IETF Logo Mail Archive

Re: [urn] Stephen Farrell's Abstain on draft-ietf-urnbis-rfc2141bis-urn-21: (with COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 02 March 2017 16:57 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31457129515; Thu, 2 Mar 2017 08:57:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOhZVG98bu-U; Thu, 2 Mar 2017 08:57:18 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D53012951A; Thu, 2 Mar 2017 08:57:17 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id AB407BEEA; Thu, 2 Mar 2017 16:57:15 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nzvq38WJiWaF; Thu, 2 Mar 2017 16:57:15 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 0B2E2BE8E; Thu, 2 Mar 2017 16:57:15 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1488473835; bh=GKx53LLdHPiC11GUiE0jXiPPEu7SDKzVp4YRejVqrs0=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=netKnoZCT2LOscLaiM9lfOtQSR3+MBsADXxmjEKSDq6nmlEme7TcUZ1QFmMIh4e3E 6RERQR8ZAiTZIR5djCBcHSF5dhTS3fmtxb7Wm97RtUBJ+riCeFayLK+XTngC7Ft+Rc KmTKJTgUOrRvmtZFGJ+lD1pU0qmxsAbZ3WEX4njE=
To: John C Klensin <john-ietf@jck.com>
References: <148832863670.29552.9014381848292739838.idtracker@ietfa.amsl.com> <68d0ad57-9ba0-beb2-2fe4-2f036fce3e93@stpeter.im> <836b3132-def8-0534-487a-bc78b69ee82c@cs.tcd.ie> <BFFE81EB342F7B722E788428@PSB> <2cd348ce-1378-ddf7-574a-73283709999c@cs.tcd.ie> <9499477E8333E7F4AB7E0101@PSB>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <cac6ea0e-ab9c-1add-3437-922f05c5b933@cs.tcd.ie>
Date: Thu, 02 Mar 2017 16:57:14 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <9499477E8333E7F4AB7E0101@PSB>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="qs3Nd9j8JTehevh8i7iURnNtMINpXROFm"
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/Owh9a8t-3JimJFDVY_Hu4koFKOk>
Cc: barryleiba@computer.org, draft-ietf-urnbis-rfc2141bis-urn@ietf.org, The IESG <iesg@ietf.org>, urnbis-chairs@ietf.org, urn@ietf.org
Subject: Re: [urn] Stephen Farrell's Abstain on draft-ietf-urnbis-rfc2141bis-urn-21: (with COMMENT)
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 16:57:21 -0000


On 02/03/17 15:45, John C Klensin wrote:
> Stephen,
> 
> If you want to craft some text and tell us where to put it, I'd
> appreciate it.  Noting that there is already a template
> requirement for security and privacy information and the DE team
> is charged with reviewing those templates for completeness, 

Sure. I'd suggest the following change in 6.4.4:

OLD:

   o  Various issues discussed in the guidelines for security
      considerations in RFCs [RFC3552] and the privacy considerations
      for Internet protocols [RFC6973].

NEW:

   o  Various issues discussed in the guidelines for security
      considerations in RFCs [RFC3552] and the privacy considerations
      for Internet protocols [RFC6973]. In particular note the
      privacy considerations text in [RFC7254] which may provide
      a useful model for such cases.

And adding 7254 as a reference as well.

If Peter or someone wants to suggest more text, that'd also be
fine by me.

Cheers,
S.

> I
> think it is important that such text be as extensive as needed
> but no longer and, in particular, that it not add to the
> redundancy that you and Alissa have complained about any more
> than necessary.
> 
> thanks,
>    john
> 
> 
> --On Thursday, March 2, 2017 14:33 +0000 Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
> 
>>
>> Hi John,
>>
>> For context (that I'm sure isn't needed for some of you,
>> but will nonetheless spell out just in case:-), as I'm
>> an abstain ballot, I'm not blocking this, but I am happy
>> to chat of course.
>>
>> That said, yes, I think it would be good and sufficient
>> to highlight the need for privacy to be considered as
>> part of evaluations here, and I'd also hope that the IESG
>> when appointing DEs keep that in mind. I also agree that
>> there's a danger here of trying to police things too
>> much, hence my reference to rfc6919 and it's fine concept
>> of "MUST (but we know you won't)" that is worth avoiding
>> in any text we add about privacy.
>>
>> Anyway, yes I think a bit more text that emphasises that
>> there can be (for some folks, unexpected) privacy issues
>> here and a pointer to the example of rfc7254 should be
>> fine.
>>
>> If it helps for me to try help craft a bit of text along
>> those lines, I'm happy to help with that, but I'm also
>> happy for the folks involved to just do that if they so
>> choose.
>>
>> Cheers,
>> S.
>>
>> On 02/03/17 13:35, John C Klensin wrote:
>>>
>>>
>>> --On Thursday, March 2, 2017 08:11 +0000 Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie> wrote:
>>>
>>>>> Perhaps you could clarify what some of your concerns are
>>>>> here, above and beyond the use of URIs in general (after
>>>>> all, a URN is a URI). Reading between the lines, I imagine
>>>>> you might be worried that URNs within a particular URN
>>>>> namespace (e.g., for U.S. Social Security Numbers or the
>>>>> like) - once suitably resolved into one or more URLs -
>>>>> might enable an attacker to determine a person's physical
>>>>> location (e.g., via IP address) or actual identity (e.g., a
>>>>> pseudonym could "resolve" to a real name). Are these
>>>>> guesses on the mark?
>>>>
>>>> Yep. Perhaps things like including an IMSI or IMEI (or
>>>> values easily correlated with such) in the NSS part is
>>>> what it'd useful to call out. I'm not sure if there are
>>>> real examples of such in existing URNs but if there were
>>>> it'd be a fine thing to note that including such things
>>>> imposes (often unmet) requirements for e.g. confidentiality
>>>> on protocols and applications that use those URNs. If
>>>> may also be useful to say that things like hashing the
>>>> privacy sensitive value before inclusion in the URN don't
>>>> prevent correlation and can be as "good" for
>>>> re-identification as the non-hashed value.
>>>>
>>>> The argument to include text here is that it seems to be
>>>> very tempting to include that kind of information for many
>>>> folks.
>>>
>>> Stephen,
>>>
>>> It seems to me that the possibility of creating URNs that
>>> could disclose private, or personal-information-tracing,
>>> information is not an issue with URN symtax and definitions
>>> but with what namespaces are created (and NIDs registered).
>>> In principle (and as others have suggested), that issue could
>>> apply to any URI and to most other identifier types that can
>>> be used on the Internet. For URIs, even if the domain is
>>> fixed a simple search using a URI query can disclose personal
>>> location or other private information if the search
>>> parameters are then harvested and/or stored, which I
>>> understand to be a common practice.
>>>
>>> Two observations about this issue wrt the present document:
>>>
>>> (1) The NID registration approval process and associated
>>> protections.
>>>
>>> Because of the diversity of the issues involved, the intent of
>>> the WG was that Expert Review of URN NID registration
>>> proposals would never rely on a single individual but on a
>>> team with different perspectives, working together.  As I
>>> reread the draft just now, while that team idea is strongly
>>> hinted at, perhaps it should be made more explicit (if you
>>> think so, text would be welcome).  In any event, appointment
>>> of designated experts (individually or as a team) is under
>>> control of the IESG.  It seems to me that it would be
>>> entirely appropriate for the IESG to include a privacy expert
>>> on that team if you (collectively) believe that would be
>>> helpful.  
>>>
>>> Projecting a bit from other experience, a focused discussion
>>> about potential problems with a particular proposed namespace
>>> (including but not limited to privacy issues) is much more
>>> likely to lead to understanding and, where plausible,
>>> mitigation of those problems than some sort of general
>>> statement in a registration specification.   The comments in
>>> the I-D about team efforts and parties working together "in a
>>> spirit of good faith and mutual understanding" are
>>> specifically intended to facilitate such discussions.  Given
>>> the RFC 7254 example (and your ultimate "No objection"
>>> position on it), it is hard to imagine the new procedure
>>> working less well to prevent privacy problems than the
>>> current "IETF Consensus" arrangements.
>>>
>>> I also note that the registration template explicitly calls
>>> for consideration of security and privacy issues in
>>> namespaces and namespace registrations.  That should be a
>>> considerable improvement from your standpoint over the
>>> language of RFC 3406.
>>>
>>>
>>> (2) Namespace registrations and the Protocol Police
>>>
>>> URN namespaces and the identifying NIDs are as, or more,
>>> easily used without formal IETF approval or registration than
>>> URI scheme names, media types, and many other identifiers.
>>> The Protocol Police have been quite ineffective in preventing
>>> or punishing such actions.  If we create barriers to
>>> registration that seem burdensome and/or frustrate people
>>> from what they "want to do", experience indicates that the
>>> registration procedure, and perhaps syntax and other
>>> restrictions, will simply be ignored.   
>>>
>>> RFC 7254 may be a good example here too: if GSMA really
>>> believed that they needed a namespace of that type and that
>>> the IETF had said "no, you can't have one because it might
>>> lead to disclosure of personal information", the only two
>>> outcomes I can imagine are that they would have gone ahead
>>> and used an unregistered URN namespace or that they would
>>> have picked out some other identifier over which the IETF
>>> does not claim authority. Neither would provide significant
>>> additional privacy.  I find it very hard to imagine that they
>>> would have simply given up and conclude that no such
>>> identifier collection or namespace was needed.
>>>
>>> Rather than try to create prohibitions that we cannot enforce,
>>> the new registration procedures are intended to facilitate
>>> discussions in which our experts can use our expertise to shed
>>> light on issues and identify and mitigate problems where
>>> possible while encouraging the registrations themselves.  The
>>> latter, if nothing else, reduces the odds of duplication of
>>> supposedly-unique identifiers.  Avoiding such duplication is
>>> an important operational and security issue, at least IMO.
>>>
>>> best,
>>>    john
>>>
>>>
>>>
>>
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email