Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

Hiya,

For the record...

On 12/13/2013 01:13 PM, Eliot Lear wrote:
> Stephen,
> 
> On 12/13/13 2:04 PM, Stephen Farrell wrote:
>>
>> Anyway, how's this for a suggestion, say placed somewhere near
>> the end of section 2:
>>
>>    Working groups and other sources of IETF specifications
>>    need to be able to describe how they have considered
>>    pervasive monitoring, and if the attack is relevant to
>>    their work, to be able to justify related design
>>    decisions.
>>
>>    This does not mean that a new "pervasive monitoring
>>    considerations" is required in Internet-drafts or
>>    other documentation - it simply means that, if asked,
>>    there needs to be a good answer to the question "is
>>    pervasive monitoring relevant to this work and if so
>>    how has it been addressed?"
>>
>>
> 
> Thank you, that is precisely the sort of text I was looking for.

I just had a chat with Stewart Bryant about these changes
and he suggested one further tweak to the above. His concern
was that we shouldn't e.g. jump on the first minor new spec
tweak to come out of some WG and insist that the WG go back
and fix years of earlier work to be better at dealing with
the pervasive monitoring attack, if that spec is just say
defining some new TLV or mail header field or something
and doesn't have anything to do with the attack really.

So that'd be something like:

    Working groups and other sources of IETF specifications
    need to be able to describe how they have considered
    pervasive monitoring, and if the attack is relevant to
    the work to be published, to be able to justify related
    design decisions.

    This does not mean that a new "pervasive monitoring
    considerations" is required in Internet-drafts or
    other documentation - it simply means that, if asked,
    there needs to be a good answer to the question "is
    pervasive monitoring relevant to this work and if so
    how has it been addressed?"

The change is s/their work/the work to be published/
which seems like a good change to me so I'll incorporate
that.

The intent here is not to hand out a get-out-of-jail card
but rather to encourage us to ask the questions about
pervasive monitoring at the appropriate times and not
have it as a big stick that's used to beat up every
innocent little Internet-draft:-)

Cheers,
S.



