Just chiming in on Martin's last point ...
On Tue, Nov 28, 2017 at 12:51 AM, Martin Thomson <martin.thomson@xxxxxxxxx> wrote:
6.4
This mentions nothing of padding. Padding is available in HTTP/2 and
TLS 1.3, plus many other protocols. It at least deserves some
recognition, even if it isn't widely deployed (outside of some
relatively specialized uses, that is). There's a whole RFC on traffic
analysis and countermeasures missing from our dialogue here, but a
mention is probably wise.
I've been talking with the IESG since at least our retreat in May, about the need for (some value of) us to up-level our discussion so that we're providing general guidance about privacy, and not just arguing about privacy on every document where someone notices something (too often, during IETF Last Call or IESG Evaluation).
If Martin's point is that we don't have an appropriate document to point to as something like a canonical checklist, it would be great if that changed. I don't know if a BCP is the right thing to do, but if an RFC providing guidance already exists, it's not jumping out at me.
Mirja and I hosted Mike Perry from the Tor Project to talk about "Privacy and Traffic Analysis Resistance for Encrypted Protocols" to TSVAREA at IETF 98, for instance, and that was very helpful, but ISTM that pointing people to a PowerPoint presentation (Privacy and Traffic Analysis Resistance for Encrypted Protocols) or MeetEcho recording (https://www.youtube.com/watch?v=0tvKH_Cnvwg&list=PLC86T-6ZTP5jo6kIuqdyeYYhsKv9sUwG1&index=84, beginning at about 1:11 from the beginning) may not be the best we could do ...
Thoughts from others?
Spencer, as TSV AD, responsible AD for QUIC, and apparently the Spin Bit AD ...