Hi Hannes,

Thanks for writing draft-tschofenig-perpass-surveillance-00. I wish I could muster the powers needed to make text.

Generally, I lack information about what's often called meta-data or traffic data and the key issue here -- linkability. I don't really know what I want to say here. I started a private thread with Stephen about a month ago but then dropped the ball. It's quite broad and I don't know how to tackle it really.

Should 2.2 mention IPv4? Widely (heh) deployed protocol leaking meta-data by design. I think it should be touched upon even if we don't expect changes to it. Maybe that's exactly why we must mention it somewhere -- some people do not grasp it while others might be hesitant to touch the issue. IPv6 is another one. I bet there are more.

Typos and other minor things:

- Is the expiry date 2014-04-24 correct?
- 2.1. s/a a/a/1
- 2.1. s/'crypto-aglity'/'crypto-agility'/1
- 2.2. s/exploided/exploited/1
- 2.4. last sentence "With the juridiction [...]" needs some love.
- 3. copied from another document
- 6. [10] and [11], swap Nadia and IETF

Http vs https. (Flogging a dead horse?)

- 6. the following URLs could and should be https rather than http:
  http://packetstormsecurity.com/files/105499/Browser-Exploit-Against-SSL-TLS.html
  http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
  http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
- 6. (and other places) the following URLs should be https even if they redirect to https, both for educational reasons and for security/privacy (not leaking the full URL, not having to trust that a hijacker doesn't eat the redirect):
  http://www.ietf.org/mail-archive/web/perpass/current/maillist.html
  http://datatracker.ietf.org/drafts/current/
- 6. (and other places) the following URLs should have a warning about not being https or perhaps have their content mirrored on a site providing https (with a proper certificate):
  http://boingboing.net/2013/08/05/anti-tor-malware-reported-back.html
  http://fileperms.org/whatsapp-is-broken-really-broken/ (bad certificate)
  http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/ (bad certificate)
  http://www.tschofenig.priv.at (bad certificate)
  http://trustee.ietf.org/license-info (404)

_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
