Thank you! Apologies for the hassle, I owe you beers:-) But seriously, thanks for sponsoring this and doing such a thorough job. S On 27 February 2014 11:51:21 GMT+00:00, IETF Chair <chair@xxxxxxxx> wrote: >The IESG has made a conclusion on draft-farrell-perpass [1]. This draft >was extensively discussed during the last call and within the IESG. As >you have seen, there has also been a number of document revisions and >changes based on the discussion. The last version reflected changes >that the IESG felt were necessary to move forward. > >It has not been an easy to task to determine what the final outcome >should be. The IESG took the approach that the document should reflect >community opinion, not just our opinions, even if many of us had strong >opinions on the topic. But even reflecting community opinion was not >easy. I have over 700 e-mails on this topic, some of those e-mails >focus on specific aspects, and the opinions and the draft changed as >the discussion progressed [2]. Nevertheless, I want to thank everyone >who has contributed on this topic. You really care about this topic, >and making the right recommendations at the IETF. Thank you. > >The IESG believed there eventually was consensus to publish the >document and our main question was whether the document should proceed >as initially planned (BCP) or whether it should be downgraded to >Informational. After a discussion we have concluded that there is >(very) rough consensus to publish the document as BCP. While there was >clearly no full consensus, we believe that issues were discussed >sufficiently to allow them to be addressed - even if no full agreement >with the entire group could be reached. > >There were three high-level concerns that I wanted to discuss in this >e-mail: > >1) Some forms of network management, traffic measurements, and similar >important tasks might be affected by a broad definition of pervasive >surveillance. We should obviously not make legitimate networking tasks >harder, and that was not the intent of the document. In the last >version, we believe that the the third last paragraph of Section 2 >clarifies this sufficiently. > >2) The document has too little specific guidance, making it difficult >to follow it as a rule (if the document is a BCP) and is easily subject >to mis- or over-application. The document is indeed thin on the >specific guidance. Its primary message is to say that pervasive >monitoring is yet another threat that we need to consider when working >on Internet technology. This seems inline with RFC 2026 notion that >BCPs can be "community's best current thinking on a statement of >principle". Also, we see positive signs about many of those more >specific details emerging in various documents. > >3) The document, particularly as a BCP, could be used to block >documents by ADs in an unreasonable fashion. There was considerable >concern about this. However, the IESG process for document approval is >most commonly not based on specific rules in existing RFCs, but rather >specific technical concerns of the individual AD reviewers. ADs >occasionally raise invalid issues on documents, and we expect (and get) >pushback when that happens. I have certainly made mistakes when filing >a Discuss. These are resolved through discussion. In more severe cases, >we have override procedures, appeals, discussions with the Nomcom, and >recall procedures to deal with these issues. In other words, if we >start from the assumption of a misbehaving AD, no new documents are >needed to file an inappropriate Discuss. Any AD can raise concerns >about pervasive monitoring under the current Discuss criteria, and this >document doesn't change that. We don't think this document will >significantly change things for the worse. However, the IESG felt that >there is an opportunity to clarify our procedures with regards to this >specific case: > >The IESG intends to make a change to its Discuss criteria statement >[3]. While the general thrust of the statement already indicates that >AD disagreement with informed WG consensus is a NOT an acceptable basis >for a discuss, we wanted to say that more explicitly in the specific >context of adequate consideration for pervasive monitoring issues. >Section 3.2 of the Discuss criteria statement is about criteria that >are not appropriate basis for a Discuss. We plan to say that while it >is generally necessary that IETF work considers the impact of specific >threats such as pervasive surveillance, informed and rational community >decisions about the particular protocols and the possible need for >mitigating mechanisms will be respected. > >In addition, there were a number of other issues that were discussed. >These included, for instance: > >- Request to not support more encryption, and a point that surveillance >can have good or useful motives. (Although there is little by way of >solutions in the current draft, and previous RFCs have already talked >at length about IETF position towards encryption.) > >- Argument that the document will lead to one concern dominating >others. (The draft says "... mitigate the technical aspects of PM, just >as we do for protocol vulnerabilities in general") > >- Architectural issues and separate legal/political remedies should be >brought up. (They are now.) > >- Whether to describe the issue as an attack or as indistinguishable >from an attack. (Current text is the result of the discussion started >by Stephen Kent.) > >- The textual style of the document is that it reads as "too offended". >(Some changes were done regarding this, but otherwise this comment was >considered to be in the rough.) > >- The document should include a checklist and more detailed actions. >(See 2 above. Also, various documents under development are more likely >to produce a more fine-grained guidance on specific issues.) > >This e-mail is a report of the IESG's conclusion on the matter. I will >proceed with the approval of the document in the next couple of days. > >References: > >[1] http://tools.ietf.org/html/draft-farrell-perpass-attack-06 >[2] >http://tools.ietf.org/rfcdiff?url1=draft-farrell-perpass-attack-02.txt&url2=draft-farrell-perpass-attack-06.txt >[3] https://www.ietf.org/iesg/statement/discuss-criteria.html > >Jari Arkko for the IESG