >
> > > Secondly, with whom would we coordinate? Again, trying to impose 
> > > a requirement for coordination with a non-existent Internet-wide 
> > > political entity is tantamount to doing nothing.
> > >
> > > If some other folks outside the IETF are working on the same 
> > > issues that'll be good or bad, and for some such activities
> > > it'll be useful for us to know about and consider them. And maybe
> > > it'll be useful for others to know what we're up to, but we
> > > should not wait.
> > >
> > > > The political response shouldn't be organised within the IETF,
> > > > but it does need to liaise with those responsible for doing
> > > > that.
> > > "The" political response? You expect only one? Again, I don't 
> > > think we should hang around waiting - we should document the 
> > > consensus from Vancouver and then follow that through in our 
> > > normal work within working groups and elsewhere - considering 
> > > threats, including this one, as we develop protocols.
> > >
> > > > Unfortunately I am not observing any movement by any of the
> > > > other parties within our wonderful multi-stakeholder system
> > > > that you would think would be notionally responsible for this.
> > > > My fear is that they are opting to drink the technology
> > > > Kool-Aid, to avoid grasping the political nettle. That is what
> > > > should be concerning us right now.
> > > Fully disagree. Its us should be grasping nettles and working to
> > > improve the security and privacy properties of our protocols.
> > >
> > > Regards, S.
> >
> > Janet(UK) is a trading name of Jisc Collections and Janet Limited,
> > a not-for-profit company which is registered in England under No.
> > 2881024 and whose Registered Office is at Lumen House, Library
> > Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No.
> > 614944238
> >
> > _______________________________________________ perpass mailing
> > list perpass(_at_)ietf(_dot_)org 
> > https://www.ietf.org/mailman/listinfo/perpass
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>  not-for-profit company which is registered in England under No.
> 2881024 and whose Registered Office is at Lumen House, Library
> Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No.
> 614944238
>
> _______________________________________________ perpass mailing list 
> perpass(_at_)ietf(_dot_)org https://www.ietf.org/mailman/listinfo/perpass