Re: [saag] Scope of draft-knodel-e2ee-definition

[Christopher Wood <caw@heapingbits.net>]

> On May 12, 2023, at 10:50 AM, Mallory Knodel <mknodel=40cdt.org@dmarc.ietf.org> wrote:
> 
> On 4/24/23 10:29 PM, Black, David wrote:
> 
>> Picking up on a response to EKR that it looks like he didn’t follow up on:
>>  
>> >> The text here seems extremely focused on Instant Messaging-type
>> >> applications and doesn't fit well with other protocols, even when they
>> >> provide end-to-end encryption. Either it should be scoped down to
>> >> Messaging or it should be adjusted to be more broadly applicable.
>> > 
>> > What other protocols does it not fit with? Wouldn't the same apply to
>> > video conferencing, audio streams, file exchange protocols, etc? Do
>> > you have an example of a protocol that falls outside the scope of
>> > this document?
>>  
>> The draft generally assumes that “users” are accessing “messages” that are transmitted via the protocol, which is a scope-limiting assumption.
> Yes-- messages + video + audio + media + email.


If that’s the case — and things like TLS are out of scope — then the intro could probably use some work. Specifically, in this paragraph:

   End-to-end encryption is an application of cryptography mechanisms and properties in communication systems between endpoints. End-to- end encrypted systems are exceptional in providing both security and privacy properties through confidentiality, integrity and authenticity features for users. Improvements to end-to-end encryption strive to maximize the user's security and privacy while balancing usability and availability. Users of end-to-end encrypted communications expect trustworthy providers of secure implementations to respect and protect them.

An endpoint could be a TLS client or server, for example. If the goal is to restrict this to E2EE at the application layer with things like messaging, video, etc, using keys that are known to human users, then the intro should likely be rewritten to sharpen and clarify this scope.

Best,
Chris