On 10/01/2017 05:06 PM, Christian Huitema wrote:
> In short, careless applications of the ID/LOC architecture could easily
> result in serious privacy issues. The proposed charter does include a
> brief statement about privacy:
Agreed.
> - Analysis of the concepts of identity-identifier split and dynamic
> identifier changes, including their implications on anonymity and privacy.
> Explicitly, the framework must define privacy requirements and how potential
> extensions/solutions should meet them.
> This is a good start, but the whole concept of "unique identifiers" is
> scary, and I would like to see this expanded. For example, I would like
> to see an explicit reference to a baseline, e.g. assuring no privacy
> downgrade compared to IPv6 temporary addresses, or assuring that hosts
> that elect to not be tracked when roaming across networks will not be. I
> also know that there have been discussions of hiding identifiers from
> intermediaries, and I would like to see that as an explicit goal of the
> proposed WG.
I think there is also an aspect of "tracked by whom" which needs to be
considered.
Today a user is likely to have different concerns about being tracked by
e.g., Facebook or Google when they are logged in to their account than
being tracked by a 3rd party such as an ISP or nation state. In the same
way an (industrial) IoT device might need to be tracked by the owner of
that device, without it being trackable by a 3rd party.
There might be an implicit assumption in the IDEAS work that there will
be a global id->loc database readable by all, the same way we think of
the global DNS. But I think that this would be overly limiting and push
us into a black or white privacy vs. functionality discussion.
Elsewhere I see IETF protocols like EVPN which is used to advertise
(factory assigned and permanent) Ethernet MAC addresses in BGP, which is
global. However, the way that protocol is deployed, the distribution of
the EVPN routes is constrained (by BGP configuration) to the domain
which should have access to such information. The notion of having a
distribution/lookup/mapping technology which is capable of being global,
i.e., not tied to technology, but where the information sharing is
restricted by policy makes a lot of sense to me. This policy could be
some notion of closed user groups.
Thus I think we should collectively look at a combination of approaches
which includes the MP-TCP-like locator agility with its privacy
protection and also cryptographically strong identifiers in IDEAS with
privacy protection designed in from day one.
My 2 cents,
Erik
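The "global mapping technology, policy-restricted sharing" idea from the message above, as an added illustration that is not part of the thread and not IDEAS WG code: a toy id->loc mapping service where each entry is tagged with a closed user group, a resolver only learns a locator if it belongs to that group, and an unauthorized lookup gets the same answer as a lookup for an identifier that does not exist (so the service does not become an existence oracle for identifiers). The class, method and group names are hypothetical; the registered entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MappingEntry:
    """One id->loc binding plus the closed user group allowed to resolve it."""
    identifier: str
    locator: str
    group: str


class PolicyMappingService:
    """Hypothetical id->loc mapping service with per-entry closed user groups.

    The store itself could be replicated globally; what limits tracking is
    that resolution is gated by group membership, not by where the data sits.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, MappingEntry] = {}
        self._membership: Dict[str, Set[str]] = {}
        # Audit trail of (requester, identifier, outcome) for detection/review.
        self.audit: List[Tuple[str, str, str]] = []

    def register(self, identifier: str, locator: str, group: str) -> None:
        self._entries[identifier] = MappingEntry(identifier, locator, group)

    def join_group(self, requester: str, group: str) -> None:
        self._membership.setdefault(requester, set()).add(group)

    def resolve(self, requester: str, identifier: str) -> Optional[str]:
        """Return the locator, or None for both 'unknown' and 'not allowed'."""
        entry = self._entries.get(identifier)
        allowed = entry is not None and entry.group in self._membership.get(requester, set())
        if not allowed:
            # Deliberately indistinguishable from a miss: a third party cannot
            # use the lookup to confirm that an identifier exists at all.
            self.audit.append((requester, identifier, "denied"))
            return None
        self.audit.append((requester, identifier, "ok"))
        return entry.locator

    def denied_lookups(self, requester: str) -> int:
        """Count of denied lookups by one requester (a simple enumeration signal)."""
        return sum(1 for r, _, out in self.audit if r == requester and out == "denied")


def build_demo_service() -> PolicyMappingService:
    """Constructed sample deployment: one IoT owner group and one outsider."""
    svc = PolicyMappingService()
    # Constructed identifiers/locators, not real addresses.
    svc.register("sensor-0001", "2001:db8:1::10", group="plant-a-owner")
    svc.register("sensor-0002", "2001:db8:1::11", group="plant-a-owner")
    svc.join_group("owner-controller", "plant-a-owner")
    return svc


def demo() -> Dict[str, Optional[str]]:
    """Run owner and outsider lookups; returns the outcomes for inspection."""
    svc = build_demo_service()
    return {
        "owner_known": svc.resolve("owner-controller", "sensor-0001"),
        "owner_unknown": svc.resolve("owner-controller", "sensor-9999"),
        "outsider_known": svc.resolve("isp-probe", "sensor-0001"),
        "outsider_unknown": svc.resolve("isp-probe", "sensor-9999"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the example is the policy boundary, not the storage: the same table could be served from anywhere, and the audit list gives a defender a place to spot a requester that keeps probing identifiers it is not entitled to resolve.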