--On Monday, April 06, 2015 19:22 +0100 Stephen Farrell
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> wrote:
And I quite simply disagree with this approach. I think FTP
provides an interesting test case and context under which to
consider the more general question.
Really? I honestly don't get why FTP is at all "interesting"
from the privacy of access POV. Can you explain?
I don't know what Ned's answer to that is, but I addressed it in
my earlier note on the subject.
Observing again that what I'm about to say is very nearly
irrelevant to the question of whether IETF should eliminate a
particular FTP service...
Unless we have reached the point that the only way that we can
think about privacy is in terms of simple end to end connections
and encrypted tunnels (and I don't think we have), then FTP's
model of separate (and potentially asynchronous) command and
data connections, the ability to select data ports from either
end, and the possibility of third-party transfers would seem to
pose some interesting security and privacy opportunities as well
as challenges.
To the extent that our privacy concerns extend to not wanting to
leak information from the relationship between a single client
and a single server, forcing both connection channels into the
same pipe (however encrypted) casts off several opportunities.
I'm not sure whether they are worth exploiting, but not
examining them and discarding or deprecating FTP on the grounds
that it is an ancient protocol doesn't seem like good
engineering to me.
john