Re: [hrpc] from “Security Considerations” to “Threat Model Considerations”?

Eric Rescorla <ekr@rtfm.com> Mon, 06 November 2023 12:19 UTC

On Mon, Nov 6, 2023 at 3:46 AM Cory Francis Myers <cfm@acm.org> wrote:

> The requirement for a “Security Considerations” section originates in
> RFC 2223 “Requirements to RFC Authors”.  The RFC 7322 style guide adds
> sections for IANA and internationalization considerations.
>
> draft-irtf-hrpc-guidelines (how to think about human-rights
> considerations) is not quite like RFC 3552 (how to write “Security
> Considerations” sections)—because the *need* to think about as well as
> articulate the latter is taken for granted.  What would it take to:
>
> 1. Add a “Human Rights Considerations” section?
>
> 2. Add a “Privacy Considerations” *and* a “Safety Considerations”
> section (per Stephanie Mikkelson’s slide today on safety, privacy,
> security by design[1])?
>
> 3. Broaden “Security Considerations” into “Threat Model
> Considerations”?[2]
>
>
> I’m oversimplifying on purpose!  My goal in asking this question is to
> understand the obstacles to establishing the parity of these criteria
> with security considerations.
>

It would require a Standards Track RFC, which is to say that the work
would need to happen in IETF, not in HRPC.

With that said, I don't think it's very likely that the IETF will require
either of these. When RFC 6793 was written there was an explicit decision
not to require Privacy Considerations in RFCs and I suspect that a Human
Rights Considerations Section would be even more difficult to come to
consensus on.

-Ekr



> If I’m retreading old or fraught ground, as I suspect I may be, I’d
> welcome pointers into the archives.
>
>
> Sincerely,
>
> Cory Myers.
>
>
> [1]:
>
> https://datatracker.ietf.org/meeting/118/materials/slides-118-hrpc-unfpa-gbv-tech-guidance-00.pdf
> (slide 15)
>
> [2]: Although this risks framing all of these considerations as strictly
> meliorative of harms, rather than affirmative protections of affirmative
> rights.