Re: [Nea] privacy: exposing information to owner

[Keith Moore <moore at cs.utk.edu>]

-------- Original Message --------

> This comment highlights the fact that there is a lot of variation in
> what information should be disclosed.
>
> On military networks, it's entirely appropriate for the network to
> require a complete and verifiable inventory of software on the
> endpoint (maybe also information about recent activity,
> configuration, etc.). The network will probably not be willing to
> divulge its access policies.
>
> On open access networks, no information should be required from the
> endpoint. Any participation in NEA should be purely voluntary and can
> involve the network sending its latest policy to the endpoint, which
> may respond at its discretion. No enforcement involved.
>
> Commercial networks lie somewhere in between. They may be willing to
> grant Internet access if no information is available on the endpoint.
> Access to corporate resources will probably require some information
> and the amount of information required will probably depend on the 
> sensitivity of the resources to be accessed (and on local
> regulations, as Pekka points out).
>
> It seems clear to me that this is an areas for local policy.

I don't agree with your assessment.  Just because a network to which a
host attaches might be run by (say) the military doesn't mean that it's 
reasonable for an Internet standard to facilitate an arbitrary level of 
surveillance or even to give the user a choice about how much 
surveillance is allowed.  I don't see any way to do this that will not 
result, in practice, in users being forced to compromise their privacy 
far beyond that which is reasonable.

> The endpoint should have a policy about what information it is
> willing to disclose and to whom. The network should have a policy
> about what information it requests, whether it will divulge its
> policies, and what access it is willing to grant. The requirement for
> the NEA standards should be that they describe the security and
> privacy concerns inherent in this system, describe how those concerns
> can be addressed, and require the protocols to include features that
> enable the endpoint and network to implement whatever policy they
> want. Then the endpoint and network owners can configure their 
> policies with confidence. One endpoint owner may disable NEA. Another
> may configure a policy of "Tell nothing but accept advice from my
> ISP". Others may decide to disclose OS patch info to their corporate
> servers only. The military owner may configure a policy to disclose a
> full inventory but ONLY to authorized servers.

Strongly disagree with all of the above.  For the most part, users
aren't sophisticated enough to determine what the policies on their
hosts should be.  This makes them vulnerable to invasion of privacy -
first as individuals, as naive users succumb to pressure from networks 
to grant more access than is necessary - and then market forces force 
even the more sophisticated users to either accept this privacy erosion 
for themselves or have their access severely limited.  I've seen it 
happen more times than I can count.

> For us to decide on a one-size-fits-all policy in this area would be
> impossible.

perhaps, but that might mean that there is no reasonable solution to the
NEA approach, and a very different approach is needed.

> If we're concerned about naive users, we can require that endpoints
> ship with NEA disabled and require explicit approval and
> administrative privileges to enable it or configure policy.

doesn't solve the problem.


Keith

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea