Re: [perpass] Comments on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 05 December 2013 12:40 UTC

Josh,

On 12/05/2013 12:28 PM, Josh Howlett wrote:
> Hi Stephen,
> 
> I absolutely agree that the technical work is necessary, but it is not
> sufficient.

So you agree this draft is necessary? If so, good.

Nobody (sensible) claimed it was sufficient by itself to stop
pervasive monitoring. It can nonetheless improve the Internet
in any case, both when considering the pervasive monitoring
threat and other threats. If e.g. the UTA WG is chartered later
today then what they're going to do, which is directly spurred
by this overall discussion, could significantly improve e.g. SMTP
security.

> The political environment controls the legal and regulatory environment
> within which CEOs, their lawyers, and the other minions whose role is to
> minimise corporate risk exposure, take the decisions on which products and
> services reach the market.
> 
> The technical community can obviously choose to do the work regardless,
> but in the absence of conformant products and services it runs the risk of
> being a paper exercise.

That seems to apply to any new work that anyone does in the
IETF and is not a reason to do nothing.

> I am sympathetic to your argument that the technical work could happen in
> advance of policy, 

That is not my argument. The technical work should happen and
for technical reasons.

> but that hands the advantage to the adversary who can
> use this intelligence to advance blocking political measures.

Game theory is fun, but not particularly productive for this
draft IMO. That'd be more relevant for specific bits of
protocol work where it might be the case that one could consider
how an adversary could react to a particular mitigation for
this or other threats. At the level of this draft I don't think
there's anything useful to be done in that respect.

Cheers,
S.

> 
> I also agree that it is unfortunate that none of the numerous acronyms
> that claim to have a remit in Internet policy are working with the
> technical community. In the majority of the capitals of Europe there is
> clearly a political appetite to roll pervasive monitoring back, and these
> acronyms would be pushing on an open door (and, in fairness, perhaps they
> already are but it is not obvious to the outside world). It is not far
> from Geneva to Brussels...
> 
> Josh.
> 
> On 05/12/2013 11:09, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:
> 
>>
>> Josh,
>>
>> On 12/05/2013 10:53 AM, Josh Howlett wrote:
>>>
>>> I fully support action to increase security, where it responds to the
>>> prevailing threat environment. But it will be a perpetuation of the
>>> naivety that has characterised this debate to think that this alone will
>>> halt pervasive monitoring, because the threat is not technical in
>>> nature.
>>
>> Personally, I think anyone using the argument that "you can't solve
>> the problem therefore do nothing" is talking about the same amount
>> of nonsense as anyone who says "the IETF can halt pervasive monitoring."
>>
>> You don't quite say either of those above, but neither do you
>> acknowledge that the draft in question, and all the sensible discussion
>> (which is far from all the discussion;-) around that fully acknowledges
>> that the technical things that can and should be done are only part
>> of the story.
>>
>>> The technical response must be coordinated with a political response, or
>>> else the perpetrators will find political means to route around the
>>> technical measures.
>>
>> I disagree with "must be coordinated" for various reasons.
>>
>> Given the time it takes for us to do our part, which is measured
>> in years before we get good deployment, imposing a requirement
>> to start with coordination would mean doing nothing ever.
>>
>> Secondly, with whom would we coordinate? Again, trying to impose
>> a requirement for coordination with a non-existent Internet-wide
>> political entity is tantamount to doing nothing.
>>
>> If some other folks outside the IETF are working on the same
>> issues that'll be good or bad, and for some such activities it'll
>> be useful for us to know about and consider them. And maybe it'll
>> be useful for others to know what we're up to, but we should
>> not wait.
>>
>>> The political response shouldn't be organised within the IETF, but it
>>> does need to liaise with those responsible for doing that.
>>
>> "The" political response? You expect only one? Again, I don't
>> think we should hang around waiting - we should document the
>> consensus from Vancouver and then follow that through in our
>> normal work within working groups and elsewhere - considering
>> threats, including this one, as we develop protocols.
>>
>>> Unfortunately I am
>>> not observing any movement by any of the other parties within our
>>> wonderful multi-stakeholder system that you would think would be
>>> notionally responsible for this. My fear is that they are opting to
>>> drink the technology Kool-Aid, to avoid grasping the political nettle.
>>> That is what should be concerning us right now.
>>
>> Fully disagree. It's us should be grasping nettles and working
>> to improve the security and privacy properties of our protocols.
>>
>> Regards,
>> S.
>>
> 
> 