I've just read draft-farrell-perpass-attack-02 again. It carefully doesn't discuss political, legal or societal issues. It discusses monitoring and surveillance as a security threat model and states that the IETF will specify technical counter-measures to this threat model. That is well within the IETF's remit. Whether implementors and operators choose to implement the resulting counter- measures is a separate question that does have political, legal or societal aspects.
I think that Bruce's concerns apply to deployment, not to the IETF's work. Regards Brian On 05/12/2013 00:13, Stephane Bortzmeyer wrote: > [List of recipients trimmed to be more reasonable.] > > On Tue, Dec 03, 2013 at 05:25:40PM -0800, > Bruce Perens <[email protected]> wrote > a message of 37 lines which said: > >> I have written a reply to draft-farrell-perpass-attack-00 >> Please read it at >> [1]http://perens.com/works/ietf/perpass/appropriate-response/01.pdf > > I fully agree with the idea that the problem is *political* and should > receive a *political* response. However, as you noted, IETF is not a > political forum and is not the right place for this sort of > action. But, if the *main* response should be political, the IETF can > still *help* by making mass surveillance more difficult. It is a > general principle in security: make laws but do not neglect technical > measures to make the lives of the attackers more difficult. We have > laws against burglary, for instance, but we still develop better > locks, and for good reasons. So, yes, the work of perpass is perfectly > legitimate and reasonable. > >> Attacks on consumer privacy by commercial entities are generally >> within the domain of civil law. > > IANAL but this does not seem to me to be true. In my country, > collecting illegal personal data is a criminal offense. > >> Technical attacks by sovereign powers are in general justified by >> those powers as being part of law enforcement. The justice of such >> enforcement is the topic of political discourse and the >> courts. [...] Technical responses to attacks on individual privacy >> by sovereign entities may be held as acceptable, criminal, or even >> treasonous conduct by those entities. [...] The proposers and >> implementers of systems intended to hinder law enforcement are >> arguably a criminal or treasonous conspiracy. > > But the Internet is international. My surveillance (not me, > personally, but because it monitors everyone) by the NSA is certainly > illegal in my country. Whether or not it is legal in the USA is > irrelevant to me. Therefore, any technical measure against it is fair > game. > >> None of these things [static JS or CSS files] are secret and there >> is little reason to obscure an individual's access to them. > > Excuse me, but it seems you did not participate in the many > discussions about privacy in the last ten years. It is now well-known > that any information can be processed and used to find out about > users. Monitoring access to these files is one of the simplest means > to deduce (from the pattern of access) what an user is doing. There > are therefore many reasons to obscure it. > >> There is also an energy cost: the electricity wasted by all of this >> encryption would likely result in megatons of additional carbon >> emitted from the burning of fossil fuel for electric generation, as >> well as otherwise-avoidable social and economic costs of renewable >> energy sources. > > Is there a serious comparison somewhere about the relative cost of > encryption when we routinely access HD video files? I am not sure at > all that encryption is the main cost. > >> Unfortunately, encryption doesn't help with this. The information >> being collected comes predominantly from web servers and browser >> tool bars, which are on the ends of the communication where it is >> necessarily decrypted. The server owners and software providers >> profit from using or selling user data. > > Indeed, that's the main weakness of RFC 6973. But it is not a reason > to avoid encryption, because there are still threats by sniffing > third-parties. We have many holes by which private information > leak. We try to plug these holes. All of them. (Remember that the NSA > has PRISM, with the participation of the big Web silos like Google or > Facebook, but also has MUSCULAR - spying on unencrypted links - > because they prefer to have belts *and* suspenders. Following this > line, we have to secure both the endpoints and the links.) > >> It's almost universally held within the working groups that users >> can't be responsible for their own security, > > It is not IETF-specific, it is the opinion of most security experts, > backed by many observations and studies. This is not contempt, just > the recognition that a message "X.509 certificate has the wrong > issuer, do you want to continue?" is not easy to analyse and to act > upon, even for an expert. It is not fair to ask Mr Smith to decide > based on this information. He knows nothing about security (and that's > fine with me, I don't blame him for that, I know nothing about Mr > Smith's own area of expertise) > > (Go to <https://ietf.org/> if you want a good laugh.) > > > _______________________________________________ > perpass mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/perpass > _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
