SM,

> In the wake of the revelations about surveillance there have been some
> concerns about RFC 6302. I would be grateful if the authors of RFC
> 6302 could review the comments at
> http://www.ietf.org/mail-archive/web/ietf-privacy/current/msg00454.html
> and provide some feedback.

not one of the authors, but still: the document basically says that _if_ you log, you ought to log port numbers (and timestamps) in addition to IP addresses. The question whether to log (the _if_ above) is, in my reading, and hindsight, addressed (by way of abstention) by the paragraph starting:

    Discussions about data-retention policies are out of scope for this document. [...]

Of course, RFC 6302 is easily read as the IETF recommending "full" logging. I doubt that it is in the best interest of the IETF to be misinterpreted that lightly, but that was already the fact in June 2011. Changing the message to "IP address and timestamp might not be sufficient to identify a system or user" and not calling it a "BCP" has an odd chance of mitigating the misunderstandings.

An IETF position on "do or do not log" is likely irrelevant given (competing, conflicting) regulatory requirements and legislation/court rulings on data protection.

-Peter

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
