At 09:48 03-12-2013, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:
- 'Pervasive Monitoring is an Attack'
<draft-farrell-perpass-attack-02.txt> as Best Current Practice
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2013-12-31. Exceptionally, comments may be

First of all, I'll thank Mary Barnes for the minutes.
According to the minutes "the [removed] has turned the Internet into a
giant surveillance platform". Quoting some extracts:
"This is the lessons of the [removed]'s attempt to collect contact
lists from the Internet backbone. If you saw the data, they got
about ten times as much information from [removed] users than from
[removed] users, even though I'm sure the ratio of users is the
reverse. The reason? [removed] uses SSL by default; [removed] does
not."
I don't see anything in draft-farrell-perpass-attack-02 which might
mitigate the above.
An interesting point from the minutes is:
"there was no cost to cooperate because your cooperation would be secret.
Now companies have to assume that it will be public. There's been huge
losses of sales, mostly foreign, hardware manufacturers, software, cloud
providers. And there is a PR benefit in fighting. And more companies
are realizing that."
It looks like it will be embarrassing for companies caught
collaborating with the adversaries.
The minutes mentioned that:
"We were safer when our email was at 10,000 ISPs than when it's
at ten. Fundamentally, it makes it easier for the NSA and others
to collect. So anything to disperse targets makes sense."
There was an interesting comment:
"The other thing is that we need to kind of actually work on
describing the threat model in a way that would be useful to
people doing work in the IETF."
And:
"First of all, I think it's pretty clear that in the past, we
have considered certain attacks improbable. I think it is now clear
that any attack we can imagine is sufficiently probable that we can --
should consider it."
And:
"All people want to protect the privacy. However, there are
tradeoffs. One danger I feel is, if we put too strong encryption
then probably some government would not try to connect Internet
directly."
Most of the discussion was about encrypting as much as possible. It
is difficult to determine whether going for full-blown encryption
will motivate some government not to allow direct connections to the
Internet. At the enterprise level, it is likely that the network
people will want to prohibit direct connections. Schools usually
seek to do that as students are not that studious when they are given
full access to the Internet.

At 20:45 03-12-2013, Jari Arkko wrote:
I would like to see this document as a high-level policy we have on
dealing with this particular type of vulnerabilities in the
Internet. A little bit like RFC 3365 "Danvers Doctrine" was on weak
vs. strong security. Please remember that the details and tradeoffs
for specific solutions are for our WGs to consider and not spelled
out here. The draft does say "where possible" - I do not want to
give the impression that our technology can either fully prevent all
vulnerabilities or do it in all situations. There are obviously
aspects that do not relate to communications security (like access
to content by your peer) and there are many practical considerations
that may not make it possible to provide additional privacy
protection even when we are talking about the communications part.
But I do believe we need to consider these vulnerabilities and do our best.

I don't see anything in draft-farrell-perpass-attack-02 which is a
little bit like the "Danvers Doctrine". Some of the alternatives are:
(i) Consider any attack as sufficiently probable and document it [1].
(ii) Have the draft discuss centralization [2].
Regards,
-sm
1. Credits to the person who suggested that.
2. There was a comment about that.