Re: A question about user tracking with QUIC

[Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>]

Hi, Lucas,

On Mon, Jun 7, 2021 at 9:19 PM Lucas Pardue <lucaspardue.24.7@gmail.com>
wrote:

> Hey Spencer, Christian,
>
> On Tue, Jun 8, 2021 at 2:58 AM Christian Huitema <huitema@huitema.net>
> wrote:
>
>>
>> On 6/7/2021 6:50 PM, Spencer Dawkins at IETF wrote:
>>
>> Hi, Lucas,
>>
>> On Mon, Jun 7, 2021 at 4:22 PM Lucas Pardue <lucaspardue.24.7@gmail.com> <lucaspardue.24.7@gmail.com>
>> wrote:
>>
>>
>> Hi,
>>
>> Speaking as an individual.
>>
>> Through the lens of server-side observation and linking of clients, I
>> think Christian makes astute observations on some common concerns and
>> QUIC-specific ones. Roy too makes some great additional observations about
>> the context of discussion.
>>
>>
>> Agreed. Very helpful.
>>
>>
>>
>> It seems to me this topic might well do with some time to draw out the
>> considerations for documentation. However, the applicability draft is
>> already through a second round of WGLC, and that timeline seems too tight
>> for inclusion of such considerations. I would seem to me that the PEARG
>> (Privacy Enhancements and Assessments Research Group) [1] is ideally suited
>> towards housing effort on deeper/broader analysis of privacy aspects of
>> protocol evolution (I might even stick a note in for multipath TCP as
>> something that moves the needle on privacy of "legacy" application
>> protcols).
>>
>>
>> Ignoring the question of PEARG interest in this topic for now, I'm assuming
>> that these observations would likely end up in an Informational RFC, is
>> that right?
>>
>> An IRTF RG can publish Informational and Experimental RFCs, but not BCPs or
>> standards-track documents that must be published in the IETF stream, so
>> that would be an important question to answer early.
>>
>> That.
>>
>> The IRTF is not the IETF. IRTF research groups are best for analyzing
>> difficult research issues. But if we end up doing something like "privacy
>> considerations for QUIC clients", IMHO that belongs in the IETF, not the
>> IRTF.
>>
>
> Not disagreeing with either of you here. Although perhaps I was thinking
> more broadly that QUIC-specific concerns, and something more like "privacy
> considerations of long-lived and resumable connections for protocol design
> and user agents". This to me would appear to me to fit some of PEARG's
> charter goals such as: "Formulate better models for analyzing and
> quantifying privacy risks", "Offer guidance on the use of emerging
> techniques and new uses of existing ones", and "engage with other
> organisations e.g. PETS, SOUPS, W3C and the Privacy Interest Group
> therein". Others could disagree with me, and I'd encourage them to express
> an opinion so we can figure it all out. I guess I was speculating that the
> process of work in an RG might actually help us determine the right type of
> text (if anything) that should be written for affected protocols. That
> could provide input into concrete consideration for protocol designers or
> deployers, best written in an IETF WG. The best place for QUIC work is this
> WG.
>

This all seems very reasonable to me. The other question is about timing -
how urgent do people think this guidance is?

Christian characterized "if you don't want to be tracked when you migrate,
you probably shouldn't migrate" as a classic mitigation, and I'm also
wondering if we still have the classic level of concern about traceability.
If our level of concern has been increasing, that might make things more
urgent. But as you said, it's good for us to encourage other people to
express an opinion.

Best,

Spencer


> Cheers,
> Lucas
>