
Re: Re: Fwd: W3C/IAB workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)

2014-01-16 11:45:57
Hi Hector, 
 
with fingerprinting we are actually referring to what is defined in RFC 6973 as:
 
   $ Fingerprinting:  The process of an observer or attacker uniquely
      identifying (with a sufficiently high probability) a device or
      application instance based on multiple information elements
      communicated to the observer or attacker.  See [EFF].

There has been some work on that topic by the W3C and you can find an 
interesting, work-in-progress document maintained by Nick Doty at: 
http://w3c.github.io/fingerprinting-guidance/
 
Fingerprinting has been discussed in the context of the Do Not Track work and 
is of particular interest to advertising companies. 
 
Ciao
Hannes
 
 
Sent: Thursday, 16 January 2014 at 16:58
From: "Hector Santos" <hsantos(_at_)isdg(_dot_)net>
To: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
Cc: IETF-Discussion <ietf(_at_)ietf(_dot_)org>
Subject: Re: Fwd: W3C/IAB workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)
What I found interesting is the itemized STRINT question:

How realistic is it to not be fingerprintable on the web and
Internet?

Like it's a foregone conclusion it is already too late. If we are
literally talking about "fingerprints" well, we already have a major
vendor, probably the most significant one at present, that has opened
that can of worms. Of course, I'm referring to Apple's TouchID with
the iPhone 5S.

Part of the problem in all this is the business, social engineering
ethics in these architectural decisions, which is increasingly more
market related. So I wonder if it's realistic to even ponder:

As a security rule of thumb, should systems first consider NOT
introducing "fingerprints" or identification methods without having
protection for users?

It's a different way of thinking -- sometimes you just "Don't do it"
unless you are 100% sure you can do it right.

It's a great idea, but surely it will be leveraged, exploited and
somehow, one way or another, inevitably, besides the advertisement
market, the government, policing agencies will want access to the huge
database of fingerprints or "identification tokens," of course, in the
name of security, to search a person of interest for the closest match.

The IETF has the ethics document RFC1087. I have asked if anyone
believes this should be updated. Surely this is tied to PM. Odd. It
seems odd no one seems to think it needs to be updated. I
don't see the PM draft reference it. Should it? I think so, and this
RFC1087 document SHOULD be updated.

Anyway, we will be competing with business market pressures and these
PM related issues most likely boil down to ethical principles which
have changed over the years. We have a new generation of
"Infopreneurs" who surely do not have the same mindset for design
engineering "taboos," in fact, it's natural to consider that
unrestricted communications is the norm.

--
HLS


On 1/16/2014 7:53 AM, Stephen Farrell wrote:

And as is traditional, we've added a few days:-)

Final deadline is end of Monday Jan 20 anywhere
on Earth (== 1200 UTC Jan 21). And that will be
a hard deadline.

There's also a bit more logistics stuff now at [1].

Cheers,
S.

[1] https://www.w3.org/2014/strint/

On 01/09/2014 01:55 PM, Stephen Farrell wrote:

Folks, submissions are starting to roll in so this is
a reminder to send yours by Jan 15. We'll be posting
more logistics next week(-ish) as well in case you're
wondering.

Thanks,
S.


-------- Original Message --------
Subject: W3C/IAB workshop on Strengthening the Internet Against
Pervasive Monitoring (STRINT)
Date: Sun, 1 Dec 2013 10:48:15 -0500
From: IAB Chair <iab-chair(_at_)iab(_dot_)org>
To: IETF Announce <ietf-announce(_at_)ietf(_dot_)org>
CC: IAB <iab(_at_)iab(_dot_)org>, IETF <ietf(_at_)ietf(_dot_)org>


W3C/IAB workshop on Strengthening the Internet
Against Pervasive Monitoring (STRINT)
======================================

Logistics/Dates:

Submissions due: Jan 15 2014
Invitations issued: Jan 31 2014
Workshop Date: Feb 28 (pm) & Mar 1 (am) 2014
To be Confirmed - could be all day Mar 1
Location: Central London, UK. IETF Hotel or nearby (TBC)
For queries, contact: stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie, 
tech(_at_)strews(_dot_)eu
Send submissions to: group-strint-submission(_at_)w3(_dot_)org
Workshop web site: http://www.w3.org/2014/strint/

The Vancouver IETF plenary concluded that pervasive monitoring
represents an attack on the Internet, and the IETF has begun to
carry out various of the more obvious actions [1] required to
try to handle this attack. However, there are additional much
more complex questions arising that need further consideration
before any additional concrete plans can be made.

The W3C and IAB will therefore host a one-day workshop on the
topic of "Strengthening the Internet Against Pervasive
Monitoring" before IETF-89 in London in March 2014, with support
from the EU FP7 STREWS [2] project.

Pervasive monitoring targets protocol data that we also need for
network manageability and security. This data is captured and
correlated with other data. There is an open problem as to how
to enhance protocols so as to maintain network manageability and
security but still limit data capture and correlation.

The overall goal of the workshop is to steer IETF and W3C work
so as to be able to improve or "strengthen" the Internet in the
face of pervasive monitoring. A workshop report in the form of
an IAB RFC will be produced after the event.

Technical questions for the workshop include:

- What are the pervasive monitoring threat models, and what is
their effect on web and Internet protocol security and privacy?
- What is needed so that web developers can better consider the
pervasive monitoring context?
- How are WebRTC and IoT impacted, and how can they be better
protected? Are other key Internet and web technologies
potentially impacted?
- What gaps exist in current tool sets and operational best
practices that could address some of these potential impacts?
- What trade-offs exist between strengthening measures, (e.g.
more encryption) and performance, operational or network
management issues?
- How do we guard against pervasive monitoring while maintaining
network manageability?
- Can lower layer changes (e.g., to IPv6, LISP, MPLS) or
additions to overlay networks help?
- How realistic is it to not be fingerprintable on the web and
Internet?
- How can W3C, the IETF and the IRTF better deal with new
cryptographic algorithm proposals in future?
- What are the practical benefits and limits of "opportunistic
encryption"?
- Can we deploy end-to-end crypto for email, SIP, the web, all
TCP applications or other applications so that we mitigate
pervasive monitoring usefully?
- How might pervasive monitoring take form or be addressed in
embedded systems or different industrial verticals?
- How do we reconcile caching, proxies and other intermediaries
with end-to-end encryption?
- Can we obfuscate metadata with less overhead than TOR?
- Considering meta-data: are there relevant differences between
protocol artefacts, message sizes and patterns and payloads?

Position papers (maximum of 5 pages using 10pt font or any
length Internet-Drafts) from academia, industry and others that
focus on the broader picture and that warrant the kind of
extended discussion that a full day workshop offers are the most
welcome. Papers that reflect experience based on running code
and deployed services are also very welcome. Papers that are
proposals for point-solutions are less useful in this context,
and can simply be submitted as Internet-Drafts and discussed on
relevant IETF or W3C lists, e.g. the IETF perpass list. [3]

The workshop will be by invitation only. Those wishing to attend
should submit a position paper or Internet-Draft. All inputs
submitted and considered relevant will be published on the
workshop web page. The organisers (STREWS project participants,
IAB and W3C staff) will decide whom to invite based on the
submissions received. Sessions will be organized according to
content, and not every accepted submission or invited attendee
will have an opportunity to present as the intent is to foster
discussion and not simply to have a sequence of presentations.

[1] http://down.dsg.cs.tcd.ie/misc/perpass.txt
[2] http://www.strews.eu/
[3] https://www.ietf.org/mailman/listinfo/perpass