On Feb 26, 2013, at 14:11 , Claudia Diaz <[email protected]> wrote:
>
> On 26 Feb 2013, at 09:45:38, SM wrote:
>
>> Hi Claudia,
>> At 13:15 25-02-2013, Claudia Diaz wrote:
>>> If that entity is a gov/commercial organization, then "security" is the
>>> term likely to be used for the properties you want to achieve, while for
>>> those same properties "privacy" is the usual term when the entity is a
>>> private individual.
>>
>> There is currently a security considerations section in every IETF RFC. The
>> draft recommends having a privacy considerations section too. The question
>> which can arise is in which section the perspective should be covered. In
>> other words it is about how to disambiguate between security and privacy.
>
>
> It's a tough one: I am not sure you can fully disambiguate the two terms if
> you are considering general-purpose protocols.

For the purposes of debate, I am going to try.

Security problem: something unintended happened which gave an attacker/opponent access to data, systems, or capability which was not an expected part of the identified system/protocol.

Privacy problem: operation of the system/protocol gives undesirable exposure of private information not strictly needed for the operation desired.

If you combine them, then indeed the privacy problem may well get worse.

So, for example, the fact that on the internet your IP address is exposed as part of the protocol also gives your respondent probable knowledge of your location, and hence time of day. No rules were broken to see your IP address or draw conclusions from it - there was no 'break-in' or security hole that was taken advantage of.

David Singer
Multimedia and Software Standards, Apple Inc.

_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
