Hi Yoav,
On 12/15/2013 6:39 AM, Yoav Nir wrote:
On Dec 14, 2013, at 6:49 PM, Hector Santos <hsantos(_at_)isdg(_dot_)net> wrote:
Personally, I think all (new) IETF documents need a greater review in regards
to their ethical and moral impact on society.
And to think that less than 9 years ago, RFC 4041 was considered an April
Fool's RFC.
Yoav
Its a new normal, I suppose. RFC2821 once believed that "an arrogant
user" was a small email problem:
7.1. Mail Security and Spoofing
This specification does not further address the authentication issues
associated with SMTP other than to advocate that useful functionality
not be disabled in the hope of providing some small margin of
protection against an ignorant user who is trying to fake mail.
Its update, RFC5321, still believes its a small problem but the user
is no longer arrogant:
This specification does not further address the authentication issues
associated with SMTP other than to advocate that useful functionality
not be disabled in the hope of providing some small margin of
protection against a user who is trying to fake mail.
We understand why it was done, but really, how silly was all that to
begin with!? This (spoofing potential) was a known issue since RFC821
and it predated with other mail networking protocols was well!
The mindset does need to change.
Of course, the dilemma is how does the IETF community get involved in
the growth of applications increasing leverage data that was once
considered private or out of bounds for transmission? How does it
provide its input?
Good example, did Apple open a can of worms, "Pandora's Box" with its
iPhone 5S "Touch ID" technology? Does this introduce all sorts of
future pervasive privacy, security, monitoring, tracking, identify
theft, etc, problems at all levels? The BI value of this will be
tremendous, but commercially and for national security. This
automation in user identification will be leverage, no doubt, MBA 101.
Bank it. Consider, can the government issue a court order to obtain
the database of the billions of Touch ID fingerprint recordings in the
name of security, searching for person of interest Apple Network of
users? Surely, this issue will be before us one day.
I'm just winging it, perhaps an IETF security-based I-D that suggest
what kinds of data MUST|SHOULD|MAY NOT collected, stored nor
transmitted over the internet? Already done?
Anyway, I don't think every author, developer can muster all system
level things that can be considered. This is why we do need the
"Internet/IETF Elders" to be involved in the ethical and moral reviews
of these super fast tracked documents, and mind you, now increasingly
proposed as a "Standard" as opposed as just informational, new
documents to see if the docs themselves are not ultimately April's
fools jokes.
It probably will not change much, but it will at least make people
(future developers) think, a few times, about what they are doing.
Perhaps it will just slow it down. I'm sure many of us has gone thru
this in the past where we could of been billionaires if we just were
not so god darn ethical with user private data. We didn't expose it,
not because we know it was not possible, but it was just wrong to do so.
Thanks
--
HLS