Re: Review of draft-hardie-privsec-metadata-insertion-05
Ted Hardie <ted.ietf@gmail.com> Tue, 07 February 2017 21:25 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 445711295D5; Tue, 7 Feb 2017 13:25:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rp6QPhSJ9yWs; Tue, 7 Feb 2017 13:25:17 -0800 (PST)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44EF41294E4; Tue, 7 Feb 2017 13:25:17 -0800 (PST)
Received: by mail-qt0-x22d.google.com with SMTP id w20so142603013qtb.1; Tue, 07 Feb 2017 13:25:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6tDw1+v982SFpHTSQV1kbUCiEVF9RiYVPSaGGV23X3k=; b=EaJqQVEHIg1q9pKPKypnAorJdhenBPgNjdhcPIy4L8Iied9N9EvCdQJ6Zfy0S1qkS8 M3mCGiFXzYfJ2nvlEpp7Wb9TjcZpHI6PXyPHexo2Gt0dfdT5BcL29FzbIXA1XyWfREGR tKJKxJk36rB5Wv3Bi6+WsHFlYrhgUQdg5N1q9WyCmN5vTR8Jk0Sk7x48xJ883PXOaWER C63jZtZwfvAH0UOXQqCl4E+/IeourhOE75Na18mZA10wcxecD81a8Nbpc3fHp45DYapm xdR80ozpUUCHq3Ji7MO4K6idkc2WJCCzVoliiHYVD1W3ppXLuzx9OlpbCuIk/DDHKN3K ifHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6tDw1+v982SFpHTSQV1kbUCiEVF9RiYVPSaGGV23X3k=; b=jPKBdvRysqU2Q3W/2Xq6f3A9rDx9mrLJsdlgynEJoN5FYLQzCvNM9wQzf4yuW/67Pl WteEpP78zO4AW+NQ32XJmq1HnUz5XzlCWc3CaZi0OluvqFUxmouXbLZYYktbXINZrA+d HKwPhnp0Q/DZhcwuRyylDhuYlPDEaYG5XreZ2K35PDVs2tpGqQ3UoMWupFYqEUh0ERg8 nE+qMUtPPC2n+eDGpCXrndhiN71q9qg2Ee/C04cs0ptu0Xf3fagKzIzSQgWtvmJqpxXJ 4wnG3HV3oM7kz4E0a8Xcimh2xOhVPrXV94SF82XBfWc+ul0D2ar2rZyePwLlHmJoPSei GbCg==
X-Gm-Message-State: AMke39nPhBhlE3dO4X8vwkPL5M2Ey8WfHwZur43lXawB06vG78MW3kJ9q+QpZJiuUDM2OG/1XzgkrGQQ3G/oaw==
X-Received: by 10.237.35.130 with SMTP id j2mr18360527qtc.45.1486502716388; Tue, 07 Feb 2017 13:25:16 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.174.226 with HTTP; Tue, 7 Feb 2017 13:24:46 -0800 (PST)
In-Reply-To: <148649922555.26656.10191520146576198408.idtracker@ietfa.amsl.com>
References: <148649922555.26656.10191520146576198408.idtracker@ietfa.amsl.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Tue, 07 Feb 2017 13:24:46 -0800
Message-ID: <CA+9kkMCss+V2uAC9CYEQpe9FAwh3-F8EbRRCCtsgZYGhUpu=Dg@mail.gmail.com>
Subject: Re: Review of draft-hardie-privsec-metadata-insertion-05
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a113914425e47750547f762e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/-n2HAYcuClrmFFr_-ki6RbZfg4Q>
Cc: draft-hardie-privsec-metadata-insertion.all@ietf.org, IETF <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 21:25:20 -0000
On Tue, Feb 7, 2017 at 12:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > Reviewer: Yoav Nir > Review result: Has Nits > > Hi > > The document is well-written and understandable, but a few things > about it seem wrong: > > Section 3 describes data minimization as "one of the core mitigations > for the loss of confidentiality". However, the only example given > where data minimization is used to mitigate confidentiality loss is > when browsers suppress cookies in private mode. The rest of the > examples given (HTTP proxies, recursive DNS, VPN) are such where the > data minimization is incidental to some other function. Nobody > deployed the HTTP proxy or the DNS server in order to enhance > privacy. > So, I would challenge "nobody" on the HTTP proxy front, but that's not the important piece here. The important piece is they generally do have a net privacy positive effect. That privacy positive effect is eliminated when metadata that would be concealed by normal operation is added back in. That's the converse of your statement: no one built an HTTP proxy or recursive DNS server in order to supply metadata. Is there a specific place in the doc where more text would make this point clearer? > > The HTTP proxy example in particular is not convincing. HTTP is > designed to work without proxies. Any data minimization provided > incidentally by a proxy is nothing that can be counted on, I'm not sure what you mean by "counted on" here. Do you mean that you can't know the pool of other users and thus the number of times you'll be served from cache rather than getting new data? > so a > prohibition on restoring said data (especially in the case of a > server-side load balancer) is just not convincing. OTOH in DNS > recursive resolvers that hide the origin IP of the client are the norm > - Authoritative servers hardly ever get to see real addresses of > clients. In that case exposing the real IP address of the client shows > data that was not there before. > > I believe the text should differentiate between cases where a network > element is not part of the normal function of the protocol and works > to undo the accidental data minimization that it causes, So, I think "accidental" is a tricky word here. The use of a proxy or recursive resolver is generally speaking not "accidental". Data minimization is a consequence of normal operation, and what we're talking about is changing operations in order to change that data minimization. The core of the advice is that instead of changing the operation of the middlebox, change the operation of the device about which you desire data. What would make that clearer? > and cases > where the network element is expected in the protocol and thus the > minimization is expected as well. I think the prescription in the text > applies to the latter. I am not convinced about the former > > The VPN example is a strange one. If the subject is a corporate VPN, > then restoring the original IP addresses is the function of the VPN. > If, OTOH, VPN is that service that allows people to watch Hulu outside > of the US, then restoring the IP address would be counter-productive. > It is also strange to see VPN used as an example of "systems whose > primary function is not to provide confidentiality" > > Well, it does two things: shifts the network locality of the endpoint using the VPN and masks who is shifting. I believe the first is the primary function and the second a common secondary property. If you would like different language on this, though, please let me know. thanks for the review, Ted
- Review of draft-hardie-privsec-metadata-insertion… Yoav Nir
- Re: Review of draft-hardie-privsec-metadata-inser… Ted Hardie
- Re: Review of draft-hardie-privsec-metadata-inser… Yoav Nir
- Re: Review of draft-hardie-privsec-metadata-inser… Ted Hardie
- Re: [Tsv-art] Review of draft-hardie-privsec-meta… Michael Tuexen