IETF Logo Mail Archive

Re: [hrpc] [irsg] Review of draft-irtf-hrpc-guidelines-13

Jane Coffin <jane@connecthumanity.fund> Tue, 27 September 2022 08:18 UTC

Return-Path: <jane@connecthumanity.fund>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 224C1C1524AE for <hrpc@ietfa.amsl.com>; Tue, 27 Sep 2022 01:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=connecthumanity-fund.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4RF7aO0A6K4 for <hrpc@ietfa.amsl.com>; Tue, 27 Sep 2022 01:18:43 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7B2C1522DA for <hrpc@irtf.org>; Tue, 27 Sep 2022 01:18:42 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id n124so11073243oih.7 for <hrpc@irtf.org>; Tue, 27 Sep 2022 01:18:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=connecthumanity-fund.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=ti3b3oiBpWJfFwOS245XR/M9ATp0kgKQT/SJjoG2Vzg=; b=1PttrAhzTxa4Llt5sTaQi1gJJJThNWHBup+iFX5m5CNdv1gPMGEa92WAN3SkVJLLfu XUQbtV5n7dDuyxMQjMVmrkYjpqNWtCtmmByW7YE9L/Y+jmXJrSJp5gMbfFTvC66vDwT3 FnP28PZK5mTxEW1gv91ieB1zT4CJ9u2pcgILJttPK5So3/a2wOP5vWma6j600+uX6IRv ebo6LwIS1EBbMo2ooLloIGh+pc4Fmcanswk/9t4gJB28hv1Rnek5fdPYZ6uy6cCUmdYz WaV1nREQGw20S8HHPcCxvKe6EWKIrVxGztFbozxPPsEwyYo4ENBT2xcoGYSkyR51vXZe bE8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=ti3b3oiBpWJfFwOS245XR/M9ATp0kgKQT/SJjoG2Vzg=; b=Nxad8ZvJ1gO67ZXUViwNuqxH3OVsuXB2NHB25vp22nayCnIPmdPNHZ35/LzTtqL5LA Lh8GZuweeDwwnqjdAkuZbo5Xemv502NNJVNs5P73G94q4s4+ptiz5kmzF3TqlaKxE02d RE3IxyjuFMSR2A0Tcr0EVzw4RePAK+cnxoauYUMLvQ7kU/eGTdlnDuq0j+xLINMGYwHx rn7fG4xSsWk4pP0LlPgKARLqICQ7wUdPqLY7ogafJVjoo9Caskog0ZLwhV3Tl2JYAfVN +upQM1FAhqPRePRB3CUCcdTn/1GuxEP2gWoBPhsKsp68K8Q8tbq2gA9HQH06W5Wt01qp eXDg==
X-Gm-Message-State: ACrzQf0ZlvFvj4qQxFN0LGotITiSiLdCrEgENuEHQYAMBkWFuKTEcEbE hqGPcGxzioMktvx4NOSR+OBdOZ591q0aldQx39MTGzLt7WGlyQ==
X-Google-Smtp-Source: AMsMyM7PWBcK+qSd6cb1UIgnr9vmZJMi05BueQNZ8aHOnfuQ5BkzmJcj0ZxY3UPs1k6tpcxEPbzww/7esIhHC5piN3M=
X-Received: by 2002:a05:6808:1a98:b0:34f:8b40:6263 with SMTP id bm24-20020a0568081a9800b0034f8b406263mr1228690oib.265.1664266721673; Tue, 27 Sep 2022 01:18:41 -0700 (PDT)
MIME-Version: 1.0
References: <5F4C1659-9E41-4257-AE1A-8E4937AA1997@trammell.ch>
In-Reply-To: <5F4C1659-9E41-4257-AE1A-8E4937AA1997@trammell.ch>
From: Jane Coffin <jane@connecthumanity.fund>
Date: Tue, 27 Sep 2022 11:18:30 +0300
Message-ID: <CAAk_8j0iW4Szk76_GJ1BeqRbu2HJ+pSLFv9smxVH6o81Fr9Q4Q@mail.gmail.com>
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: hrpc@irtf.org, draft-irtf-hrpc-guidelines@ietf.org, irsg@irtf.org
Content-Type: multipart/mixed; boundary="000000000000c240f205e9a44a5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/_JkrV6tq16l3gcMN9ffGc4bj4Vk>
Subject: Re: [hrpc] [irsg] Review of draft-irtf-hrpc-guidelines-13
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2022 08:18:45 -0000

Hi All -

I have done a review of the HRPC guidelines doc as well.
Please see the attached.

Jane

On Thu, Sep 8, 2022 at 1:30 PM Brian Trammell (IETF) <ietf@trammell.ch>
wrote:

> Greetings, all,
>
> I've reviewed draft-irtf-hrpc-guidelines-13 for the IRSG.
>
> I believe the document is on the right track, and thank the authors and
> the RG for what has clearly been a lot of work. However, in my opinion the
> document still needs a bit more work, or at least consideration, before it
> is ready for publication as an IRTF RFC.
>
> tl;dr: section 4 is a very useful discussion, but I think the document and
> the work would benefit from a more systematic examination of the guidelines
> in section 4, which will probably lead to changes in structure more than
> changes in content.
>
> Indeed, the document is quite useful in its current state, and I quite
> enjoyed reading it. Though it claims not to be a taxonomy or an exhaustive
> study, the considerations in section 4 seem pretty thorough to me. The rest
> of my comments follow in no particular order, though I'll save purely
> editorial comments for the end.
>
> The abstract and introduction state that the document has been "reviewed,
> tried, and tested" by the RG. "Reviewed" I accept at face value, though it
> is unclear how the document was "tried and tested". Have each of the review
> categories in section 3 been run at least once by the RG/review team?
> Should the document link to some instance of each of these kinds of reviews
> (whether within the RG, or without)?
>
> Section 3 seems to be missing a recommendation about who reviewers should
> be. Is this the shepherd, someone appointed by the WG chair, a cross-IETF
> group of interested people, people with more or less familiarity with the
> specifics of the context the protocol is developed in, all or none of the
> above?
>
> Though happy with its completeness, I found myself unsatisfied with the
> structure of section 4, and I wonder whether this is an editorial issue or
> a signal of something deeper. Certain subsections of section 4 can be
> naturally grouped together -- in some cases, leading me to wonder whether
> they should be merged. Other subsections tie pretty deeply into existing
> processes (formal or cultural) within the IETF, which raises the question
> of whether the document should directly address the gaps between these
> processes and their ideal, from a human rights standpoint.
>
> Specifically:
>
> - Sections 4.1 and 4.2 are points on a continuum, basically stating that
> "if your protocol doesn't work in all contexts in which the Internet might
> be deployed, then you're disadvantaging people"... which is true, and
> stronger IMO if stated more directly. Section 4.1 is entitled
> "connectivity" but mixes the end-to-end principle with reliability under
> bandwidth and latency challenges (though Reliability is the title of
> section 4.2).
>
> - Sections 4.4 and 4.5 seem like they were originally a single section
> named Internationalization and Localization, and then were split. I'd merge
> them again, because many of the points made in one apply to the other and
> vice versa. Accessibility (section 4.18) also seems like it's following the
> same general principle -- internationalization and localization deal with
> application/presentation barriers tied to language, while accessibility in
> a protocol context deals with application/presentation barriers tied to
> mostly-nonlinguistic aspects of user experience, though in an Internet
> context accessibility generally applies to application layer protocols
> payload presentation (and the applications above them). Please consider
> treating them together.
>
> - Sections 4.6, 4.7, and 4.17 overlap quite a bit -- adaptability goes
> hand in hand with openness of standard and implementation, and adaptability
> and support for heterogeneity are also intrinsically linked. Perhaps these
> are third-level subsections of an overarching second-level subsection?
>
> - Similarly, sections 4.8-4.10 cover properties of communications security
> protocols, and then we come to section 4.11, entitled Security, and section
> 4.12 on privacy (which overlaps with Confidentiality as a property),
> followed by sections 4.13 and 4.14 on Pseudonymity and Anonymity
> (themselves privacy preserving techniques). These sections also cover
> ground covered by existing formal and informal practices in the IETF, on
> security and privacy considerations within documents. As a user of this
> document, I'd prefer this entire set of considerations to be split out into
> their own section, since unlike the other sections they do cover properties
> of the protocol and its description already covered by existing practice
> and process. What I'd like to know as an HRPC reviewer is what I need to
> look for in existing security and privacy considerations sections to find
> gaps in human rights considerations that might need to be addressed. What's
> the delta between existing S&P guidelines and those in this document?
>
> To be clear, I'm not suggesting that the authors and the RG restructure
> the document from a document usability standpoint; rather, I'm pointing out
> what appear to be structural issues in the document in case these are an
> indication that the RG's thinking on these points might be incomplete. Or,
> in other words, the RG did not set out to build a taxonomy, but having
> almost done so, is it worth finishing the job?
>
> That said, there are a couple of guidelines that stand out to me as less
> applicable, specifically:
>
> - Section 4.16 Outcome Transparency asks what appears to me to be an
> impossible question. I'm of course aware of the harms of unintended
> consequences, but I'm not sure how I, as a protocol designer, could
> usefully apply this question to my work. The only wise answer to "are the
> effects of your protocol fully and easily comprehensible...?" is "no", and
> no action I can take not involving a time machine will flip it to "yes". So
> this observation probably belongs in the frontmatter of section 4, as
> opposed to being a guideline itself. Section 4.21 is similarly difficult to
> actually apply: it seems to reduce to "have you thought of anything you
> haven't thought of yet?", which is tautologcially "no".
>
> - Section 4.20 points to an unsolved (and at first glance very difficult
> to solve) problem in providing recourse to remedy, which is an interesting
> point, but maybe not a guideline per se.
>
> Throughout section 4, I found the choice of which rights were impacted by
> which consideration to be mostly arbitrary, in that in most cases I
> couldn't come up with a convincing argument for why the impacts listed were
> tied to the guideline at hand, or a good reason why a missing impacted
> right was missing. The most glaring of these: section 4.12 "Privacy" does
> not list the "Right to Privacy" as impacted, which seems... incorrect. It's
> not clear to me that the Impacts sections are all that useful, though,
> unless someone is trying to pick and choose which human rights not to care
> about (not a use case we should optimize for, IMO), so might be painlessly
> omitted.
>
> and as promised, one editorial nit: section 3.1 appears to incorrectly
> cite section 3.3 as the source of guidelines; this should point to section
> 4.
>
> Again, many thanks for an informative, well-written, and useful document,
> and I hope these comments are similarly useful to you.
>
> Cheers,
>
> Brian
>
>

v2.23.0 | Report a Bug | By Email