On Fri, Jul 1, 2011 at 12:12 PM, Joel Jaeggli <joelja@xxxxxxxxx> wrote: > > On Jul 1, 2011, at 11:55 AM, Scott Brim wrote: > >> On Fri, Jul 1, 2011 at 14:34, Joel Jaeggli <joelja@xxxxxxxxx> wrote: >>> >>> On Jul 1, 2011, at 11:07 AM, Martin Rex wrote: >>>> james woodyatt wrote: >>>>> >>>>> There is nothing about NAT or >>>>> dynamic subscriber IP assignment that provides any mitigation >>>>> whatsoever of the risks >>>> >>>> I'm more than a little concerned by the message that you're sending >>>> here. European legislators have enacted a "E-Privacy Directive" >>>> also dubbed "European Cookie Directive" in order to protect the >>>> privacy of citizens, and you're suggesting here that the IETF >>>> should actively subvert this legislation and similar ongoing >>>> legislative initiatives in the US by assigning static IPv6 >>>> addresses to home DSL subscribers so that cookies are completely >>>> obviated and everyone can be trivially tracked based on his >>>> static IP-Address. This means you want to make IPv6 addresses >>>> and all communications with that address direct personally >>>> identifiable information, something for which a "must informed >>>> beforehand", let alone an "opt opt" is technically impossible? >>> >>> The IETF has several times veered away from the deep water where internet standards cross paths with regulatory requirements. >>> >>> http://tools.ietf.org/html/rfc2804 >>> >>> We are not legal experts we are not qualified to interpret the statutory requirements of various nation states, our own or others. We need to be clear on what is in vs out of scope for IETF work. Focus on what would be percieved to be in the best interests the users and the network. Nation states will do whatever they do and sovereign by definition can impose whatever mandate they find necessary on their network operations and citizens. >> >> Joel, the issue is very clear: what the IETF does must not make >> privacy and confidentiality impossible. It's not just some arbitrary >> regulation from a committee, there are whole cultures who take this >> very seriously. You cite the wiretapping decision -- note we didn't >> make wiretapping impossible, we just didn't support it. In this case >> it is very easy to make privacy (the right to control personal >> information) and confidentiality (the right to know that private >> information you share with one party will be kept within that scope) >> impossible -- that's a position you may not take as someone making the >> Internet work, since the ultimate stakeholders are those humans out at >> the edges. See also "Changes to Internet Architecture Can Collide >> With Privacy" <http://www.ietf.org/proceedings/79/slides/intarea-3.pdf> >> for a discussion of mobility. > > You and I are in complete agreement when is comes to not making privacy or confidentiality impossible... > > Where I object strenuously is when a directive wether it comes from the EU, the USA or the PRC becomes the consideration for framing a debate. The dictates of sovereigns are likely effectively impossible to reconcile if included fully in this space. > Bases some "Wikipedia research", there is some regulations about browser cookies, and no mention of IP addresses. There is some mention about web servers not retaining info without an opt-out clause... My analysis is very high level, i don't have the details, but at first brush it seems like there is some conflation going on here between cookies and IP addresses and what a home network looks like vs what web servers retain in their logs. I fail to see how this an IPv4 vs IPv6 issue? Static vs Dynamic? Cameron > in 2804 the summary position is quite succinct in this regard: > > The IETF has decided not to consider requirements for wiretapping as > part of the process for creating and maintaining IETF standards. > > We know therefore without equivocation where a doucment like the following fits in the IETF standards context. > > http://tools.ietf.org/html/rfc3924 > > we do not disallow the publication of such a document, in fact we should enoucorage it. but we also don't design to the soverign's requirements in the protocol specific. > >> When you think "oh right, I have to come up with a security >> considerations section", include privacy and confidentiality >> implications in your checklist of things to think about. > > In this context if we fail that badly we have a problem. > >> As to the technical issues here, higher layers don't need to use IP >> addresses as identifiers, they have their own. The only layer that >> needs to care about IP addresses is the IP layer itself. Privacy >> addresses are well-defined and well-deployed. The only issue with >> using them is monitoring and logging activity. The first hop router >> can make the necessary correlations, but some access providers think >> that's expensive. Lawsuits over breach of confidentiality can be even >> more expensive. So is reworking protocols when a third of the world >> won't use them. >> >> Scott >> > > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf > _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf