Re: [auth48] [ISE] Re: AUTH48: RFC-to-be 9446 <draft-farrell-tenyearsafter-05> for your review

[Stephen Farrell <Stephen.Farrell@tcd.ie>]

Hiya,

I'm on holiday but will respond to this at the weekend when back home,

Cheers,
S.


Sent from Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org>
Sent: Wednesday, July 12, 2023 1:00:44 AM
To: stephen.farrell@cs.tcd.ie <stephen.farrell@cs.tcd.ie>; farzaneh.badii@gmail.com <farzaneh.badii@gmail.com>; schneier@schneier.com <schneier@schneier.com>; smb@cs.columbia.edu <smb@cs.columbia.edu>
Cc: rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org>; rfc-ise@rfc-editor.org <rfc-ise@rfc-editor.org>; auth48archive@rfc-editor.org <auth48archive@rfc-editor.org>
Subject: [ISE] Re: AUTH48: RFC-to-be 9446 <draft-farrell-tenyearsafter-05> for your review

Authors,

While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file.

* Eliot (as ISE), please see #3 below.

1) <!-- [rfced] Steven, do you prefer your initials to be displayed as "S." or "S. M." in the header of the document?

-->


2) <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. -->


3) <!-- [rfced] Abstract. Elliot, given the following in the Acknowledgments section: "that of course doesn't mean that they necessarily agree with the text", should the Abstract or the Introduction have a disclaimer such as "The views expressed in this memo are those of the authors"?
-->


4) <!-- [rfced] Introduction. Does clarifying what caused the sea change in the suggested text below improve the readability of the following sentence?

Original:
   The breathtaking scope of the operations
   shocked the Internet technical community that was reflected in a sea
   change within the IETF, IAB, and other standards organizations.

Perhaps:
   The breathtaking scope of the operations
   shocked the Internet technical community, and this shock caused a sea
   change within the IETF, IAB, and other standards organizations.
-->


5) <!--[rfced] Section 2. Please consider how the passage regarding Jacob Appelbaum could be improved by providing more details.  Was Appelbaum's work with Poitras the films, "Citizenfour" and "Risk"?  The clause "who had not yet been accused of sexual assault by multiple women" seems unnecessary here. Should it be dropped?

Is there a reference that can be added to support the claim that Appelbaum received the implant catalog from someone besides Snowden? If no supporting references can be added, could the passage instead focus on Appelbaum's reporting and the impact it had? Perhaps add a reference to <https://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html> or <https://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html>. Or perhaps the focus should be on the implant catalog and your analysis <https://www.schneier.com/tag/exploit-of-the-day/>?

Original:

   Jake Appelbaum, who
   had not yet been accused of sexual assault by multiple women, was
   working with Poitras.  He partnered with Spiegel to release an
   implant catalog from the NSA’s Tailored Access Operations group.  To
   this day, I am convinced that that document was not in the Snowden
   archives: that Jake got it somehow, and it was released with the
   implication that it was from Edward Snowden.
-->


6) <!-- [rfced] Section 2. Please provide expansions for the conference acronyms in the sentence below:

Current:
   When I got back from Rio, I gave talks at a private conference in
   Woods Hole, the Berkman Center at Harvard, something called the
   Congress and Privacy and Surveillance in Geneva, events at both CATO
   and New America in DC, an event at the University of Pennsylvania, an
   event at EPIC, a "Stop Watching Us" rally in DC, the RISCS conference
   in London, the ISF in Paris
-->


7) <!-- [rfced] Section 2. Would you like to provide a short list of examples here, or should the phrase "for example" be removed from the last sentence of the paragraph?

Original:
   What struck me at the IETF was the indignation in the room, and the
   calls to action.  And there was action, across many fronts.  We
   technologists did a lot to help secure the Internet, for example.
-->


8) <!-- [rfced] Section 3. Does rewording the following to focus on IETF participants improve the readability of the sentence?

Original:
   As for the IETF's reaction, informal meetings during the July 2013
   IETF meeting in Berlin indicated that IETF participants considered
   that these revelations showed that we needed to do more to improve
   the security and privacy properties of IETF protocols ...

Perhaps:
   As for the IETF's reaction, IETF participants met informally during
   the July 2013 IETF meeting in Berlin to discuss these revelations,
   which showed that we needed to do more to improve the security and
   privacy properties of IETF protocols ...
-->


9) <!-- [rfced] Section 4. Does the following sentence say that policies and technical means have not been used to positively impact human rights and that the Snowden revelations didn't revolutionize the use of policies and technical means to do so? To whom does "our" refer to?

Original:
   Snowden revelations did not have a
   revolutionary effect on our approach towards not using policies and
   technical means that have an effect on human rights, such as freedom
   of expression, freedom of association and assembly and privacy.

Possibly:
   The Snowden revelations did not revolutionize the use of policies
   a technical means to support human rights such as freedom
   of expression, freedom of association and assembly, and privacy.
-->


10) <!-- [rfced] Section 4. FYI, the first sentence below is a fragment. Please let us know how to update it.

Original:
   A range of European Union laws that aims to
   address online safety or concentration of data.  There are many more
   regulations that have an impact on the Internet.

Perhaps:
   A range of European Union laws aims to
   address online safety or concentration of data. There are many more
   regulations that have an impact on the Internet.
-->


11) <!-- [rfced] Section 4. Does the following suggestion improve the readability of the passage?

Original:
   It might have also expedited and helped with
   more easily convening the Human Rights Protocol Considerations
   research group in the Internet Research Task Force (IRTF).  Co-
   chaired by Niels ten Oever (who worked at Article 19 at the time) and
   Internet governance activist Avri Doria, the Internet Research Task
   Force in July 2015 chartered a Research Group on "Human Rights
   Protocol Considerations" (the HRPC RG).  The charter of the HRPC RG
   stated that the group was established: "to research whether standards
   and protocols can enable, strengthen or threaten human rights, as
   defined in the UDHR and the International Covenant on Civil and
   Political Rights (ICCPR)."

Perhaps (removing some redundant text, clarifying that ten Oever and
Doria co-chaired the RG originally, and expanding UDHR):
   It might have also expedited and helped with
   more easily convening the Human Rights Protocol Considerations
   Research Group (HRPC RG) in the Internet Research Task Force (IRTF)
   in July 2015. The HRPC RG was originally co-chaired by Niels ten
   Oever (who worked at Article 19 at the time) and Internet governance
   activist Avri Doria. The charter of the HRPC RG states that the group
   was established: "to research whether standards and protocols can
   enable, strengthen, or threaten human rights, as defined in the
   Universal Declaration of Human Rights (UDHR) and the International
   Covenant on Civil and Political Rights (ICCPR)."
-->


12) <!-- [rfced] Section 4. Please help us clarify the following sentence.  Does DoH contribute to the fight against censorship?

Original:
   For instance, we still have doubts about implementing DNS over HTTPS
   without seriously considering its contributions to fight with
   censorship and bring encryption to DNS queries.
-->


13) <!-- [rfced] Section 5.1. Regarding the following note to the RFC Editor:

   Also, the authors have requested that you provide specific guidance on
   the spelling of arabic names, specifically those in the following
   sentence:

   In the 9th century, Abu Yusuf Ya’qub ibn ‘Ishaq aṣ-Ṣabbah al-
   Kindh developed and wrote about frequency analysis as a way to crack
   ciphers [Borda2011],[Kahn1996].

Our research indicates that the following is the more typical spelling
found in English, and we have updated the document accordingly:

   Abū Yūsuf Yaʻqūb ibn ʼIsḥāq aṣ-Ṣabbāḥ al-Kindī
-->


14) <!-- [rfced] Section 5.2. Does the following update to reword "that that" improve the readability of the sentence?

Original:
   NSA denied tampering with the design; a
   Senate investigating committee found that that was correct...

Perhaps:
   NSA denied tampering with the design; a
   Senate investigating committee found that assertion to be
   correct...
-->


15) <!-- [rfced] Informative References. FYI, we have provided proceedings information for the following. Please let us know if any updates are necessary.

Original:
   [LE]       Aas, J., Barnes, R., Case, B., Durumeric, Z., Eckersley,
              P., Flores-López, A., Halderman, A., Hoffman-Andrews, J.,
              Kasten, J., Rescorla, E., Schoen, S. D., and B. Warren,
              "Let's Encrypt - an automated certificate authority to
              encrypt the entire web", 2019,
              <https://dl.acm.org/doi/pdf/10.1145/3319535.3363192>.

Current:
   [LE]       Aas, J., Barnes, R., Case, B., Durumeric, Z., Eckersley,
              P., Flores-López, A., Halderman, A., Hoffman-Andrews, J.,
              Kasten, J., Rescorla, E., Schoen, S. D., and B. Warren,
              "Let's Encrypt: An Automated Certificate Authority to
              Encrypt the Entire Web", CCS '19: Proceedings of the 2019
              ACM SIGSAC Conference on Computer and Communications
              Security, November 2019,
              <https://dl.acm.org/doi/pdf/10.1145/3319535.3363192>.
-->


16) <!-- [rfced] Informative References. We note that the URLs provided for ACM publications are inconsistent. Some point to acm.org; others point to personal websites. May be update the URLs to point to acm.org? The PDFs are freely available from that site.

Original:
   [Adrian2015]
              Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P.,
              Green, M., Halderman, J. A., and N. Heninger, "Imperfect
              Forward Secrecy: How Diffie-Hellman Fails in Practice.",
              Proceedings of the 22th ACM Conference on Computer and
              Communications Security (CCS), 2015,
              <https://weakdh.org/imperfect-forward-secrecy.pdf>.

   [Blaze1994]
              Blaze, M., "Protocol Failures in the Escrowed Encryption
              Standard", Proceedings of Second ACM Conference on
              Computer and Communications Security, 1994,
              <http://www.mattblaze.org/papers/eesproto.pdf>.

   [Checkoway2016]
              Checkoway, S., Maskiewicz, J., Garman, C., Fried, J.,
              Cohney, S., Green, M., Heninger, N., Weinmann, R. P.,
              Rescorla, E., and Hovav Shacham, "A Systematic Analysis of
              the Juniper Dual EC Incident", Proceedings of the 2016 ACM
              SIGSAC Conference on Computer and Communications
              Security 468-79, 2016,
              <https://dl.acm.org/citation.cfm?id=2978395>.

   [LE]       Aas, J., Barnes, R., Case, B., Durumeric, Z., Eckersley,
              P., Flores-López, A., Halderman, A., Hoffman-Andrews, J.,
              Kasten, J., Rescorla, E., Schoen, S. D., and B. Warren,
              "Let's Encrypt - an automated certificate authority to
              encrypt the entire web", 2019,
              <https://dl.acm.org/doi/pdf/10.1145/3319535.3363192>.
-->


17) <!-- [rfced] Informative References. We note that the author's name for "Sanctions and the Internet" is given as Farzaneh Badiei. We have updated the author information to match the document, but have left the cite tag as [Badii2023].  Please let us know if any updates are necessary.

Original:
   [Badii2023]
              Badii, F., "Sanctions and the Internet", 2023,
              <https://digitalmedusa.org/wp-content/uploads/2023/05/
              SanctionsandtheInternet-DigitalMedusa.pdf>.

Current:
   [Badii2023]
              Badiei, F., "Sanctions and the Internet", Digital Medusa,
              2023, <https://digitalmedusa.org/wp-
              content/uploads/2023/05/SanctionsandtheInternet-
              DigitalMedusa.pdf>.
-->


18) <!-- [rfced] Normative References. FYI, RFC 7540 has been obsoleted by RFC 9113.  We have updated the reference. Please let us know if any changes are necessary.

Original:
   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <https://www.rfc-editor.org/info/rfc7540>.

Current:
   [RFC9113]  Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
              DOI 10.17487/RFC9113, June 2022,
              <https://www.rfc-editor.org/info/rfc9113>.
-->


19) <!-- [rfced] Normative References. The I-D draft-farrelll-mpls-opportunistic-encrypt was replaced by draft-ietf-mpls-opportunistic-encrypt (also expired). Would you like to update the reference?

Original:
   Of course, not all such initiatives bore fruit, for example attempts
   to define a new MPLS encryption mechanism
   [I-D.farrelll-mpls-opportunistic-encrypt] foundered due to a lack of
   interest and the existence of the already deployed IEEE MACSEC
   scheme.

   [I-D.farrelll-mpls-opportunistic-encrypt]
              Farrel, A. and S. Farrell, "Opportunistic Security in MPLS
              Networks", Work in Progress, Internet-Draft, draft-
              farrelll-mpls-opportunistic-encrypt-05, 17 June 2015,
              <https://datatracker.ietf.org/doc/html/draft-farrelll-
              mpls-opportunistic-encrypt-05>.
-->


20) <!-- [rfced] Informative References. FYI, RFC 7484 has been obsoleted by RFC 9224.  We have updated the reference accordingly. Please let us know if any updates are necessary.

Original:
   [RFC7484]  Blanchet, M., "Finding the Authoritative Registration Data
              (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
              2015, <https://www.rfc-editor.org/info/rfc7484>.

Current:

   [RFC9224]  Blanchet, M., "Finding the Authoritative Registration Data
              Access Protocol (RDAP) Service", STD 95, RFC 9224,
              DOI 10.17487/RFC9224, March 2022,
              <https://www.rfc-editor.org/info/rfc9224>.
-->


21) <!-- [rfced] Terminology. Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed.  For example, please consider whether the following should be updated: dummy, dumb, black bag, etc.
-->


Thank you.

RFC Editor/jm



On 7/11/23 5:55 PM, rfc-editor@rfc-editor.org wrote:

*****IMPORTANT*****

Updated 2023/07/11

RFC Author(s):
--------------

Instructions for Completing AUTH48

Your document has now entered AUTH48.  Once it has been reviewed and
approved by you and all coauthors, it will be published as an RFC.
If an author is no longer available, there are several remedies
available as listed in the FAQ (https://www.rfc-editor.org/faq/).

You and you coauthors are responsible for engaging other parties
(e.g., Contributors or Working Group) as necessary before providing
your approval.

Planning your review
---------------------

Please review the following aspects of your document:

*  RFC Editor questions

   Please review and resolve any questions raised by the RFC Editor
   that have been included in the XML file as comments marked as
   follows:

   <!-- [rfced] ... -->

   These questions will also be sent in a subsequent email.

*  Changes submitted by coauthors

   Please ensure that you review any changes submitted by your
   coauthors.  We assume that if you do not speak up that you
   agree to changes submitted by your coauthors.

*  Content

   Please review the full content of the document, as this cannot
   change once the RFC is published.  Please pay particular attention to:
   - IANA considerations updates (if applicable)
   - contact information
   - references

*  Copyright notices and legends

   Please review the copyright notice and legends as defined in
   RFC 5378 and the Trust Legal Provisions
   (TLP – https://trustee.ietf.org/license-info/).

*  Semantic markup

   Please review the markup in the XML file to ensure that elements of
   content are correctly tagged.  For example, ensure that <sourcecode>
   and <artwork> are set correctly.  See details at
   <https://authors.ietf.org/rfcxml-vocabulary>.

*  Formatted output

   Please review the PDF, HTML, and TXT files to ensure that the
   formatted output, as generated from the markup in the XML file, is
   reasonable.  Please note that the TXT will have formatting
   limitations compared to the PDF and HTML.


Submitting changes
------------------

To submit changes, please reply to this email using ‘REPLY ALL’ as all
the parties CCed on this message need to see your changes. The parties
include:

   *  your coauthors

   *  rfc-editor@rfc-editor.org (the RPC team)

   *  other document participants, depending on the stream (e.g.,
      IETF Stream participants are your working group chairs, the
      responsible ADs, and the document shepherd).

   *  auth48archive@rfc-editor.org, which is a new archival mailing list
      to preserve AUTH48 conversations; it is not an active discussion
      list:

     *  More info:
        https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc

     *  The archive itself:
        https://mailarchive.ietf.org/arch/browse/auth48archive/

     *  Note: If only absolutely necessary, you may temporarily opt out
        of the archiving of messages (e.g., to discuss a sensitive matter).
        If needed, please add a note at the top of the message that you
        have dropped the address. When the discussion is concluded,
        auth48archive@rfc-editor.org will be re-added to the CC list and
        its addition will be noted at the top of the message.

You may submit your changes in one of two ways:

An update to the provided XML file
 — OR —
An explicit list of changes in this format

Section # (or indicate Global)

OLD:
old text

NEW:
new text

You do not need to reply with both an updated XML file and an explicit
list of changes, as either form is sufficient.

We will ask a stream manager to review and approve any changes that seem
beyond editorial in nature, e.g., addition of new text, deletion of text,
and technical changes.  Information about stream managers can be found in
the FAQ.  Editorial changes do not require approval from a stream manager.


Approving for publication
--------------------------

To approve your RFC for publication, please reply to this email stating
that you approve this RFC for publication.  Please use ‘REPLY ALL’,
as all the parties CCed on this message need to see your approval.


Files
-----

The files are available here:
   https://www.rfc-editor.org/authors/rfc9446.xml
   https://www.rfc-editor.org/authors/rfc9446.html
   https://www.rfc-editor.org/authors/rfc9446.pdf
   https://www.rfc-editor.org/authors/rfc9446.txt

Diff file of the text:
   https://www.rfc-editor.org/authors/rfc9446-diff.html
   https://www.rfc-editor.org/authors/rfc9446-rfcdiff.html (side by side)

Diff of the XML:
   https://www.rfc-editor.org/authors/rfc9446-xmldiff1.html

The following files are provided to facilitate creation of your own
diff files of the XML.

Initial XMLv3 created using XMLv2 as input:
   https://www.rfc-editor.org/authors/rfc9446.original.v2v3.xml

XMLv3 file that is a best effort to capture v3-related format updates
only:
   https://www.rfc-editor.org/authors/rfc9446.form.xml


Tracking progress
-----------------

The details of the AUTH48 status of your document are here:
   https://www.rfc-editor.org/auth48/rfc9446

Please let us know if you have any questions.

Thank you for your cooperation,

RFC Editor

--------------------------------------
RFC9446 (draft-farrell-tenyearsafter-05)

Title            : Reflections on Ten Years Past The Snowden Revelations
Author(s)        : S. Farrell, F. Badii, B. Schneier, S. Bellovin
WG Chair(s)      :
Area Director(s) :