IETF Logo Mail Archive

Re: [arch-d] Call for Comment: <draft-iab-privacy-partitioning-03> (Partitioning as an Architecture for Privacy)

Martin Thomson <mt@lowentropy.net> Mon, 09 October 2023 00:20 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9635FC14CEED for <architecture-discuss@ietfa.amsl.com>; Sun, 8 Oct 2023 17:20:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="en8A/ZkM"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="kn5pb1/C"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZG9rs1PbPZk for <architecture-discuss@ietfa.amsl.com>; Sun, 8 Oct 2023 17:20:17 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8E43C14F74A for <architecture-discuss@ietf.org>; Sun, 8 Oct 2023 17:20:17 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id BD83C5C02FB; Sun, 8 Oct 2023 20:20:14 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute6.internal (MEProxy); Sun, 08 Oct 2023 20:20:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm3; t=1696810814; x=1696897214; bh=1+ +xTwcuDe7xhnBjbcfxuhQ/j6Qi2fcUaN55Zhs/cI8=; b=en8A/ZkMCk3ThJcpId VpGyVbpidO1i+sLrP+//icGPDOPvRKfYqpMDm+4Bzwo9+Ri96Sz6i76TO5sHlKHh rmafjSHHkxpUAmg1sR6G6+u5DBDG3T8C+8BbxLDClkAu3JlE26VnARQeNUkgoWj2 0zOu2dEVyM1VsXAlhmgT7MYfumdr69QjAzMSXQ2vUnwmR6MQrDsJ0NrKQ95AoMCB O5QVSjs5XY3JaTKnAcC4HEvzt3Vqw1bo7h9bvGAzez8vNDLW3X+2UTY/qa9RhBkv j5AmkcT6H5k5gQzFU07foPOuqv3wkYszPdRcFF1OPLgsCsPxgcR9SHQYffiZ7pwc G6EA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; t=1696810814; x=1696897214; bh=1++xTwcuDe7xh nBjbcfxuhQ/j6Qi2fcUaN55Zhs/cI8=; b=kn5pb1/C6F3bjbqXXVkbKsEQO9ulJ JP2/ITpBB/eH9pQRDa5S/86Av7ZJpSqhfiylthgtkTJRLwryD+Ionxu4HXES2QzC 4fQ9GhW0mS2ss3NOegz1CM96zf/xwzXN9rVPDXjTb9cPm33q2z0jb1oBPo+wLjoi XysBz7cQiKBvgmW4QIP2Aqd9Yq3VcLRk+0w34blXpvnR2BRv4Qv7OdGzUASQYmX7 +nSZ2z005b0UK6kVA51jydBU4EhShK5iOODyLAZGd7dandcQ6GEmalqSlQHQ+tOu w8nrtNmM44B59UaFWm6hZfM/AkJiaQpJJ/9s1p5z9qV9fmL0yYKEWoceQ==
X-ME-Sender: <xms:PkcjZVSn79KdbwZDPC061xPVD68HsUfRdY-iivVXEJuv09Pc2H45Dw> <xme:PkcjZezSxYGN7TMaa6KESzisdHu3JeEON-UXOhWcNiWEI2VNx4xh-D2J2o0QDVMaF y45kFJoO9rn0a-WBUQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrhedvgdefgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhephfeitddtveeihfejjefgve efuedugffgkeevkeehueeggeelveekveektdfhueeinecuffhomhgrihhnpehivghtfhdr ohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:PkcjZa0uqw09SN9tcprrl_WH9h4Hiu3cu_uC2e_Zweec80oozStRnQ> <xmx:PkcjZdC5MfB4omrDYZFTc3AkXTlMOi2sAHh3qnNHbI2W9Uv6ZTuDxQ> <xmx:PkcjZejBINpAUuhbzQcf37khEMsWjarzaGv2A_CuyjyxXLJAf5vpfA> <xmx:PkcjZUf3YBhfu0fntp3dEGQKYiJV1k8_CmelbFHk6OmfkiSrfAbGQg>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 6EA3CBC0089; Sun, 8 Oct 2023 20:20:14 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-958-g1b1b911df8-fm-20230927.002-g1b1b911d
MIME-Version: 1.0
Message-Id: <2972d671-5a24-4b98-b4c6-ec5d2985f0c0@betaapp.fastmail.com>
In-Reply-To: <169661465706.21376.5494557288067922968@ietfa.amsl.com>
References: <169661465706.21376.5494557288067922968@ietfa.amsl.com>
Date: Mon, 09 Oct 2023 11:19:54 +1100
From: Martin Thomson <mt@lowentropy.net>
To: architecture-discuss@ietf.org, iab@iab.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/v-9tuagyKIgo2fZ9hEaoMrQYKLs>
Subject: Re: [arch-d] Call for Comment: <draft-iab-privacy-partitioning-03> (Partitioning as an Architecture for Privacy)
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2023 00:20:22 -0000

This document feels incomplete.  I'll give a few examples of applications of the general concept that aren't covered.

Separating identity from the right to communicate is a major concept that is not as fully explored as it could be.

This is something that the draft does discuss in a way, because it talks about using intermediaries to shield the identity of entities that wish to initiate communication.

The entire class of use for pseudonymous identifiers isn't really given a solid treatment.  I work with people who provide email aliases for privacy purposes.  There, the underlying concept is that an email address typically serves two distinct functions: a) an identifier, and b) authorization to communicate.

When creating temporary email addresses, especially when these are unique for each context, we break the identification part (a).  We give the recipient the means to communicate with us, but deny them the means to identify.  Identification means correlation across multiple contexts.  (As an aside, that's a failing in RFC 6973, which treats identification and correlation as distinct threats rather than facets of the same and distinct only in degree.)

A contextually-bound pseudonymous identifier provides no correlating power. Again, this relies on having intermediaries that can be trusted not to collude and reveal the true identity, so I believe that this qualifies as a partitioning.

The same basic idea also underpins Web Push (RFC 8030).  Websites are given the means to send push messages to user agents, but are denied the means of identification.  Here, the privacy guarantees are stronger than email because the intermediary does not need to be entrusted with viewing the message contents.  End-to-end protected email is possible, but email comes with very different expectations.

I believe that this identity separation concept is also a property that is inherent to ICN architectures, but I'm not as qualified to comment on that as others, including some IAB members.  Similarly, I believe that it would be possible to more fully capitalize on randomized IPv6 ULAs (RFC 4941), but there are folks on the IAB better positioned to handle that as well.

Finally, it is maybe not in scope, but I wonder how the authors perceive the relation between this work and contextual integrity.  It seems like maybe this is a foundational principle that is implied throughout, perhaps along with other principles.  However, it's not really clear which aspects of privacy are potentially responsive to the types of partitioning that are discussed.  There is missed opportunity here, I think. Just looking at specific privacy risks (those listed in Section 5 of RFC 6973 are a good start), it is obvious how partitioning helps (or doesn't) with some, but not all.

Cheers,
Martin

On Sat, Oct 7, 2023, at 04:50, IAB Executive Administrative Manager wrote:
> This is an announcement of an IETF-wide Call for Comment on 
> draft-iab-privacy-partitioning-03.
>
> The document is being considered for publication as an Informational 
> RFC within the IAB stream and is available for inspection at: 
> <https://datatracker.ietf.org/doc/draft-iab-privacy-partitioning/>
>
> The Call for Comment will last until 2023-11-03. Please send comments 
> to architecture-discuss@ietf.org and iab@iab.org.
>
> Abstract
>
>   This document describes the principle of privacy partitioning, which
>   selectively spreads data and communication across multiple parties as
>   a means to improve privacy by separating user identity from user
>   data.  This document describes emerging patterns in protocols to
>   partition what data and metadata is revealed through protocol
>   interactions, provides common terminology, and discusses how to
>   analyze such models.
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss

v2.23.0 | Report a Bug | By Email