On 12/16/2013 09:07 PM, Andrew Sullivan wrote:
On Mon, Dec 16, 2013 at 08:39:47PM +0000, Stephen Farrell wrote:
I disagree. Even if X% of people agreed or approved or authorized
the attack, it would still be an attack.
But this leads you immediately down the path to the objection that
inspired my suggestion: lots of things that you might _want_ for
yourself qualify as an attack under the draft as written. Google
analytics is not an attack even under the slightly funny meaning of
"attack" we're using here; it's a management tool. The draft actually
makes this point, in that it notes that there's a tension between
making networks managable and mitigating pervasive monitoring. I
think it's necessary to add some sort of indication of what principles
can be used to resolve that tension.
Google analytics is not an IETF protocol though. More generally,
I don't think we can fully characterise that tension as it'll
have to be worked out as we do the work on real protocols and
learn what we learn. I figure the right thing for now is to
recognise that tension and if it does resolve itself in future
into some nice sharp set of distinctions then we can update the
BCP then. I doubt it will though. But that's ok.
And don't forget that we are not here saying that all IETF
protocols MUST be proof against pervasive monitoring - email
for example isn't and we're not going to stop sending mail.
So I think its just fine that we figure this out over time.
S.
Best regards,
A