On Tue, Feb 7, 2017 at 12:27 PM, Yoav Nir <ynir.ietf@xxxxxxxxx> wrote:
Reviewer: Yoav Nir
Review result: Has Nits
Hi
The document is well-written and understandable, but a few things
about it seem wrong:
Section 3 describes data minimization as "one of the core mitigations
for the loss of confidentiality". However, the only example given
where data minimization is used to mitigate confidentiality loss is
when browsers suppress cookies in private mode. The rest of the
examples given (HTTP proxies, recursive DNS, VPN) are such where the
data minimization is incidental to some other function. Nobody
deployed the HTTP proxy or the DNS server in order to enhance
privacy.
So, I would challenge "nobody" on the HTTP proxy front, but that's not the important piece here. The important piece is they generally do have a net privacy positive effect. That privacy positive effect is eliminated when metadata that would be concealed by normal operation is added back in. That's the converse of your statement: no one built an HTTP proxy or recursive DNS server in order to supply metadata.
Is there a specific place in the doc where more text would make this point clearer?
The HTTP proxy example in particular is not convincing. HTTP is
designed to work without proxies. Any data minimization provided
incidentally by a proxy is nothing that can be counted on,
I'm not sure what you mean by "counted on" here. Do you mean that you can't know the pool of other users and thus the number of times you'll be served from cache rather than getting new data?
so a
prohibition on restoring said data (especially in the case of a
server-side load balancer) is just not convincing. OTOH in DNS
recursive resolvers that hide the origin IP of the client are the norm
- Authoritative servers hardly ever get to see real addresses of
clients. In that case exposing the real IP address of the client shows
data that was not there before.
I believe the text should differentiate between cases where a network
element is not part of the normal function of the protocol and works
to undo the accidental data minimization that it causes,
So, I think "accidental" is a tricky word here. The use of a proxy or recursive resolver is generally speaking not "accidental". Data minimization is a consequence of normal operation, and what we're talking about is changing operations in order to change that data minimization. The core of the advice is that instead of changing the operation of the middlebox, change the operation of the device about which you desire data.
What would make that clearer?
and cases
where the network element is expected in the protocol and thus the
minimization is expected as well. I think the prescription in the text
applies to the latter. I am not convinced about the former
The VPN example is a strange one. If the subject is a corporate VPN,
then restoring the original IP addresses is the function of the VPN.
If, OTOH, VPN is that service that allows people to watch Hulu outside
of the US, then restoring the IP address would be counter-productive.
It is also strange to see VPN used as an example of "systems whose
primary function is not to provide confidentiality"
Well, it does two things: shifts the network locality of the endpoint using the VPN and masks who is shifting. I believe the first is the primary function and the second a common secondary property. If you would like different language on this, though, please let me know.
thanks for the review,
Ted