Yeah, I think it's quite reasonable for a shepherd to ask the developers of a spec how they have considered PM, and see if it at least passes a sniff test.

Eliot

On 1/15/14 2:10 PM, Stephen Farrell wrote:
>
> On 01/14/2014 10:00 PM, Melinda Shore wrote:
>> On 1/14/14 12:45 PM, Fred Baker (fred) wrote:
>>> So the question in the shepherd's report should not be "tell me you
>>> thought about the EU Data Retention Initiative and whether your
>>> protocol's data identifies an individual". It should be "what
>>> personal, equipment, or session identifiers, encrypted or otherwise,
>>> are carried in your protocol? How might they be correlated with
>>> offline data or otherwise used to infer the identity or behavior of
>>> an individual?"
>> I agree - I think this is a useful framing, beyond the question
>> of actual traffic inspection. It's pretty clear that there's
>> been a lot of data mining, as well, and we haven't thought very
>> carefully about what we may be leaking inadvertently. This is
>> particularly a concern as efforts like geonet start to ramp
>> up.
> I do like the idea that shepherds would report on this topic
> (or more generally on security and privacy) in their write-ups,
> but have a genetic dislike of the way we used to have a
> 1000-point questionnaire for shepherds to fill in. And a lot
> of the current shepherd write-ups we get tend to be out of
> date wrt e.g. IPR so I'm pretty convinced that we shouldn't
> hardcode shepherd write-ups into RFCs on this topic, since
> that level of process is liable to change relatively often.
> OTOH, as a "new" thing for WGs to consider, it might be
> quite useful if shepherds are prompted to not forget about
> pervasive monitoring.
>
> So I'm in two minds here really.
>
> I figure that this is something where we'll have to learn as
> we go. Maybe we should look at a tool that randomly (but
> not uniformly randomly) picks a small number of hard questions
> from a long list and asks the shepherd to answer those. Sort
> of a write-up bingo;-)
>
> I'd be interested if someone wanted to start work on some
> WG-chair/shepherd guidance for how to consider pervasive
> monitoring. That'd likely take a while to get baked, and
> would maybe end up not (just) as an RFC, but as training
> material and/or an IESG statement or something, but could
> easily start as an I-D. Any takers?
>
> S
>
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
