Hi Yoav,
On 12/15/2013 6:39 AM, Yoav Nir wrote:
> On Dec 14, 2013, at 6:49 PM, Hector Santos <hsantos@xxxxxxxx> wrote:
>> Personally, I think all (new) IETF documents need a greater review in regards to their ethical and moral impact on society.
>
> And to think that less than 9 years ago, RFC 4041 was considered an April Fool's RFC.
>
> Yoav

It's a new normal, I suppose. RFC2821 once believed that "an arrogant
user" was a small email problem:

7.1. Mail Security and Spoofing

   This specification does not further address the authentication issues
   associated with SMTP other than to advocate that useful functionality
   not be disabled in the hope of providing some small margin of
   protection against an ignorant user who is trying to fake mail.

Its update, RFC5321, still believes it's a small problem but the user
is no longer arrogant:

   This specification does not further address the authentication issues
   associated with SMTP other than to advocate that useful functionality
   not be disabled in the hope of providing some small margin of
   protection against a user who is trying to fake mail.

We understand why it was done, but really, how silly was all that to
begin with!? This (spoofing potential) was a known issue since RFC821
and it predated with other mail networking protocols as well!
The mindset does need to change.
Of course, the dilemma is how does the IETF community get involved in
the growth of applications increasingly leveraging data that was once
considered private or out of bounds for transmission? How does it
provide its input?
Good example, did Apple open a can of worms, "Pandora's Box" with its
iPhone 5S "Touch ID" technology? Does this introduce all sorts of
future pervasive privacy, security, monitoring, tracking, identity
theft, etc, problems at all levels? The BI value of this will be
tremendous, both commercially and for national security. This
automation in user identification will be leveraged, no doubt, MBA 101.
Bank it. Consider, can the government issue a court order to obtain
the database of the billions of Touch ID fingerprint recordings in the
name of security, searching for a person of interest in the Apple Network of
users? Surely, this issue will be before us one day.
I'm just winging it, perhaps an IETF security-based I-D that suggests
what kinds of data MUST|SHOULD|MAY NOT be collected, stored or
transmitted over the internet? Already done?
Anyway, I don't think every author, developer can muster all system
level things that can be considered. This is why we do need the
"Internet/IETF Elders" to be involved in the ethical and moral reviews
of these super fast tracked documents, and mind you, now increasingly
proposed as a "Standard" as opposed to just informational, new
documents to see if the docs themselves are not ultimately April
Fools' jokes.
It probably will not change much, but it will at least make people
(future developers) think, a few times, about what they are doing.
Perhaps it will just slow it down. I'm sure many of us have gone through
this in the past where we could have been billionaires if we just were
not so god darn ethical with user private data. We didn't expose it,
not because we know it was not possible, but it was just wrong to do so.
Thanks
--
HLS