On 12/16/2013 09:07 PM, Andrew Sullivan wrote:
> On Mon, Dec 16, 2013 at 08:39:47PM +0000, Stephen Farrell wrote:
>
>> I disagree. Even if X% of people agreed or approved or authorized
>> the attack, it would still be an attack.
>
> But this leads you immediately down the path to the objection that
> inspired my suggestion: lots of things that you might _want_ for
> yourself qualify as an attack under the draft as written. Google
> analytics is not an attack even under the slightly funny meaning of
> "attack" we're using here; it's a management tool. The draft actually
> makes this point, in that it notes that there's a tension between
> making networks manageable and mitigating pervasive monitoring. I
> think it's necessary to add some sort of indication of what principles
> can be used to resolve that tension.

Google analytics is not an IETF protocol though.

More generally, I don't think we can fully characterise that
tension as it'll have to be worked out as we do the work on real
protocols and learn what we learn.

I figure the right thing for now is to recognise that tension
and if it does resolve itself in future into some nice sharp
set of distinctions then we can update the BCP then. I doubt
it will though. But that's ok.

And don't forget that we are not here saying that all IETF
protocols MUST be proof against pervasive monitoring - email
for example isn't and we're not going to stop sending mail.
So I think it's just fine that we figure this out over time.

S.

>
> Best regards,
>
> A
>