Re: [hrpc] Human Rights Research Group Call on draft-irtf-hrpc-research-07

["Bless, Roland (TM)" <roland.bless@kit.edu>]

Hi,

> There are some inaccuracies with the vocabulary section and I have
> several comments for section 4. I'll come back to that later in more detail.

Here we go...
Since other work prevented me to follow the hrpc list closely in the
last weeks, I apologize for repeating some comments that others already
made.

Abstract:
---------
IMHO the abstract should not start with a "list of sections" it
provides. It should rather start with the main issue of providing
considerations on human rights in protocols (or protocol design),
comprising proposals for consideration guidelines, vocabulary,
and a description of the methodology as well as a coarse literature review.

Introduction:
-------------
I find it a bit confusing to directly start with citations without
setting the context first, so probably move the citations somewhere
into the text, where they fit.

In a broader sense, protocols touch also other values, not only
human rights. So probably, a short motivation should be given, why
this draft/RG concentrates on human rights.

While the draft talks a lot about human rights, it doesn't list
a few of them as examples (e.g., at least those used later in section
4). Therefore, I propose to extend the vocabulary and also define
"human rights" there (it's ok to list some of them and repeat the
references for further details...).

Typo: "This has led to an broad" -> "This has led to a broad"

"The purpose of the Internet to be a global network of networks that
provides unfettered connectivity to all users and for any content
[RFC1958]." -> I couldn't find this statement in RFC 1958.
(general comment: please be more accurate when you cite documents, this
also applies to several other places, esp. in the vocabulary, see below).
RFC 1958 talks about connectivity as a goal of the Internet
architecture, but doesn't mention "unfettered connectivity to all users
and for any content".

"Additionally, access to information gives people access to knowledge..."
-> probably qualify this by using "generally accessible information"
or "freely available information" (some information on the Internet
isn't freely accessible or available for all on purpose).

"In order to do this it is crucial that the rights impacts are clearly
documented in order to mitigate the potential harm in a proportional
way." -> I find this statement problematic.
Sometimes the impacts are complicated since several rights
may be affected at once. Moreover, how to actually balance between
conflicts isn't clear at all sometimes.
So I don't know what "mitigate the potential harm in a _proportional
way_" actually means nor how to achieve it...

Vocabulary:
-----------
"Authenticity" -> while other security terms are taken from RFC 4949,
this one isn't (any other reference for this particular definition?).
Usually Authenticity includes data integrity as defined
in RFC4949 (just stating that it is strongly linked with integrity
is IMHO a bit too weak).

Censorship isn't defined but used in the definition of Censorship
resistance.

Confidentiality: the definition isn't correct (unintended ->
unauthorized) and also isn't taken literally from RFC 4949 although
referenced... better replace it with the definition from RFC4949.

End-to-End:
- Typo "principal -> principle"
- This definition here mixes "end-to-end transparency" issues with
  the "end-to-end argument in systems design" (the Saltzer, Reed, Clark
  paper). I think it is indeed
  clearer to separate the two (see also
https://tools.ietf.org/html/rfc2775 and
https://tools.ietf.org/html/rfc4924).