Re: [Spud] Whats missing in SPUD (was: Re: Multipath/Mobility (was Questions based on draft-trammell-spud-req-00))
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 10 August 2015 20:32 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id A67531B3DD8
for <spud@ietfa.amsl.com>; Mon, 10 Aug 2015 13:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.81
X-Spam-Level:
X-Spam-Status: No, score=0.81 tagged_above=-999 required=5
tests=[BAYES_50=0.8, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id we8y-OiLwLfs for <spud@ietfa.amsl.com>;
Mon, 10 Aug 2015 13:32:50 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])
by ietfa.amsl.com (Postfix) with ESMTP id CB78A1B3DD4
for <spud@ietf.org>; Mon, 10 Aug 2015 13:32:49 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130])
by che.mayfirst.org (Postfix) with ESMTPSA id AE1DFF984;
Mon, 10 Aug 2015 16:32:47 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000)
id 649F320057; Mon, 10 Aug 2015 22:32:37 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Toerless Eckert <eckert@cisco.com>,
Christian Huitema <huitema@microsoft.com>
In-Reply-To: <20150810184444.GB16123@cisco.com>
References: <20150810184444.GB16123@cisco.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1
(x86_64-pc-linux-gnu)
Date: Mon, 10 Aug 2015 16:32:37 -0400
Message-ID: <87lhdirije.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/s-Q_UNQ9auCVa0HbivHJPP3CMcE>
Cc: spud@ietf.org
Subject: Re: [Spud] Whats missing in SPUD (was: Re: Multipath/Mobility (was
Questions based on draft-trammell-spud-req-00))
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 20:32:51 -0000
On Mon 2015-08-10 14:44:44 -0400, Toerless Eckert wrote: > "Here is your new ID card". > "Why would i want to have an ID card, everybody who checks ID cards is evil" > "You do not have to show your ID card if you don't want to" > "Lets go to the bar" > "ID card please" > "Booze or anonymity... that's the question" > "Lets choose booze" Have you ever tried to go to a bar where they require you to scan your full ID into their targeted advertising database in order to step inside for a pint with a friend? [0] They say they're asking this information for the purpose of avoiding alcohol service to underage people. The full ID scan (at least where i live) contains legal name, home address, biostats (height, weight, hair, eye color), date of birth, license number, physical impairments, etc. The bar says "we need to know whether you can legally drink" (a boolean value) and instead collects a timestamped, identity-mapped, rich-characteristic profile of every individual who enters the establishment. You're right, of course, that most people in such a situation will choose booze over their own privacy. i won't go into the number of reasons that people feel compelled to make this choice unless i get a signal from the chairs that this kind of behavioral analysis is on-topic for the list. But the fact that many people are willing to make this tradeoff is not a legitimate excuse to design a system that encourages the tradeoff to be made this way. That exchange is fundamentally a bad deal for the user, even if we accept as a given that a bar needs an automated mechanism that allows it to distinguish legal drinkers from underage drinkers. Users shouldn't be forced into trading off privacy for network access any more than they should be forced into trading off privacy for security [1], and we shouldn't design mechanisms to encourage this false trade. > So, whats missing in SPUD (or any prior endpoint<->network) signaling > is the signaling element "If you do not show ID card, you will not get > booze" or "if you do not use a cross-subflow Tube-ID, your > load-sharing, mobility or multipath performance will suck or not > work". This is *exactly* what i'm concerned about with SPUD. Full user identification is overkill for detection of who is allowed to drink (or who is allowed to use the global network); it is a disaster for user privacy, and a total bonanza for a would-be pervasive monitor. We're suposed to be pushing back on that kind of thing, right? https://tools.ietf.org/html/rfc7258 https://tools.ietf.org/html/rfc6973 Formalizing this practice would put any network operator in the position of the overzealous bar-operator/marketer: "give me your ID card via SPUD to be able to send or receive traffic", not to mention criminals looking for a home address to burgle based on who's out at the local cafe, nation-states looking to repress their own citizenry, or spy agencies fetishizing the need to "collect it all". > Using the same Tube-ID is just one example. This interaction really > applies to any possible signaling element: The anonymity freak will > argue to his death that he doesn't want to provide information to the > network... unless the network can persuade him that the benefit of > showing outweights the loss of anonymity. We should not be designing protocols that encourage users to give up any amount of anonymity to the network without compelling engineering argument (and evidence!) that the anonymity they give up is necessary to the effective operation of the network. Otherwise, we're building a network that is designed to encourage its users to accept this fundamentally bad deal in a place that is today far more critical to civic interaction than a bar. I will accept the label of "anonymity freak" if it means i am concerned about the social impact of a thoroughly-surveilled society. Thanks for the good example. Regards, --dkg [0] fwiw, i have been to a bar that has this requirement. I have not returned to that bar. [1] https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html
- [Spud] Whats missing in SPUD (was: Re: Multipath/… Toerless Eckert
- [Spud] Whats missing in SPUD (was: Re: Multipath/… Toerless Eckert
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Ted Hardie
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Toerless Eckert
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Ted Hardie
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Toerless Eckert
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Christian Huitema
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Daniel Kahn Gillmor
- Re: [Spud] Whats missing in SPUD (was: Re: Multip… Toerless Eckert
- Re: [Spud] Whats missing in SPUD Daniel Kahn Gillmor
- Re: [Spud] Whats missing in SPUD Toerless Eckert