
Re: ietf.org unaccessible for Tor users

2016-03-15 05:52:38
I'm going to express my personal views here, though I believe they're both 
cogent and sane:

On Mar 15, 2016, at 10:14 AM, Eliot Lear <lear(_at_)cisco(_dot_)com> wrote:
> On 3/15/16 9:20 AM, Jari Arkko wrote:
>> I don’t have a solution, but I wanted to say that I feel the pain.
>>
>> It is important that IETF documents are accessible via Tor.
>
> I'll bite: why is it important that IETF documents be accessible via Tor?

Because Tor is another browser - actually several browsers, especially with 
Orbot meaning that a **lot** of Android users transparently sit behind it - and 
Tor is being used by a huge number of people.

I have three distinct lines of thought regarding this:

= Accessibility =

We have long since left behind the world of "This Website is Best Viewed Using 
[browser] in 1024x768 Screensize!" - because accessibility is important.

We don't pick-and-choose what browsers people use to access websites any more, 
we embrace communication and leave them to render content in their preferred 
way, from Tor through Chrome to screen-readers.

= Threat Models =

Is it really in your best interests to block people from your website?

If you're mostly a read-only site - and the IETF site appears to be one such - 
then I would be amazed if a DDoS attack would come via Tor when it would be so 
much more effective and easier to set up coming from some random Botnet.

Simple economics suggest that the best way to knock the IETF website offline is 
to use a Botnet - so if (and perhaps I am wrong) the IETF wants to defend 
itself against DDoS, to block Tor is to defend yourself against the wrong tuple 
of (threat, actor) - if Tor is a threat to the IETF website at all.

If IETF was worried about having its content scraped-and-duplicated, yes I 
could totally see Tor as a risk to the IETF website; but I am not aware of that 
being part of the IETF threat model, else you'd require logged-in access 
already.

= Addresses Are Not People =

IP Reputation Systems are (at best) a hint, not a panacea, and we should 
remember that.

Elsewhere - to politicians, to activists - I've had to repeatedly explain that 
"1 IP Address != 1 Human Being", that you can't simply arrest the person who 
pays the ISP because their IP address apparently downloaded a movie; yet 
sometimes we are weirdly blind to the inverse, we seem happy to draw red lines* 
around chunks of internet space and call them "bad places", where only 
"unpeople" live.

It's not really logical to hold both perspectives firmly and simultaneously - 
sometimes an IP address is just one person.  And - conversely - behind those 
red lines drawn on the network map are an enormous number of normal, good 
people.  Probably more good people than bad.

So why make communication and participation harder for them?

    -a

* https://en.wikipedia.org/wiki/Redlining
