Hi, a couple of quick comments:
> NEW: > $ Traffic Analysis: The inference of information from observation > of traffic flows (presence, absence, amount, direction, timing, packet > size, packet composition, and/or > frequency), even if flows are encrypted. See [RFC4949]. I would add to these "identities of the communicating parties" and "location". > You end up having to reconcile accountability and anonymity. From a security > point of view, you want to fingerprint everybody so that you can identify the > person you dislike and send him/her to jail. From a privacy point of view, > you want a person to be able to communicate freely. The difference between "security" and "privacy" is, imho, dependent on the stakeholder whose security is to be protected, and not to the nature of the "security property" (accountability, anonymity). For example, we would call it "security" (even "national security") if the entity "communicating freely" was a military organization instead of an individual. So, if your perspective is the one of the entity in a position to perform surveillance (with the power to act based on the collected intelligence), then "security" tends to be equated with "accountability" (which often relies on some form of surveillance). If on the other hand your perspective is that of the entity being potentially subject to surveillance, then security would be closer to "anonymity". If that entity is a gov/commercial organization, then "security" is the term likely to be used for the properties you want to achieve, while for those same properties "privacy" is the usual term when the entity is a private individual. Best regards Claudia PS: wishing i had more time to look into the full document and all the discussions. _______________________________________________ ietf-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-privacy
