On 12/05/2013 02:41 PM, Josh Howlett wrote:
> Stephen,
>
> Yes I agree it's necessary, but it's not the hard part of the problem.
> We are focusing on implementation detail,

Great, I think we agree on that, maybe with slightly different
emphases.

> at the expense of the meaty
> political problems; namely, (1) establishing the level of monitoring
> civil society is willing to tolerate (on the spectrum none to
> pervasive) and (2) building whatever legislative consensus is
> necessary to enforce that.

Those may be good things for folks to do in various other places,
but I don't think they're for the IETF to do.

Cheers, S.

> Moving straight to (3) the solution space
> may deliver specs and running code, but not the motivations to deploy
> it (or worse, incentives not to). I applaud the effort, even if it
> only serves to incrementally improve on the status quo, but given
> your adversaries I fear it is already doomed before it has started.
> Seriously, best of luck anyway :-)
>
> Josh.
> ________________________________
> From: Stephen Farrell<mailto:stephen.farrell@xxxxxxxxx>
> Sent: 05/12/2013 12:41
> To: Josh Howlett<mailto:Josh.Howlett@xxxxxx>
> Cc: perpass<mailto:perpass@xxxxxxxx>; IETF Discussion<mailto:ietf@xxxxxxxx>
> Subject: Re: [perpass] Commnets on draft-farrell-perpass-attack-00 was RE:
> perens-perpass-appropriate-response-01
>
>
> Josh,
>
> On 12/05/2013 12:28 PM, Josh Howlett wrote:
>> Hi Stephen,
>>
>> I absolutely agree that the technical work is necessary, but it is
>> not sufficient.
>
> So you agree this draft is necessary? If so, good.
>
> Nobody (sensible) claimed it was sufficient by itself to stop
> pervasive monitoring. It can nonetheless improve the Internet in any
> case, both when considering the pervasive monitoring threat and other
> threats. If e.g. the UTA WG is chartered later today then what
> they're going to do, which is directly spurred by this overall
> discussion, could significantly improve e.g. SMTP security.
>
>> The political environment controls the legal and regulatory
>> environment within which CEOs, their lawyers, and the other minions
>> whose role is to minimise corporate risk exposure, take the
>> decisions on which products and services reach the market.
>>
>> The technical community can obviously choose to do the work
>> regardless, but in the absence of conformant products and services
>> it runs the risk of being a paper exercise.
>
> That seems to apply to any new work that anyone does in the IETF and
> is not a reason to do nothing.
>
>> I am sympathetic to your argument that the technical work could
>> happen in advance of policy,
>
> That is not my argument. The technical work should happen and for
> technical reasons.
>
>> but that hands the advantage to the adversary who can use this
>> intelligence to advance blocking political measures.
>
> Game theory is fun, but not particularly productive for this draft
> IMO. That'd be more relevant for specific bits of protocol work where
> it might be the case that one could consider how an adversary could
> react to a particular mitigation for this or other threats. At the
> level of this draft I don't think there's anything useful to be done
> in that respect.
>
> Cheers, S.
>
>>
>> I also agree that it is unfortunate that none of the numerous
>> acronyms that claim to have a remit in Internet policy are working
>> with the technical community. In the majority of the capitals of
>> Europe there is clearly a political appetite to roll pervasive
>> monitoring back, and these acronyms would be pushing on an open
>> door (and, in fairness, perhaps they already are but it is not
>> obvious to the outside world). It is not far from Geneva to
>> Brussels...
>>
>> Josh.
>>
>> On 05/12/2013 11:09, "Stephen Farrell" <stephen.farrell@xxxxxxxxx>
>> wrote:
>>
>>>
>>> Josh,
>>>
>>> On 12/05/2013 10:53 AM, Josh Howlett wrote:
>>>>
>>>> I fully support action to increase security, where it responds
>>>> to the prevailing threat environment. But it will be a
>>>> perpetuation of the naivety that has characterised this debate
>>>> to think that this alone will halt pervasive monitoring,
>>>> because the threat is not technical in nature.
>>>
>>> Personally, I think anyone using the argument that "you can't
>>> solve the problem therefore do nothing" is talking about the same
>>> amount of nonsense as anyone who says "the IETF can halt
>>> pervasive monitoring."
>>>
>>> You don't quite say either of those above, but neither do you
>>> acknowledge that the draft in question, and all the sensible
>>> discussion (which is far from all the discussion;-) around that
>>> fully acknowledges that the technical things that can and should
>>> be done are only part of the story.
>>>
>>>> The technical response must be coordinated with a political
>>>> response, or else the perpetrators will find political means to
>>>> route around the technical measures.
>>>
>>> I disagree with "must be coordinated" for various reasons.
>>>
>>> Given the time it takes for us to do our part, which is measured
>>> in years before we get good deployment, imposing a requirement to
>>> start with coordination would mean doing nothing ever.
>>>
>>> Secondly, with whom would we coordinate? Again, trying to impose
>>> a requirement for coordination with a non-existent Internet-wide
>>> political entity is tantamount to doing nothing.
>>>
>>> If some other folks outside the IETF are working on the same
>>> issues that'll be good or bad, and for some such activities
>>> it'll be useful for us to know about and consider them. And maybe
>>> it'll be useful for others to know what we're up to, but we
>>> should not wait.
>>>
>>>> The political response shouldn't be organised within the IETF,
>>>> but it does need to liaise with those responsible for doing
>>>> that.
>>>
>>> "The" political response? You expect only one? Again, I don't
>>> think we should hang around waiting - we should document the
>>> consensus from Vancouver and then follow that through in our
>>> normal work within working groups and elsewhere - considering
>>> threats, including this one, as we develop protocols.
>>>
>>>> Unfortunately I am not observing any movement by any of the
>>>> other parties within our wonderful multi-stakeholder system
>>>> that you would think would be notionally responsible for this.
>>>> My fear is that they are opting to drink the technology
>>>> Kool-Aid, to avoid grasping the political nettle. That is what
>>>> should be concerning us right now.
>>>
>>> Fully disagree. It's us should be grasping nettles and working to
>>> improve the security and privacy properties of our protocols.
>>>
>>> Regards, S.
>>>
>>
>>
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited,
>> a not-for-profit company which is registered in England under No.
>> 2881024 and whose Registered Office is at Lumen House, Library
>> Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No.
>> 614944238
>>
>> _______________________________________________
>> perpass mailing list
>> perpass@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/perpass
>>