Re: [Nea] privacy: exposing information to owner

On 11/15/06, Keith Moore <moore at cs.utk.edu> wrote:
I don't agree with your assessment.

But that is the scope of the charter. Enterprises, including corporations, academic institutions, non-profits, and government entities, where the network is wholly owned by the enterprise have the right within local laws to ask whatever they want. That is their local policy. You as a user, say a contractor, guest, or employee, have the right to accept or decline their policy. That is your local policy. If you are on a remote network and your computer is controlled by your enterprise, they have the right to say what will and will not be disclosed. That is a matter for your employer's policy. The output of the NEA needs to provide ways to account for the different stakeholders without dictating local policies.

Besides, this is nothing new. Having guest users agree to an AUP is
fairly standard practice. The NEA simply facilitates the granting of
access.

> The endpoint should have a policy about what information it is
> willing to disclose and to whom. The network should have a policy
> about what information it requests, whether it will divulge its
> policies, and what access it is willing to grant.

Strongly disagree with all of the above.  For the most part, users
aren't sophisticated enough to determine what the policies on their
hosts should be.

That is beside the point entirely. While vendors should make it easy for end users to make a determination about what data to share, there is no reason to compel them to do so. And even if there was a reason to compel them to do so, then you're talking UI features, which I think are out of scope. Perhaps a best practices document would be helpful to provide guidance in cases like this, but they are not show stoppers.

> If we're concerned about naive users, we can require that endpoints
> ship with NEA disabled and require explicit approval and
> administrative privileges to enable it or configure policy.

doesn't solve the problem.

Because there is no problem to solve. Acceptance of interrogation is a matter of agreeing to local policies. If the network policy is to assess a host and your, or your employer's, policy is to refuse assessments, then it is up to the network owner to decide what to do with your computer. There is no implicit right for a computer user to connect to a network.

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.