ietf
[Top] [All Lists]

Re: [perpass] draft-farrell-perpass-attack architecture issue

2014-01-14 16:10:26
On Tue, Jan 14, 2014 at 4:45 PM, Fred Baker (fred) <fred(_at_)cisco(_dot_)com> 
wrote:
So the question in the shepherd's report should not be "tell me you thought 
about the EU Data Retention Initiative and whether your protocol's data 
identifies an individual". It should be "what personal, equipment, or session 
identifiers, encrypted or otherwise, are carried in your protocol? How might 
they be correlated with offline data or otherwise used to infer the identity 
or behavior of an individual?"

The main problem is that: privacy issues are deeper than that, the
question could be misunderstood without a larger context, and there's
already a set of documents discussing most of that larger context (RFC
6973, the perpass problem statement draft, etc.).

The Document Shepherd Write-Up currently doesn't reference security
guidelines directly. Instead of asking a few specific questions in the
shepherd's writeup as you suggest, consider adding the privacy/perpass
docs to BCP 72 (which already includes RFC 3552) as they are approved,
and then optionally add a question to the shepherd's writeup that
refers to it, in order to emphasize the increased attention to the
issue.

Scott