Re: Call for Adoption: draft-pauly-httpbis-geoip-hint
Tommy Pauly <tpauly@apple.com> Mon, 05 September 2022 20:43 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62491C14CF06 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 5 Sep 2022 13:43:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.329
X-Spam-Level:
X-Spam-Status: No, score=-3.329 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kiUrnLOyUz5t for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 5 Sep 2022 13:43:39 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A63E1C14F606 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 5 Sep 2022 13:43:39 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1oVItf-00Dfm9-9E for ietf-http-wg-dist@listhub.w3.org; Mon, 05 Sep 2022 20:40:43 +0000
Resent-Date: Mon, 05 Sep 2022 20:40:43 +0000
Resent-Message-Id: <E1oVItf-00Dfm9-9E@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tpauly@apple.com>) id 1oVIte-00DflB-7E for ietf-http-wg@listhub.w3.org; Mon, 05 Sep 2022 20:40:42 +0000
Received: from rn-mailsvcp-ppex-lapp14.rno.apple.com ([17.179.253.33] helo=rn-mailsvcp-ppex-lapp14.apple.com) by titan.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tpauly@apple.com>) id 1oVItc-00BBp9-06 for ietf-http-wg@w3.org; Mon, 05 Sep 2022 20:40:41 +0000
Received: from pps.filterd (rn-mailsvcp-ppex-lapp14.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp14.rno.apple.com (8.16.1.2/8.16.1.2) with SMTP id 285KPLax006833; Mon, 5 Sep 2022 13:40:23 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=EMjtqzSKg4Bhb69BV7Q9iNM6cg/gMGMeaS2S67y/G28=; b=J4nOqK8/lzDNtUT4QoCTL71VuNyK6CncNp+epE2uaxod3+NzZxTCkN5Nygig6eTNvOYM jLFbrUUT25AlXYD8ImbB3Ds8MJAISjCjeGGF7ne1hON6LRNRP1SAg21erQ/54udCf9w1 hTDwstUsIGcZ5DQzE5NQCS9vsRrDN19ZjibQcSi67N0bPrMPAlHHVlBlz+BFZW1hDhCY Hn1rhhBedcRuOHTDAnzs1pOhevjY/SfSMenCIyir4Q9yWHljvPV9RXUNBw26q8rFbQZY 6ZTDyAeuvX22qI1b5lchcS3l71dwd+OhrQ3rsxN2rJIEPKNJmAcIme/6qKddVVAzCv7u Bg==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by rn-mailsvcp-ppex-lapp14.rno.apple.com with ESMTP id 3jc3tbd2hw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 05 Sep 2022 13:40:23 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) with ESMTPS id <0RHR00QGB83B3C60@rn-mailsvcp-mta-lapp02.rno.apple.com>; Mon, 05 Sep 2022 13:40:23 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) id <0RHR00D007MT3400@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Mon, 05 Sep 2022 13:40:23 -0700 (PDT)
X-Va-A:
X-Va-T-CD: e35a78e4c47125ab08eac8fd8a04005c
X-Va-E-CD: d3a75e3ccedb07fc4d95e4e8677dd8aa
X-Va-R-CD: 67f7ad0006524c633872630d501e65a8
X-Va-CD: 0
X-Va-ID: 045537df-0b16-4607-be0f-e662a9a8ef29
X-V-A:
X-V-T-CD: e35a78e4c47125ab08eac8fd8a04005c
X-V-E-CD: d3a75e3ccedb07fc4d95e4e8677dd8aa
X-V-R-CD: 67f7ad0006524c633872630d501e65a8
X-V-CD: 0
X-V-ID: 46c639f9-4b8b-4762-b906-ae74f29744c2
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.528,18.0.895 definitions=2022-09-05_14:2022-09-05,2022-09-05 signatures=0
Received: from smtpclient.apple (unknown [17.11.243.165]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) with ESMTPSA id <0RHR00CBC83B4N00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Mon, 05 Sep 2022 13:40:23 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <B7E20698-20C3-4F6C-B7D5-0C169968B3D3@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_BB80A93A-341C-4DE8-8593-5278E97DD7B5"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3730.0.21\))
Date: Mon, 05 Sep 2022 13:40:13 -0700
In-reply-to: <CA+9kkMBbzXUDTmXnp7KRXdKUTdHn5HjjDLBjwkwHYT3-yiKheg@mail.gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
To: Ted Hardie <ted.ietf@gmail.com>
References: <694DD6A2-5191-488C-8A93-FE670992204D@mnot.net> <CA+9kkMBbzXUDTmXnp7KRXdKUTdHn5HjjDLBjwkwHYT3-yiKheg@mail.gmail.com>
X-Mailer: Apple Mail (2.3730.0.21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.528,18.0.895 definitions=2022-09-05_14:2022-09-05,2022-09-05 signatures=0
Received-SPF: pass client-ip=17.179.253.33; envelope-from=tpauly@apple.com; helo=rn-mailsvcp-ppex-lapp14.apple.com
X-W3C-Hub-DKIM-Status: validation passed: (address=tpauly@apple.com domain=apple.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-8.4
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1oVItc-00BBp9-06 a3d72dbd6949dd7ef181dd37953e8699
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: draft-pauly-httpbis-geoip-hint
Archived-At: <https://www.w3.org/mid/B7E20698-20C3-4F6C-B7D5-0C169968B3D3@apple.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40372
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Ted, Thanks for the comments. I appreciate where you’re coming from on this, certainly. I did want to explain the context here of why this proposal has the shape it does. The information being included in the header is the information that is already carried by the externally visible IP address presented to the server, and to that end is not designed to send any more information than would already be known to a server that has an up-to-date view of various geo IP databases. Turning it “off” would not meaningfully improve anyone’s privacy. (Ensuring that this value matches what would be known anyway and not allow clients to accidentally put more information could be discussed, etc, of course.) Instead, the fundamental goal behind the proposal is to enable improved privacy solutions that provide overall less identifying data and less location-related information to servers. The status quo is a world where most users are generally accessing websites without a proxy or a VPN, using IPs provisioned by their ISP / carrier; and servers use various proprietary geo IP database services to determine user location, often with extreme accuracy. In order to prevent implicit location tracking, we need clients to user more proxied IP addresses. In order to make the use of such IP addresses ubiquitous, the experience needs to be sufficiently good that most/all users are willing to use a proxying service. From my experience in deploying such a service, compatibility due to incorrect geo IP mappings was one of the biggest hurdles for rolling out proxying using privatized IP addresses — IP addresses that used broader location granularity than the user would have had otherwise, and allowing users to select “country-wide” anonymous IP addresses. The user experience problems range from sites showing up in incorrect languages to blocking access altogether because they think they’re from a country that isn’t served by the site. The current mechanism to rectify the situation involves a good deal of manual outreach to various geo IP database providers and website operators, asking them to update their mappings. But even this doesn’t work perfectly, since many of these databases only have a notion of city-specific IP addresses, and cannot support broader notions of state/province/country-wide IP addresses. The goal is to make it easier and faster (in time) for more privacy-oriented proxying services to come up and deploy usable solutions, without requiring the resources to evangelize and update a myriad of databases and perform outreach to site operators. The proposed mechanism does this by: - Enabling proxied IP address information to be used without being gated by geo IP provider updates - Ensuring that broader (country-wide, etc) mappings get through without being incorrectly translated into city-specific addresses - Not sharing more information than is already available based on the IP It’s of course acceptable to not want to touch this topic, but my concern is that not addressing the myriad of privacy and usability issues in the status quo situation (partly due to a lack of standardized mechanisms) will mean that it remains too difficult to deploy new services that are aimed at helping users not have their location and identity tracked. Thanks, Tommy > On Sep 5, 2022, at 5:38 AM, Ted Hardie <ted.ietf@gmail.com> wrote: > > Hi Mark, WG colleagues, and fans of Geographic Privacy, > > On Mon, Sep 5, 2022 at 7:47 AM Mark Nottingham <mnot@mnot.net <mailto:mnot@mnot.net>> wrote: >> At IETF 114, we saw some interest in adding hints about the client's location to requests in certain circumstances, with the condition that it be done in a way that doesn't compromise privacy. >> >> My sense (as Chair) is that further discussion might result in a solution that's broadly acceptable, or it might conclude that we can't publish anything. However, we need a focal point for that discussion. One potential starting point would be the draft presented: >> https://datatracker.ietf.org/doc/draft-pauly-httpbis-geoip-hint/ >> >> As always, if we adopt this draft it will be a starting point; it may change considerably, and consensus on any remaining content will need to be confirmed. I'll add one more proviso: if we can't come to consensus on a solution with appropriate properties (especially, privacy), we won't move the document forward. >> >> Please indicate whether you support adopting this draft. The Call for Adoption will end in two weeks. >> > > I do not support starting the discussion with this draft. If the working group would like to start a discussion on it, it should start with BCP 160/RFC 6280 and work out what architecture it wants to build. The header format is a trivial piece to that puzzle and it can come much, much later. As many people who went through GeoPriv could tell you: > > Information on location which is sent by a client can be combined with other information in ways that many find startling and it is often redistributed in ways that people find distressing. Starting a new "client sends geolocation info" project in a climate in which geolocation data is currently being used to target soldiers, pregnant women, and members of the LGBTQ community has to start from the recognition that turning this off and being sure it is off is job one. I see no evidence of that awareness in this draft, despite my utter faith in Tommy and David's goodwill here. Despite that faith, the optics are _terrible_ , and adopting it without some attention to this is unconscionable. If you think that the use of a specific VPN and a provided GeoLocation of Alabaster, AL by the client doesn't cause privacy concerns, I have a statue of Vulcan, currently located in Birminghan, AL, that I'd like to sell; it's quite handsome, and think you'll find it's good value for the money. > > Once you get such an architecture, you need to recognize that information provided by clients is often not trusted, and the use of trusted location providers to associate location with a client is thus common in some contexts. You need to decide very early on whether this architecture will ever allow third parties to provide the location and, if so, how (e.g. by providing a signed object that the client can include). Otherwise I can claim to be in Alabaster to get around the GDPR restrictions that US companies have placed on their data. (While I see that the draft's security considerations touch on this, I have absolutely no faith at all in the "use this, but not for access control decisions" language being honored in the breach.) > > Lastly, I will point out that this relies on a document that went through the independent stream and requires adherence to its feed format and references those feeds within this format. Some thought as to why it had to go to the independent stream might be worth the attention of the authors. > > In short, I oppose this, and I think the working group should simply avoid work in this area completely; it is fraught with pitfalls. If you must do work in the area, start from the right place, which is a privacy-preserving architecture. Get to the header format at the *end* of that process. > > best regards, > > Ted Hardie > > > > > > > >> Cheers, >> >> >> -- >> Mark Nottingham https://www.mnot.net/ >> >>
- Call for Adoption: draft-pauly-httpbis-geoip-hint Mark Nottingham
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Ted Hardie
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Stephen Farrell
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Tommy Pauly
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Martin Thomson
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Ted Hardie
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Poul-Henning Kamp
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Rafal Pietrak
- Re: Call for Adoption: draft-pauly-httpbis-geoip-… Mark Nottingham