Re: recommendation against publication of draft-cerpa-necp-02.txt

[Vernon Schryver <vjs at calcite.rhyolite.com>]

I tried to send this earlier, but got a response from
Majordomo-Owner at ietf.org complaining that every line is a bogus majordomo
command.  My logs say I sent to ietf at ietf.org and not majordomo at ietf.org
or anything smilar.  I did use the word "s-u-b-s-c-r-i-b-e-r-s" 3 times.
This time I've replaced all with "[users]".

I suspect a serious or at least irritating bug in a defense against stupid
"u-n-s-u-b-s-c-r-i-b-e" requests.  If I'm right, then someone needs to
stop and think a little.



> From: Keith Moore <moore at cs.utk.edu>


> > That's an interesting idea.  People might eventually finally start
> > using end2end crpyto not for privacy or authnetication where they

> or ISPs might start penalizing encrypted packets.

Why not?  ISP's that figure that last week's or even this morning's Wall
Street Journal front page is good enough might well charge more for traffic
that goes outside their networks to get the current WSJ, or the WSJ with
the Doubleclick ads that Dow Jones prefers.

I wonder how long before an ISP with a transparent proxy uses it to modify
the stream of ads, replacing some with more profitable bits.  It's not as
if "commercial insertion" is a new idea.  The local TV affliate or cable
operator's computers replace a lot of dead air and other people's ads with
their own....as I think about it, I realize I've got to be behind the
times.  I bet many of the so called free ISP's and perhaps others must
already be optimizing the flow of information to their [users].  There's
only so much screen real estate and conscious attention behind those
eyeballs.  They'd not want to be blatant about it, unlike "framing", to
avoid moot excitment among lawyers and [users].  If you must pay for your
[users]' web surfing by posting ads, where better but on top or instead
of other people's ads?


> I just don't buy the argument that we can solve these problems by
> adding more complexity.  That's like saying that a country can 
> get more security by building more planes, tanks, bombs, etc.
> It might work, but then again, it might fuel an arms race.

You've written today about the complications of simplistic solutions to
problems that are not as simple as they sound.  You're right, of course.
The reasons why no one uses real encryption now do not include it being
free or as easy as not using it.

For example, simply using HTTPS if you want to read the WSJ without local
improvements might not be a good enough, depend on how much you can trust
that the public key you get from the nearby PKI servers really belongs to
Dow Jones and not the local ministry of information.  What?--you say the
public key infrastructure is invulnerable to bureaucrats in the middle
with very large purses and bigger sticks?--well, if you say so...

The problem with transparent proxies is that they are men in the middle,
and so are very good at wire tapping, censoring, and improving information.
And even harder to trust.  Stealth proxies are vastly more powerful than
remote controlled taps on everyone's routers and PBX's.


Vernon Schryver    vjs at rhyolite.com