[hrpc] draft-celi-irtf-hrpc-ipvc-00 (and notification aspects of authentication systems)
John Curran <jcurran@istaff.org> Fri, 31 March 2023 01:43 UTC
Return-Path: <jcurran@istaff.org>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D646EC15154C for <hrpc@ietfa.amsl.com>; Thu, 30 Mar 2023 18:43:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=istaff.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3bxawwpDCUa for <hrpc@ietfa.amsl.com>; Thu, 30 Mar 2023 18:43:49 -0700 (PDT)
Received: from pv50p00im-ztdg10021201.me.com (pv50p00im-ztdg10021201.me.com [17.58.6.45]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC5D4C14CE5F for <hrpc@irtf.org>; Thu, 30 Mar 2023 18:43:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=istaff.org; s=sig1; t=1680227028; bh=ge4GWWKbeAiZkv7K1i4q4aq/1zz0kvf/haYwnuWPGy4=; h=From:Content-Type:Mime-Version:Subject:Message-Id:Date:To; b=Qanddg4rtjwuF9lQzd4seL/vrvck2NlJNKRkq0udPL6aCRqq69eZ1sKxUZHz8SEYF AH1rsKxwdMhB6uu+fgQnnzuAC8paRnU1HUmPWW4v4BRHWzT9kCq5QxQBT0in1DRY63 krg5rpQSSJXvMl6vNcijcNQZtCdxYbH4fI8VQN8f33+AlgtVd1jgmHJ4I52mTa9yHI GHjP9L61KXrljXKp98viT5LCCM6bQpUJHi0q9Ogj2rajc0BBszV954YDoU2dir+sCP qiRbKZPF87T5Bx8lAuNGqvCOVsHjNJRfO9f2NT6zKKRbKzl6jeVQtHEOQVJw6+F8Ii AIJwKq9RcoDdA==
Received: from smtpclient.apple (pv50p00im-dlb-asmtp-mailmevip.me.com [17.56.9.10]) by pv50p00im-ztdg10021201.me.com (Postfix) with ESMTPSA id 13DE76803A9 for <hrpc@irtf.org>; Fri, 31 Mar 2023 01:43:46 +0000 (UTC)
From: John Curran <jcurran@istaff.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2B7886ED-EF03-4A76-80D9-B833206B369D"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Message-Id: <B56A2B94-ADFF-480C-A21D-73F70B70942D@istaff.org>
Date: Fri, 31 Mar 2023 10:43:34 +0900
To: hrpc@irtf.org
X-Mailer: Apple Mail (2.3731.400.51.1.1)
X-Proofpoint-ORIG-GUID: HfCahRdpJ6yK_bRsW32ATN885lC6Hj-H
X-Proofpoint-GUID: HfCahRdpJ6yK_bRsW32ATN885lC6Hj-H
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.517,18.0.883,17.0.605.474.0000000 definitions=2022-06-21_08:2022-06-21_01,2022-06-21_08,2020-01-23_02 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 adultscore=0 mlxlogscore=773 malwarescore=0 bulkscore=0 mlxscore=0 phishscore=0 clxscore=1030 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2303310010
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/sgtxNUOoxyIANlo8fb6NrGxWlQM>
Subject: [hrpc] draft-celi-irtf-hrpc-ipvc-00 (and notification aspects of authentication systems)
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2023 01:43:53 -0000
To hrpc-ipvc drafting team (Sofia, Juliana, Mallory) – This is a most excellent document - thanks for all your work on it! Regarding the Recommendation section, I note that the document doesn’t include any mention of importance of the notification capabilities of authentication systems as a means for mitigation possible abuser use of technology. As means of example, I’d refer to the work of the National Network to End Domestic Violence (NNEDV) and Facebook in making clear possible mitigations to technology by abusers, and their publication "A guide for Survivors of Abuse” <https://nnedv.org/wp-content/uploads/2019/07/Library_TH_2018_Privacy_Safety_Facebook_Guide_Survivors_Abuse.pdf>, which calls out the usefulness of notifications in detecting misuse of technology by abusers - > Login notifications > > You can be notified, either by email or text message, if someone tries to access your account from a computer or device that you haven’t used before. > > Login approvals > > If you are logging into your account from a different web browser or device, you must have a security code to access your account. > > Recognized devices > > You can manage the devices that are allowed to have access to your account and be notified if an unknown device tries to access your account. This is particularly helpful for a survivor who may have wanted to access their account from their partner’s device, but now no longer wants that device to have access. > > Active sessions > > This is important to note because it shows sessions that are currently active or logged on. You may have active sessions if you’ve accessed your account or are using an app and forgot to log off. This also will show if someone else might have accessed your account. In that case, you can choose to ‘End Activity,’ which will block that device from continuing to access your account. > This usefulness of such controls echoed in another recent paper "A Domestic Violence Dystopia: Abuse via the Internet of Things and Remedies Under Current Law” <https://californialawreview.org/print/a-domestic-violence-dystopia-abuse-via-the-internet-of-things-and-remedies-under-current-law/#clr-toc-heading-10>. which notes implications of technology design on those facing potential abuse – "Safe design should also include automatic generation of weekly or monthly reports informing users about their data and account logins, a system notification that shows which registered user initiated the controls, and the standard of requiring that users opt into rather than out of data-sharing between members of a household. “ I’d encourage some further discussion on the list of the notification aspects of authentication systems and their potential use in mitigation of abuse via technology, and if found useful, inclusion of additional text in the authentication systems portion of the recommendations. Thanks, /John p.s. Disclaimers: my words alone – they are provided “as-is” and without any warranty or guarantee for suitability to any particular purpose.