On Fri, Jul 1, 2011 at 12:12 PM, Joel Jaeggli <joe...@bogus.com> wrote:
>
> On Jul 1, 2011, at 11:55 AM, Scott Brim wrote:
>
>> On Fri, Jul 1, 2011 at 14:34, Joel Jaeggli <joe...@bogus.com> wrote:
>>>
>>> On Jul 1, 2011, at 11:07 AM, Martin Rex wrote:
>>>> james woodyatt wrote:
>>>>>
>>>>>                                    There is nothing about NAT or
>>>>> dynamic subscriber IP assignment that provides any mitigation
>>>>> whatsoever of the risks
>>>>
>>>> I'm more than a little concerned by the message that you're sending
>>>> here.  European legislators have enacted an "E-Privacy Directive"
>>>> also dubbed "European Cookie Directive" in order to protect the
>>>> privacy of citizens, and you're suggesting here that the IETF
>>>> should actively subvert this legislation and similar ongoing
>>>> legislative initiatives in the US by assigning static IPv6
>>>> addresses to home DSL subscribers so that cookies are completely
>>>> obviated and everyone can be trivially tracked based on his
>>>> static IP-Address.  This means you want to make IPv6 addresses
>>>> and all communications with that address direct personally
>>>> identifiable information, something for which a "must informed
>>>> beforehand", let alone an "opt opt" is technically impossible?
>>>
>>> The IETF has several times veered away from the deep water where internet 
>>> standards cross paths with regulatory requirements.
>>>
>>> http://tools.ietf.org/html/rfc2804
>>>
>>> We are not legal experts; we are not qualified to interpret the statutory
>>> requirements of various nation states, our own or others. We need to be
>>> clear on what is in vs out of scope for IETF work. Focus on what would be
>>> perceived to be in the best interests of the users and the network. Nation
>>> states will do whatever they do and sovereign by definition can impose 
>>> whatever mandate they find necessary on their network operations and 
>>> citizens.
>>
>> Joel, the issue is very clear: what the IETF does must not make
>> privacy and confidentiality impossible.  It's not just some arbitrary
>> regulation from a committee, there are whole cultures who take this
>> very seriously.  You cite the wiretapping decision -- note we didn't
>> make wiretapping impossible, we just didn't support it.  In this case
>> it is very easy to make privacy (the right to control personal
>> information) and confidentiality (the right to know that private
>> information you share with one party will be kept within that scope)
>> impossible -- that's a position you may not take as someone making the
>> Internet work, since the ultimate stakeholders are those humans out at
>> the edges.  See also "Changes to Internet Architecture Can Collide
>> With Privacy" <http://www.ietf.org/proceedings/79/slides/intarea-3.pdf>
>> for a discussion of mobility.
>
> You and I are in complete agreement when it comes to not making privacy or
> confidentiality impossible...
>
> Where I object strenuously is when a directive whether it comes from the EU,
> the USA or the PRC becomes the consideration for framing a debate. The 
> dictates of sovereigns are likely effectively impossible to reconcile if 
> included fully in this space.
>


Based on some "Wikipedia research", there are some regulations about
browser cookies, and no mention of IP addresses.

There is some mention about web servers not retaining info without an
opt-out clause...  My analysis is very high level, I don't have the
details, but at first brush it seems like there is some conflation
going on here between cookies and IP addresses and what a home network
looks like vs what web servers retain in their logs.

I fail to see how this is an IPv4 vs IPv6 issue?  Static vs Dynamic?

Cameron

> In 2804 the summary position is quite succinct in this regard:
>
>   The IETF has decided not to consider requirements for wiretapping as
>   part of the process for creating and maintaining IETF standards.
>
> We know therefore without equivocation where a document like the following
> fits in the IETF standards context.
>
> http://tools.ietf.org/html/rfc3924
>
> We do not disallow the publication of such a document, in fact we should
> encourage it. But we also don't design to the sovereign's requirements in the
> protocol specific.
>
>> When you think "oh right, I have to come up with a security
>> considerations section", include privacy and confidentiality
>> implications in your checklist of things to think about.
>
> In this context if we fail that badly we have a problem.
>
>> As to the technical issues here, higher layers don't need to use IP
>> addresses as identifiers, they have their own.  The only layer that
>> needs to care about IP addresses is the IP layer itself.  Privacy
>> addresses are well-defined and well-deployed.  The only issue with
>> using them is monitoring and logging activity.  The first hop router
>> can make the necessary correlations, but some access providers think
>> that's expensive.  Lawsuits over breach of confidentiality can be even
>> more expensive.  So is reworking protocols when a third of the world
>> won't use them.
>>
>> Scott
>>
>
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
>