On Wed, Jan 4, 2023 at 6:34 AM Vittorio Bertola <vittorio.bertola=40open-xchange.com@xxxxxxxxxxxxxx> wrote:
On 03/01/2023 11:27 CET John Mattsson <john.mattsson=40ericsson.com@xxxxxxxxxxxxxx> wrote:
- Threat Model: The IETF has failed to update the Internet Threat Model to include compromised endpoints, misbehaving endpoints, and large centralized information sources. This is very disappointing as these things were, and still are, major enablers for pervasive monitoring. Assuming compromise is an essential zero trust principle. The excellent IAB document RFC 7624 that talks about compromise and exfiltration deserves many more citations.
There were attempts to do this, and even a dedicated IAB program and mailing list, which was wrapped up without results just a few months ago.
Yes.
I still think this was a big fail; in fact, this implies that counteraction against surveillance capitalism practices can only happen elsewhere, at the regulatory level, as the IETF community either does not know what to do about it, or does not want to do anything about it.
I don't think this is true at all.
First, the IETF *is* working on issues around privacy and preventing various forms of surveillance capitalism. That's in part what initiatives like DoH, QUIC, TLS 1.3, ECH, OHAI, MASQUE etc. are about.
Second, many of the forms of surveillance that people are subject to just happen at a layer above where the IETF works, and are more relevant to W3C, and of course many people in the IETF community participate there.
-Ekr