On Wed, Oct 4, 2017 at 9:34 AM, <stephen.farrell@xxxxxxxxx> wrote:
>
> On Wednesday, 4 October 2017, Tom Herbert wrote:
>> On Wed, Oct 4, 2017 at 7:57 AM, Phillip Hallam-Baker
>> <phill@xxxxxxxxxxxxxxx> wrote:
>> > On Fri, Sep 29, 2017 at 2:31 PM, Stephen Farrell <stephen.farrell@xxxxxxxxx>
>> > wrote:
>> >>
>> >> As currently described, I oppose creation of this working
>> >> group on the basis that it enables and seemingly encourages
>> >> embedding identifiers for humans as addresses. Doing so
>> >> would have significant privacy downsides, would enable
>> >> new methods for censorship and discrimination, and could
>> >> be very hard to mitigate should one wish to help protect
>> >> people's privacy, as I think is current IETF policy.
>> >>
>> >> If the work precluded the use of any identifiers that
>> >> strongly map to humans then I'd be ok with it being done
>> >> as it'd then only be a waste of resources. But I don't
>> >> know how that could be enforced so I think it'd be better
>> >> to just not do this work at all.
>> >>
>> >> S.
>> >
>> > +1
>> >
>> > I know how to restrict the work to 'meaningless' identifiers: require that
>> > the identifiers be the output of a cryptographic algorithm.
>> >
>> > Now strictly speaking, this only limits scope to identifiers that are
>> > indexical as opposed to rendering them meaningless, but I think that was the
>> > sense of it.
>> >
>> > Nöth proposed a trichotomy of identifiers as follows:
>> >
>> > * Identity, the signifier is the signified (e.g. data: URI)
>> >
>> > * Indexical, the signifier is related to the signified by a systematic
>> > relationship (e.g. ni URIs, SHA256Data, PGP fingerprints etc.)
>> >
>> > * Names, the signifier is related to the signified by a purely
>> > conventional relationship (e.g. example.com to its owner)
>> >
>> > There is a big difference between attempting to manage indexical signifiers
>> > and names. Especially when the people trying to do so refuse to read any of
>> > the literature on semiotics.
>> >
>> > Names are problematic because the only way that a conventional relationship
>> > can be implemented is through some sort of registration infrastructure, and
>> > we already have one of those, and the industry that manages it has a
>> > market cap in the tens of billions.
>> >
>> > Identifiers do lead to tractable solutions. But this proposal looks a bit
>> > unfocused for IRTF consideration; an IETF WG? Really?
>> >
>> Identifiers are equivalent to addresses in that they indicate a node
>> in the network for the purposes of end to end communications. The only
>> difference between identifiers and addresses is that identifiers are
>> not topological. Virtual addresses in network virtualization are also
>> identifiers. So the security properties are the same when considering
>> privacy. For instance, if applications use temporary addresses for
>> privacy, it would have equivalent properties using temporary
>> identifiers. In fact, from the application POV this would be
>> transparent. It could get a pool of apparently random addresses to
>> choose from as source of communication; it shouldn't know or even care
>> if the addresses are identifiers.
>>
>> Identity is a completely separate concept from identifiers. It is not
>> required in any of the identifier/locator protocols and AFAIK none of
>> them even mention the term. There is no association of an identity of a
>> user behind an identifier any more than there is an association of
>> identity behind an IP address. The fact that the words "identifier" and
>> "identity" share a common prefix is an unfortunate happenstance :-).
>
> Yes. But doesn't that mean either the name of this effort is wildly
> misleading or else the effort is hugely problematic from a privacy POV?
> Either way, istm this ought not proceed.
>
Stephen,

There are two distinct efforts represented in IDEAS. One is developing a
common identifier/locator mapping system and the other is identity
management. IMO the first is much more tangible and it's clear this is
needed given the emergence of id/loc use in data center, mobile networks,
as well as network virtualization. The identity effort is less clear in
terms of feasibility, privacy, and benefits -- there might be something
there, but honestly it looks much more like a research project to me at
this point.

Tom
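Two points in the thread can be made concrete: Phillip's suggestion that identifiers be "the output of a cryptographic algorithm" (indexical, verifiable by recomputation, carrying no human-readable meaning), and Tom's observation that temporary identifiers give an application the same privacy properties as temporary addresses. The following Python is an added example written for this page; it is not code from the thread, from IDEAS, or from any id/loc implementation. It assumes the "ni URI" layout of RFC 6920 (`ni:///sha-256;<base64url digest>`), and the epoch-scoped derivation, the label string `idloc-epoch-N`, and the sample inputs are constructed for illustration only.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample inputs (not from the thread).
SAMPLE_DOC = b"Hello World!"
SAMPLE_SECRET = b"constructed-long-term-node-secret"


def ni_uri(data: bytes) -> str:
    """Indexical identifier in the style of an RFC 6920 ni URI:
    ni:///sha-256;<base64url(SHA-256(data)) with '=' padding stripped>.
    The identifier is computed from its referent, so the relationship is
    systematic rather than conventional, and the string itself says nothing
    about who or what is behind it."""
    digest = hashlib.sha256(data).digest()
    b64 = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"ni:///sha-256;{b64}"


def verify_ni(uri: str, data: bytes) -> bool:
    """Check an identifier against a claimed referent by recomputing it.
    A name such as example.com admits no such check; only a registry can
    say who it belongs to."""
    return hmac.compare_digest(uri.encode("ascii"), ni_uri(data).encode("ascii"))


def epoch_identifier(stable_secret: bytes, epoch: int) -> str:
    """Temporary identifier for one epoch, derived from a long-term secret
    with HMAC-SHA-256 (constructed scheme). The holder of the secret can
    reproduce and link its own identifiers across epochs; an observer sees
    values that look independent, the identifier-space analogue of
    temporary addresses."""
    label = f"idloc-epoch-{epoch}".encode("ascii")
    return hmac.new(stable_secret, label, hashlib.sha256).hexdigest()[:32]


def identifier_pool(n: int, nbytes: int = 16) -> list[str]:
    """Pool of apparently random identifiers an application can draw from
    as its source; it need not know whether they are addresses or
    identifiers."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


if __name__ == "__main__":
    uri = ni_uri(SAMPLE_DOC)
    print("indexical identifier :", uri)
    print("verifies against doc :", verify_ni(uri, SAMPLE_DOC))
    print("tampered doc verifies:", verify_ni(uri, SAMPLE_DOC + b"!"))
    for e in (1, 2):
        print(f"epoch {e} identifier :", epoch_identifier(SAMPLE_SECRET, e))
    print("random pool          :", identifier_pool(3))
```

The `verify_ni` check is what distinguishes the indexical case from a name: anyone holding the referent can confirm the identifier without consulting a registry. `epoch_identifier` shows the mitigation Tom alludes to, rotating identifiers so that a stable node secret does not surface as a stable, trackable identifier on the wire; whether a deployment actually rotates is a policy choice the mechanism does not enforce, which is the gap Stephen's objection is about.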