It isn’t just about connections, though. Connections are just one example of resumable sessions. The things to worry about apply to all resumable sessions.
-=R From: QUIC <[email protected]> on behalf of Lucas Pardue <[email protected]> Date: Monday, June 7, 2021 at 7:20 PM To: Christian Huitema <[email protected]> Cc: "Roy T. Fielding" <[email protected]>, IETF QUIC WG <[email protected]>, Stephane Bortzmeyer <[email protected]>, Spencer Dawkins at IETF <[email protected]> Subject: Re: A question about user tracking with QUIC Hey Spencer, Christian, On Tue, Jun 8, 2021 at 2:58 AM Christian Huitema <[email protected]<mailto:[email protected]>> wrote: On 6/7/2021 6:50 PM, Spencer Dawkins at IETF wrote: Hi, Lucas, On Mon, Jun 7, 2021 at 4:22 PM Lucas Pardue <[email protected]><mailto:[email protected]> wrote: Hi, Speaking as an individual. Through the lens of server-side observation and linking of clients, I think Christian makes astute observations on some common concerns and QUIC-specific ones. Roy too makes some great additional observations about the context of discussion. Agreed. Very helpful. It seems to me this topic might well do with some time to draw out the considerations for documentation. However, the applicability draft is already through a second round of WGLC, and that timeline seems too tight for inclusion of such considerations. I would seem to me that the PEARG (Privacy Enhancements and Assessments Research Group) [1] is ideally suited towards housing effort on deeper/broader analysis of privacy aspects of protocol evolution (I might even stick a note in for multipath TCP as something that moves the needle on privacy of "legacy" application protcols). Ignoring the question of PEARG interest in this topic for now, I'm assuming that these observations would likely end up in an Informational RFC, is that right? An IRTF RG can publish Informational and Experimental RFCs, but not BCPs or standards-track documents that must be published in the IETF stream, so that would be an important question to answer early. That. The IRTF is not the IETF. IRTF research groups are best for analyzing difficult research issues. But if we end up doing something like "privacy considerations for QUIC clients", IMHO that belongs in the IETF, not the IRTF. Not disagreeing with either of you here. Although perhaps I was thinking more broadly that QUIC-specific concerns, and something more like "privacy considerations of long-lived and resumable connections for protocol design and user agents". This to me would appear to me to fit some of PEARG's charter goals such as: "Formulate better models for analyzing and quantifying privacy risks", "Offer guidance on the use of emerging techniques and new uses of existing ones", and "engage with other organisations e.g. PETS, SOUPS, W3C and the Privacy Interest Group therein". Others could disagree with me, and I'd encourage them to express an opinion so we can figure it all out. I guess I was speculating that the process of work in an RG might actually help us determine the right type of text (if anything) that should be written for affected protocols. That could provide input into concrete consideration for protocol designers or deployers, best written in an IETF WG. The best place for QUIC work is this WG. Cheers, Lucas
