On 4/7/2017 12:37 PM, Eliot Lear wrote:
On 4/7/17 5:24 AM, Martin Thomson wrote:
To the extent that we have the tools necessary to protect against pervasive
monitoring, we have to accept that more-legitimate uses of monitoring are
collateral[...]
... DAMAGE.
You couldn't even say the word.
The whole point of the document is to expand upon the implications of
what operational practices are impacted in an encrypted world. That
doesn't mean people should stop encrypting, but it does mean that we
should understand what is breaking. To do otherwise is to stick our
heads in the sand. Let's not do that. And let's not question whether a
particular function is "legitimate" which ironically applies a value
judgment, something that you yourself complained about.
Better to focus on whether the impact of encryption has indeed been well
documented.
Having read draft-mm-wg-effect-encrypt-10, I agree with Martin. This
draft is hard to read, and provides a confusing mix of business goals,
techniques, and complaints. My personal recommendation, like Martin's,
is that it would benefit from a thorough rewrite before publication.
I also agree with Martin's recommendation to leave QUIC out of this
business, since it is not standardized yet. The proper place for the
QUIC related text is in a contribution to the QUIC WG.
The draft presents a number of practices, but does not really articulate
practices and business goals. In fact, it starts from the practices,
instead of starting from the goals. My recommendation would be to start
by articulating the "business goals" such as Parental Control, Spam
Filtering, Phishing Prevention, Data Leak Prevention, Insertion of
Super-Cookies, Traffic Engineering, Traffic Prioritization, Data
Compression, Traffic Intercept, Censorship, or Load Balancing. The draft
could then explain how each of these goals are performed by a variety of
techniques, some of which are deployed on the end points, and some other
at various places in the network using a variety of techniques,
including header analysis and deep packet inspection. And then the draft
could have another section explaining how network-based techniques may
or may not be affected by the deployment of encryption.
As a bonus point, we could also note that many of the business goals are
somewhat controversial, and state the controversy.
But the current draft is too confusing for being endorsed by the IETF.
-- Christian Huitema
Eliot
ps: but I agree with your point about statistics.
signature.asc
Description: OpenPGP digital signature