On Jul 1, 2011, at 11:55 AM, Scott Brim wrote: > On Fri, Jul 1, 2011 at 14:34, Joel Jaeggli <[email protected]> wrote: >> >> On Jul 1, 2011, at 11:07 AM, Martin Rex wrote: >>> james woodyatt wrote: >>>> >>>> There is nothing about NAT or >>>> dynamic subscriber IP assignment that provides any mitigation >>>> whatsoever of the risks >>> >>> I'm more than a little concerned by the message that you're sending >>> here. European legislators have enacted a "E-Privacy Directive" >>> also dubbed "European Cookie Directive" in order to protect the >>> privacy of citizens, and you're suggesting here that the IETF >>> should actively subvert this legislation and similar ongoing >>> legislative initiatives in the US by assigning static IPv6 >>> addresses to home DSL subscribers so that cookies are completely >>> obviated and everyone can be trivially tracked based on his >>> static IP-Address. This means you want to make IPv6 addresses >>> and all communications with that address direct personally >>> identifiable information, something for which a "must informed >>> beforehand", let alone an "opt opt" is technically impossible? >> >> The IETF has several times veered away from the deep water where internet >> standards cross paths with regulatory requirements. >> >> http://tools.ietf.org/html/rfc2804 >> >> We are not legal experts we are not qualified to interpret the statutory >> requirements of various nation states, our own or others. We need to be >> clear on what is in vs out of scope for IETF work. Focus on what would be >> percieved to be in the best interests the users and the network. Nation >> states will do whatever they do and sovereign by definition can impose >> whatever mandate they find necessary on their network operations and >> citizens. > > Joel, the issue is very clear: what the IETF does must not make > privacy and confidentiality impossible. It's not just some arbitrary > regulation from a committee, there are whole cultures who take this > very seriously. You cite the wiretapping decision -- note we didn't > make wiretapping impossible, we just didn't support it. In this case > it is very easy to make privacy (the right to control personal > information) and confidentiality (the right to know that private > information you share with one party will be kept within that scope) > impossible -- that's a position you may not take as someone making the > Internet work, since the ultimate stakeholders are those humans out at > the edges. See also "Changes to Internet Architecture Can Collide > With Privacy" <http://www.ietf.org/proceedings/79/slides/intarea-3.pdf> > for a discussion of mobility.
You and I are in complete agreement when is comes to not making privacy or confidentiality impossible... Where I object strenuously is when a directive wether it comes from the EU, the USA or the PRC becomes the consideration for framing a debate. The dictates of sovereigns are likely effectively impossible to reconcile if included fully in this space. in 2804 the summary position is quite succinct in this regard: The IETF has decided not to consider requirements for wiretapping as part of the process for creating and maintaining IETF standards. We know therefore without equivocation where a doucment like the following fits in the IETF standards context. http://tools.ietf.org/html/rfc3924 we do not disallow the publication of such a document, in fact we should enoucorage it. but we also don't design to the soverign's requirements in the protocol specific. > When you think "oh right, I have to come up with a security > considerations section", include privacy and confidentiality > implications in your checklist of things to think about. In this context if we fail that badly we have a problem. > As to the technical issues here, higher layers don't need to use IP > addresses as identifiers, they have their own. The only layer that > needs to care about IP addresses is the IP layer itself. Privacy > addresses are well-defined and well-deployed. The only issue with > using them is monitoring and logging activity. The first hop router > can make the necessary correlations, but some access providers think > that's expensive. Lawsuits over breach of confidentiality can be even > more expensive. So is reworking protocols when a third of the world > won't use them. > > Scott > _______________________________________________ Ietf mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf
