Hiya,
For the record...
On 12/13/2013 01:13 PM, Eliot Lear wrote:
> Stephen,
>
> On 12/13/13 2:04 PM, Stephen Farrell wrote:
>> Anyway, how's this for a suggestion, say placed somewhere near
>> the end of section 2:
>>
>> Working groups and other sources of IETF specifications
>> need to be able to describe how they have considered
>> pervasive monitoring, and if the attack is relevant to
>> their work, to be able to justify related design
>> decisions.
>>
>> This does not mean that a new "pervasive monitoring
>> considerations" is required in Internet-drafts or
>> other documentation - it simply means that, if asked,
>> there needs to be a good answer to the question "is
>> pervasive monitoring relevant to this work and if so
>> how has it been addressed?"
>
> Thank you, that is precisely the sort of text I was looking for.
I just had a chat with Stewart Bryant about these changes
and he suggested one further tweak to the above. His concern
was that we shouldn't e.g. jump on the first minor new spec
tweak to come out of some WG and insist that the WG go back
and fix years of earlier work to be better at dealing with
the pervasive monitoring attack, if that spec is just say
defining some new TLV or mail header field or something
and doesn't have anything to do with the attack really.
So that'd be something like:
Working groups and other sources of IETF specifications
need to be able to describe how they have considered
pervasive monitoring, and if the attack is relevant to
the work to be published, to be able to justify related
design decisions.
This does not mean that a new "pervasive monitoring
considerations" is required in Internet-drafts or
other documentation - it simply means that, if asked,
there needs to be a good answer to the question "is
pervasive monitoring relevant to this work and if so
how has it been addressed?"
The change is s/their work/the work to be published/
which seems like a good change to me so I'll incorporate
that.
The intent here is not to hand out a get-out-of-jail card
but rather to encourage us to ask the questions about
pervasive monitoring at the appropriate times and not
have it as a big stick that's used to beat up every
innocent little Internet-draft:-)
Cheers,
S.