Re: [saag] [Pearg] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?

Tony Rutkowski <trutkowski.netmagic@gmail.com> Thu, 05 January 2023 11:59 UTC

From: Tony Rutkowski <trutkowski.netmagic@gmail.com>
X-Google-Original-From: Tony Rutkowski <trutkowski@netmagic.com>
Message-ID: <560fae4b-8624-f4ff-63a9-78e4362a5939@netmagic.com>
Date: Thu, 05 Jan 2023 06:59:27 -0500
Reply-To: trutkowski@netmagic.com
Subject: Re: [saag] [Pearg] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?
Content-Language: en-US
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Ted Hardie <ted.ietf@gmail.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: saag <saag@ietf.org>, "pearg@irtf.org" <pearg@irtf.org>, "ietf@ietf.org" <ietf@ietf.org>, "hrpc@irtf.org" <hrpc@irtf.org>
References: <HE1PR0701MB305098F652DBC34E3C40810B89F49@HE1PR0701MB3050.eurprd07.prod.outlook.com> <764163366.39904.1672842828297@appsuite-gw2.open-xchange.com> <CABcZeBNA_nJ2waQVENUvEXro91wAYOcH0ZxWqbLH4hoKcGkosw@mail.gmail.com> <9658281.42904.1672912808774@appsuite-gw2.open-xchange.com> <CA+9kkMBLiijcAyLYn_6h8z3N00EDaxdP=f7P2-qUt4Bn1iSWEg@mail.gmail.com> <HE1PR0701MB30505DC24A725E014D60FE0189FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB30505DC24A725E014D60FE0189FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/NGASNfn3gF6QuTAcUIxFJJ19vRI>

With NIS2 now coming into force, and the CRA being finalized, 
sorting out some of the threats is underway, although there are now 50 
relevant EU Directives and 55 EU Regulations in force with 16 coming 
into force in 2023 at present count...plus an assortment of Decisions 
and Resolutions that all affect electronic communication mandates.  Most 
of them have extraterritorial application.  In the real world, there are 
many competing requirements, and as Meta recently found out, with 
significant adverse consequences for non-compliance.  It is worth noting 
that while this list resides in the IETF domain, there are several 
hundred standards bodies - many of which are far larger, encompassing 
more of industry, and more relevant than the IETF. So to borrow a Clint 
Eastwood phrase, a venue has got to know its limitations.

--tony r

On 1/5/2023 6:13 AM, John Mattsson wrote:
>
> Agree that there is not a single threat, and I don’t think it is so 
> important to determine which one of the threats that are the biggest. 
> The last 10 years IETF has been quite good at securing transit (which 
> is great and something we should celebrate) while at the same time 
> mostly ignoring endpoint threats. As Vittorio writes, this poses a 
> risk to damage IETF’s reputation. Assuming that endpoints are not 
> compromised, not malicious, and that the interests align with the 
> interests of the end-users feels quite outdated with today’s zero 
> trust principles.
>
> Cheers,
> John
>
> *From: *Ted Hardie <ted.ietf@gmail.com>
> *Date: *Thursday, 5 January 2023 at 11:36
> *To: *Vittorio Bertola <vittorio.bertola@open-xchange.com>
> *Cc: *Eric Rescorla <ekr@rtfm.com>, John Mattsson 
> <john.mattsson@ericsson.com>, ietf@ietf.org <ietf@ietf.org>, 
> hrpc@irtf.org <hrpc@irtf.org>, pearg@irtf.org <pearg@irtf.org>, saag 
> <saag@ietf.org>
> *Subject: *Re: [Pearg] [saag] Ten years after Snowden (2013 - 2023), 
> is IETF keeping its promises?
>
> A quick response in-line.
>
> On Thu, Jan 5, 2023 at 10:00 AM Vittorio Bertola 
> <vittorio.bertola=40open-xchange.com@dmarc.ietf.org> wrote:
>
>         Il 04/01/2023 20:33 CET Eric Rescorla <ekr@rtfm.com> ha scritto:
>
>             I still think this was a big fail; in fact, this implies
>             that counteraction against surveillance capitalism
>             practices can only happen elsewhere, at the regulatory
>             level, as the IETF community either does not know what to
>             do about it, or does not want to do anything about it.
>
>         I don't think this is true at all.
>
>         First, the IETF *is* working on issues around privacy and
>         preventing various forms of surveillance capitalism. That's in
>         part what initiatives like DoH, QUIC, TLS 1.3, ECH, OHAI,
>         MASQUE etc. are about.
>
>     Of course you will disagree with what I am going to say, but here
>     is the common (though not unanimous) viewpoint from the technical
>     policy community of a different part of the world - no offense
>     implied.
>
>     In Europe, "surveillance capitalism" is basically synonymous with
>     a set of a few very big American companies that happen to be the
>     ones promoting and deploying the standards you mention.
>
> First, I'm not sure that it is reasonable to assume that there is a 
> single European position on anything. Brussels is not Lisbon and 
> neither is Oslo or Budapest.  And within each of those, academics, 
> regulators, and civil society may have different opinions.  As in the 
> US, there are folks cheering for DoH and people opposed; there are 
> people delighted with OHAI and folks depressed about it.
>
> Second, I think we have to be careful to talk as if there is a single 
> threat model here.  At least one of the threat models is truly about 
> pervasive surveillance, which reflects an updated understanding that 
> an attacker may be omnipresent across the network and thus able to 
> correlate activities that a sender or receiver previously assumed 
> could not be linked. That's what RFC 7624, Section 5 described.   Many 
> of the key characteristics of protocols like QUIC were designed with 
> this threat model in mind; they provide increased confidentiality on 
> the wire. Because that threat model is focused on observation, rather 
> than the capabilities of the parties, it has little to do with 
> concerns that a small set of players is a party to many different 
> sorts of communications.  That's a different threat, and some of the 
> work to address it, like OHAI, starts from very different principles 
> as a result.
>
> Both amongst ourselves and when talking to those working in policy 
> circles, I think it is very important to be clear on what threat we 
> perceive and what responses target that.   Lumping all the threats and 
> all the responses together makes it difficult to see the progress that 
> has been achieved and even more difficult to identify where work still 
> needs to be done.
>
> Just my personal opinion, of course,
>
> regards,
>
> Ted Hardie
>
>     So, it will be hard to convince people in Brussels or Berlin that
>     those standards are meant to put the business model of their
>     proponents under check. Actually, they are more likely to lead to
>     the conclusion that the IETF is being used as an instrument to
>     further that business model, and that the encrypted network
>     architecture that it is promoting is meant to disempower end-users
>     and any other party (including European law enforcement and
>     privacy authorities) from checking what the endpoints do, which
>     information they send and who they send it to, facilitating
>     uncontrolled data extraction practices by the private companies
>     that mostly control the endpoints, i.e. the above ones.
>
>     There is a general feeling that the bigger threats to user privacy
>     are now not in transit, but in or before the endpoints. So, the
>     fact that the IETF does not want to consider threats in the
>     endpoints is seen as additional evidence for the above.
>
>     -- 
>
>     Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
>     vittorio.bertola@open-xchange.com  
>     Office @ Via Treviso 12, 10144 Torino, Italy
>