IETF Logo Mail Archive

Re: [hrpc] Working group last call for draft-irtf-hrpc-guidelines

Mallory Knodel <mknodel@cdt.org> Fri, 09 July 2021 11:14 UTC

Return-Path: <mknodel@cdt.org>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D01953A1D57 for <hrpc@ietfa.amsl.com>; Fri, 9 Jul 2021 04:14:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Level:
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2fc0BqDPZok for <hrpc@ietfa.amsl.com>; Fri, 9 Jul 2021 04:14:12 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A3733A1D56 for <hrpc@irtf.org>; Fri, 9 Jul 2021 04:14:11 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id 9so8918282qkf.3 for <hrpc@irtf.org>; Fri, 09 Jul 2021 04:14:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to; bh=+rmHV0h0wO5xd8OAtp/XuMK3LzFdzg2SsOtRnlbhWLQ=; b=WEp+Gt7ABbg8IYfzUUTCmpzB+XSpWKBb8wIM2ixnec+h42g5YaFYhLUH3dkEL8YXi2 U+IopfudqRNrRGWjUwXN9SIJa0gB7K+SnA0HLFsukghmYZeFpL4DmIwP00lERRrPtofS Cp5em8UpIo3zy1I2wx/PkdZb19Z26ieigo3Mg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to; bh=+rmHV0h0wO5xd8OAtp/XuMK3LzFdzg2SsOtRnlbhWLQ=; b=DH/Ue1JcQPwBbsT8Uu/8hB/FZchcDXNWZi/9j/6c/Hn479YkDMCDBS6X7m6r18HwIG CX6KBsVJGlRcFHDCQZm0HHlaSzuUJk/GLPS6hpUcNQCn8Beg81SRtDot/RoCMtdEIZit cnR5hfqbB4duLsLrto/db2T8Jsx5s7YyDoufeQx+g1ZYqC58RErPXuO57Gh5Vb9k1t47 kmE6qdQyFqKeviMvMKGz6yW70FuozUNuJcD2yGnQuPXlrnUd0Z/gOMFV3sdVy7k7YNen RkQwI+v1X8yatEAOcbqCj6FlWHPJUmwKDySSqDFvJJ3BQSis7nvChufa81rRRHJNgMV4 1leg==
X-Gm-Message-State: AOAM532MyPk0ZHcmFx0q+I8tVYxdtNkSe7DMFO9V6w/0cN26OxZKRBzz 6ApvGwoFwNgY3Iyo7WMFN6dSFw==
X-Google-Smtp-Source: ABdhPJyplYSIyPk5sqsDDdru7YRXozPUCBa1pkLw/XtRC4mfM4YAVRTSe3f+CG2PsQaKVH8FzbMEsw==
X-Received: by 2002:a37:678d:: with SMTP id b135mr37451508qkc.17.1625829249635; Fri, 09 Jul 2021 04:14:09 -0700 (PDT)
Received: from [192.168.0.130] (c-73-163-188-207.hsd1.dc.comcast.net. [73.163.188.207]) by smtp.gmail.com with UTF8SMTPSA id g76sm2314041qke.127.2021.07.09.04.14.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 09 Jul 2021 04:14:09 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------OmR8epDYIgYR5phhldM0Qnl6"
Message-ID: <25c82286-2ecb-de01-6258-334371e4c14a@cdt.org>
Date: Fri, 09 Jul 2021 07:14:07 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Thunderbird/90.0
Content-Language: en-US
To: Eliot Lear <lear@lear.ch>, Gurshabad Grover <gurshabad@cis-india.org>, Mallory Knodel <mallory@cdt.org>
Cc: "hrpc@irtf.org" <hrpc@irtf.org>
References: <447c4444-800b-dfb9-de3e-bbbe3bb4ac64@lear.ch> <6b540117-38a6-fbfa-3749-048d14b34f38@cis-india.org> <1f5df69e-1efd-aa66-0530-a8f8c7fcc6db@lear.ch>
From: Mallory Knodel <mknodel@cdt.org>
In-Reply-To: <1f5df69e-1efd-aa66-0530-a8f8c7fcc6db@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/0uBu7JKUZUtBWK67a97feoF9IHE>
Subject: Re: [hrpc] Working group last call for draft-irtf-hrpc-guidelines
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 11:14:17 -0000

Hi all,

Thanks so much for the reviews that came in last call.

After talking with Gurshabad, I am going to move this draft toward 
publication. Most suggestions below are about including examples, so 
keeping in tact some of that remaining discussion open for other 
reviews, such as in the IRSG, will be part of the detail that I pass on.

Thanks all,

-Mallory

On 7/1/21 9:53 AM, Eliot Lear wrote:
>
> Hi Gurshabad,
>
> Thanks for your responses.  Please see below.
>
>
>>> For "Impacts"-
>>>
>>> These impacts are claimed, both here and in 8280, but the linkage isn't
>>> explicitly made in each case.  Are these linkages made clear somewhere
>>> else?  I may have entirely missed it, in which case this issue isn't an
>>> issue at all.  Otherwise, one wonders if we are putting the cart before
>>> the horse.
>>>
>> I think the explanation and examples under each each sub-section of 2.3
>> are intended to make these links explicit. Are you referring to some
>> other sort of links between rights and properties of protocols/specs?
>
> In reviewing Section 2.3, I think my confusion comes from the 
> examples.  Let's consider Section 2.3.1:
>
> The key point in the section is probably this sentence:
>
>>  However,
>>    protocols relying on middleboxes can create potential for abuse, and
>>    intentional and unintentional censoring, thereby influencing
>>    individuals' ability to communicate online freely and privately.
>
> A good example for middleboxes is actually Email, not NATs or 
> firewalls, because the tradeoffs for email are most plain. Email 
> provides a point of rendezvous to enable scaling. Furthermore, having 
> email servers, as opposed to directly delivering to end devices, has 
> additional security benefits to reduce spamming, phishing, and malware 
> attacks.  But those same middleboxes that scan for bad behaviors could 
> scan for politically sensitive content, and thus infringe on people's 
> rights, because we have yet to find ways to properly scale end-to-end 
> encryption to the billions of people.
>
> There isn't that much of a tradeoff for NATs these days- nobody likes 
> them architecturally, but I think people would be hard pressed to 
> demonstrate harm to human rights.  Moreover, NATs are designed to be 
> transparent to most – but not all – protocol transactions.  and so 
> there isn't much of a tradeoff, and this makes people scratch their 
> heads when relating a NAT to "Right to freedom of assembly and 
> association".
>
> In fact, arguably this section should probably focus on applications 
> and social network sites, where this tussle has played out in far more 
> dramatics style over the last several years.  Consider the tradeoffs 
> of a wildly popular IM application, which makes great use of 
> middleboxes (there isn't really an IM system that doesn't).
>
>> As I understand it, we are not proposing an ideal workflow as such. We
>> are just listing out some assessment frameworks (which may be used
>> independently or in conjunction with each other).
>
> Up to you.
>
>>> A few of the examples seem to me a bit disjoint from the IETF.  I think
>>> we talked about Accessibility at some point, but an example more
>>> relevant to the IETF might help people grasp the more direct relevance
>>> to the organization.  I don't have a particularly good example of this,
>>> but there should at least be an existence proof of the relevance to
>>> us... unless...
>>>
>>> ... you want the guidance to be broader than just the IETF.  I see
>>> absolutely nothing wrong with that, but you should scrub the doc then to
>>> make sure that IETF-specific stuff is generalized.  An example might be
>>> to replace "protocol" with "specification".
>>>
>> I don't think we're saying this explicitly anywhere, but that's
>> deliberate. Since IETF is not the only place where protocols are made, I
>> think that this vagueness is acceptable. Of course, one of the primary
>> goals for the document remains that it is usable by people at IETF.
>>
>> That said, I think we were at consensus that the guidelines are not just
>> relevant to protocols, but specifications (an example at IETF would be
>> specifications that lay out an architecture but not a protocol) in the
>> broad area of networking. For instance, I think the group has used the
>> guidelines to review the MLS architecture and SUIT architecture. Made
>> some changes to say 'specification' instead of protocol where relevant.
>
>
> Well... as it happens I just laid out two examples for you above ;-)  
> Use them if you like.
>
>
>>> Section 2.3.13
>>>
>>> I don't know that we have *any* real success stories for
>>> decentralization.  HTTP certainly isn't one.  Certainly designing
>>> *toward* centralization might be best, but I don't think we have very
>>> many examples of that *either.*  Moreover, I have argued, and continue
>>> to argue, that some centralization may *facilitate* human rights.  If
>>> you take into account the combination of DOH + cloud, an observer must
>>> go to far greater lengths to discern even so much as the nature of the
>>> traffic, much less content and actual endpoint.
>>>
>>> And this raises another issue: the point of much of cloud services is to
>>> improve individual service reliability.  And yet those same cloud
>>> services are a form of centralization.  If you consider that perhaps a
>>> handful of players might force DNS traffic to a limited number of
>>> resolver services, we might also say that DoH itself presents
>>> centralization risks.
>>>
>>> These sorts of conflicts are of course to be expected.  The question is
>>> whether it is worth providing guidance relating to centralization.  I
>>> will claim that nobody yet has a real handle in this area, and so better
>>> to say nothing in the form of guidance.  Instead, it seems to me to be
>>> good fodder for future work.
>>>
>> I don't think I have a strong opinion about this. Before making any
>> changes in this section, however, I'd love to hear what others think.
>
>
> Ok.
>
>
>>> 2.3.17 Authenticity
>>>
>>> The authors write:
>>>
>>>>     At the same time, authentication should not be used as a way to
>>>>     prevent heterogeneity support, as is often done for vendor lock-in or
>>>>     digital rights management.
>>> As if that should be the #1 concern.  Perhaps a bigger concern is that
>>> authenticity directly conflicts with anonymity or pseudo-anonymity.  If
>>> someone is forcing you to authenticate, the authentication identity can
>>> and will be associated with whatever access takes place, and that
>>> information can be demanded.
>>>
>>> Furthermore,  I'm not at all sure that the example holds up, and it
>>> should be at least supported by a current reference.  Finally, there are
>>> conflicts here as well: the technology that one might use for vendor
>>> lock-in is  the same as that used to validate the authenticity of
>>> software, for purposes of preventing malware spread.
>>>
>>> Also, the question itself is a bit shallow.  Authenticity of what?  If
>>> we are talking about the underlying data, a mere transport connection
>>> may not in and of itself provide sufficient protection.  We have plenty
>>> of mail traversing encrypted tunnels and lots of spam to go with.
>>>
>> I agree that identity authentication can be at odds with
>> anonymity/pseudonymity, but this section is not about that. I re-read
>> the text and example in this section, and to me it's clear that it's
>> more to do with transport/data authenticity than identity
>> authentication. Would love to hear your thoughts on how we can make this
>> even clearer if it's cause for confusion.
>
> At the high level, it is that very conflict of identity authentication 
> which itself provides for data authenticity (that's how Bob knows that 
> it was Alice who sent the message) versus anonimity/pseudonymity 
> (that's how others might know that it was Alice who sent that message) 
> that has to be laid out. The work of TLS 1.3 in particular was all 
> about *not* revealing Alice's identity unless the other end is 
> authorized to see it. That's probably worth capturing a bit better.  
> This is probably where I would focus the section.  It's not an easy 
> topic, because peer to peer communications (as opposed to 
> client->server) require that someone has to reveal something to get 
> things going, at least using the currently scaled technology.
>
> Also, the DRM discussion really is just a bit facile, and has to take 
> into account the very real possibility that in some cases, the end 
> user is considered the adversary.  Absent this model, services like 
> Netflix could not exist, for instance. Perhaps that's not a HR issue, 
> but vendor lock-in is such a complicated issue that attempting to 
> address it with a few throwaway lines isn't giving it appropriate 
> consideration.
>
>
>>> *Minor issues:*
>>>
>>> Beginning with Section 1:
>>>
>>>>    This is by no means an attempt to exclude specific rights or
>>>>     prioritize some rights over others.  If other rights seem relevant,
>>>>     please contact the authors.
>>> Are we are sufficiently taking into account how linkages to other rights
>>> might prevail?  Let me give an example:
>>>
>>> If we are talking about a new version of "whois" that retrieves
>>> information necessary for law enforcement, the whole point of the
>>> protocol is to expose information that some would say is private.  And
>>> so the question revolves around whether appropriate protections are in
>>> place to limit access to that information to authorized parties.
>>> However, even doing that may not be enough, if "authorized parties" are
>>> the source of abuse.  I don't know if such an example is an outlier, but
>>> there it is.
>>>
>>> Nit: the 2nd sentence will need to be changed or removed.
>> Removed the second sentence.
>>
>> Could you please elaborate on what you mean to demonstrate through the
>> example here (with respect to linkages of rights)?
>
> I attempted, apparently unsuccessfully, to do that with whois. This is 
> a tradeoff, and perhaps better documented by ICANN than I could 
> elaborate.  They've had an ongoing To Do with the EC and the GDPR, and 
> they are in a far better position to explain it.
>
> Regards,
>
> Eliot
>
-- 
Mallory Knodel
CTO, Center for Democracy and Technology
gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780

v2.39.1 | Report a Bug | By Email | System Status