On 25/04/2018 01:25, Ted Lemon wrote:
> On Apr 24, 2018, at 9:11 AM, <[email protected]>
> <[email protected]> wrote:
>> What sort of trade-offs can be added to Dave’s document? Do you have in mind
>> something like:
>> (1)
>> - Warranting that logging may be misused for tracking users?
>> - Logging information can be used for profiling users?
>> - Not logging is also an option?
>
> I don't think Dave's document is a good starting point. Amelia (I think it
> was Amelia) already pointed out a number of things to talk about: for
> example, if you are going to log source ports, it should be possible to log
> them only when doing so is necessary, and not log them at other times.
I have trouble with that. When a user complains that "my transaction at 23:59
UTC
yesterday failed", it's too late to switch on logging. So I think in practice,
logging
for problem debugging needs to be switched on 24x7. Similarly for abuse
detection,
since you can't predict when abuse will happen. I don't think there's a get out
of jail card here. The problem is what happens to the logged data later, and
that
is a regulatory issue that the IETF can do absolutely, utterly nothing about.
Brian
> This is a meaningful technical point that would have clear implications in
> the code that got written. It's not just a platitude to put in the privacy
> considerations section. That's what I have in mind too.
>
> So yes, of course we should say "there are problems with logging source
> ports, and these are some examples of the problems doing so can cause."
>
> TBH, if I were an open source implementor, I would just ignore any advice
> about logging source ports, so if you want the document to have any relevance
> in that space, you have to give such people a reason for doing it and a basis
> for doing as little harm as possible.
>
>
>
>
> _______________________________________________
> Int-area mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/int-area
>
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
