Re: [perpass] Commnets on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 05 December 2013 14:55 UTC

To: Josh Howlett <Josh.Howlett@ja.net>
Cc: perpass <perpass@ietf.org>, IETF Discussion <ietf@ietf.org>

On 12/05/2013 02:41 PM, Josh Howlett wrote:
> Stephen,
> 
> Yes I agree it's necessary, but it's not the hard part of the problem.
> We are focusing on implementation detail, 

Great, I think we agree on that, maybe with slightly
different emphases.

> at the expense of the meaty
> political problems; namely, (1) establishing the level of monitoring
> civil society is willing to tolerate (on the spectrum none to
> pervasive) and (2) building whatever legislative consensus is
> necessary to enforce that. 

Those may be good things for folks to do in various other
places, but I don't think they're for the IETF to do.

Cheers,
S.

> Moving straight to (3) the solution space
> may deliver specs and running code, but not the motivations to deploy
> it (or worse, incentives not to). I applaud the effort, even if it
> only serves to incrementally improve on the status quo, but given
> your adversaries I fear it is already doomed before it has started.
> Seriously, best of luck anyway :-)
> 
> Josh.
> ________________________________
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Sent: 05/12/2013 12:41
> To: Josh Howlett <Josh.Howlett@ja.net>
> Cc: perpass <perpass@ietf.org>; IETF Discussion <ietf@ietf.org>
> Subject: Re: [perpass] Commnets on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01
> 
> 
> Josh,
> 
> On 12/05/2013 12:28 PM, Josh Howlett wrote:
>> Hi Stephen,
>> 
>> I absolutely agree that the technical work is necessary, but it is
>> not sufficient.
> 
> So you agree this draft is necessary? If so, good.
> 
> Nobody (sensible) claimed it was sufficient by itself to stop 
> pervasive monitoring. It can nonetheless improve the Internet in any
> case, both when considering the pervasive monitoring threat and other
> threats. If e.g. the UTA WG is chartered later today then what
> they're going to do, which is directly spurred by this overall
> discussion, could significantly improve e.g. SMTP security.
> 
>> The political environment controls the legal and regulatory
>> environment within which CEOs, their lawyers, and the other minions
>> whose role is to minimise corporate risk exposure, take the
>> decisions on which products and services reach the market.
>> 
>> The technical community can obviously choose to do the work
>> regardless, but in the absence of conformant products and services
>> it runs the risk of being a paper exercise.
> 
> That seems to apply to any new work that anyone does in the IETF and
> is not a reason to do nothing.
> 
>> I am sympathetic to your argument that the technical work could
>> happen in advance of policy,
> 
> That is not my argument. The technical work should happen and for
> technical reasons.
> 
>> but that hands the advantage to the adversary who can use this
>> intelligence to advance blocking political measures.
> 
> Game theory is fun, but not particularly productive for this draft
> IMO. That'd be more relevant for specific bits of protocol work where
> it might be the case that one could consider how an adversary could
> react to a particular mitigation for this or other threats. At the
> level of this draft I don't think there's anything useful to be done
> in that respect.
> 
> Cheers, S.
> 
>> 
>> I also agree that it is unfortunate that none of the numerous
>> acronyms that claim to have a remit in Internet policy are working
>> with the technical community. In the majority of the capitals of
>> Europe there is clearly a political appetite to roll pervasive
>> monitoring back, and these acronyms would be pushing on an open
>> door (and, in fairness, perhaps they already are but it is not
>> obvious to the outside world). It is not far from Geneva to
>> Brussels...
>> 
>> Josh.
>> 
>> On 05/12/2013 11:09, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
>> wrote:
>> 
>>> 
>>> Josh,
>>> 
>>> On 12/05/2013 10:53 AM, Josh Howlett wrote:
>>>> 
>>>> I fully support action to increase security, where it responds
>>>> to the prevailing threat environment. But it will be a
>>>> perpetuation of the naivety that has characterised this debate
>>>> to think that this alone will halt pervasive monitoring,
>>>> because the threat is not technical in nature.
>>> 
>>> Personally, I think anyone using the argument that "you can't
>>> solve the problem therefore do nothing" is talking about the same
>>> amount of nonsense as anyone who says "the IETF can halt
>>> pervasive monitoring."
>>> 
>>> You don't quite say either of those above, but neither do you 
>>> acknowledge that the draft in question, and all the sensible
>>> discussion (which is far from all the discussion;-) around that
>>> fully acknowledges that the technical things that can and should
>>> be done are only part of the story.
>>> 
>>>> The technical response must be coordinated with a political
>>>> response, or else the perpetrators will find political means to
>>>> route around the technical measures.
>>> 
>>> I disagree with "must be coordinated" for various reasons.
>>> 
>>> Given the time it takes for us to do our part, which is measured 
>>> in years before we get good deployment, imposing a requirement to
>>> start with coordination would mean doing nothing ever.
>>> 
>>> Secondly, with whom would we coordinate? Again, trying to impose 
>>> a requirement for coordination with a non-existent Internet-wide 
>>> political entity is tantamount to doing nothing.
>>> 
>>> If some other folks outside the IETF are working on the same 
>>> issues that'll be good or bad, and for some such activities
>>> it'll be useful for us to know about and consider them. And maybe
>>> it'll be useful for others to know what we're up to, but we
>>> should not wait.
>>> 
>>>> The political response shouldn't be organised within the IETF,
>>>> but it does need to liaise with those responsible for doing
>>>> that.
>>> 
>>> "The" political response? You expect only one? Again, I don't 
>>> think we should hang around waiting - we should document the 
>>> consensus from Vancouver and then follow that through in our 
>>> normal work within working groups and elsewhere - considering 
>>> threats, including this one, as we develop protocols.
>>> 
>>>> Unfortunately I am not observing any movement by any of the
>>>> other parties within our wonderful multi-stakeholder system
>>>> that you would think would be notionally responsible for this.
>>>> My fear is that they are opting to drink the technology
>>>> Kool-Aid, to avoid grasping the political nettle. That is what
>>>> should be concerning us right now.
>>> 
>>> Fully disagree. It's us should be grasping nettles and working to
>>> improve the security and privacy properties of our protocols.
>>> 
>>> Regards, S.
>>> 
>> 
>> 
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited,
>> a not-for-profit company which is registered in England under No.
>> 2881024 and whose Registered Office is at Lumen House, Library
>> Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No.
>> 614944238
>> 
>> _______________________________________________ perpass mailing
>> list perpass@ietf.org 
>> https://www.ietf.org/mailman/listinfo/perpass
>> 
>> 