Re: [TLS] Please discuss: draft-housley-evidence-extns-00<

[<home_pw@msn.com>]

Martin,

I don't why the claim on the EU Directive is true, as TLS 
Evidence contains a mandatory "opt-in" mechanism. And, I 
assert, neither of the authors is arguing their case very 
well in the document or their explanations given this is a 
transnational audience.

> OK, I'll try to make it short:
>
> There is absolutely NONE, ZERO, NIL chance that this can 
> be used
> in customer<->business relationsships in the European 
> Union, because
> it is incompatible with the EU data protection directive 
> in many ways.
>

Despite pro forma optin mechanism compliance, its normal in 
US practice for US companies to subvert the Euro-intent on 
such opt in regimes using safe harbor and other procedural 
tricks : in the US, you will find that as a consumer one 
cannot connect to one's commodity service provider if you 
FAIL TO AGREE TO OPT IN to the data retention policy.

US practice on "privacy-regime subversion" goes further: the 
politics of Federal and State governments often manipulate 
public policy (usually and LEGITIMATELY by funding mandates) 
so that the insurers inevitably set the audit/practices 
standards so all providers REQUIRE the retention policy, 
thus subverting the consumer-protective optin policy intent, 
set by the EU Directive. but its America! They get to do 
what they want, too, for their own consumer standards!

This is just like today: phone a US health account insurer 
to discuss a claim, and it will tell you they are recording 
the call "for quality purposes". You can opt out, and thus 
the provider will simply drop the call, interdicting "phone" 
support... Your optin choice! Of course, it's a semantic lie 
(the "quality" part; its their to collect evidence of your 
claim fraud...); but this is reality for consumers. If YOU 
don't drop the call your side, post notification, you have 
accepted their policy by failing to opt out. The legal 
presumptions have been set to suit this bias, in the US 
sphere. And, we just say a manual legal-obligation passing 
protocol in effect. Could TLS Evidence do the same, for the 
web-equivalent via https? That is the real question the 
authors are posing.

note, I'm not saying to IETF: don't do TLS-Evidence-type 
obligation passing protocols: I cant, having proposed them 
myself in similar forums, and can see great value in 
instrumenting privacy policy (and other 
"battle-of-the-terms" negotiations.

But, on "wiretapping", we ALL ON THE SAME SIDE, we have to 
move beyond good/evil level debate over 
wiretapping/data-retention etc. As US govt policy has clear 
given ground - by acceding to decent confidentiality 
channels in standards - we have to reciprocate and thus move 
the privacy debate on... beyond "sticks and stones" grade 
name calling debates of the last 20 years.

TLS Evidence is broken in terms of SSL architecture; but it 
can be fixed. The only question is, do we want to, and is it 
the right timing? For example, should IETF simply wait 2-3 
years until the US national id card debate is more settled, 
first?

> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
> 

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls