Re: [Nea] IETF67 NEA WG Meeting summary

[Keith Moore <moore at cs.utk.edu>]

-------- Original Message --------

> The risk is indeed easy to understand.  
>
> It needs to have a mitigation mechanism and we need a mechanism that
> allows the owner of a host to explicitly choose to undertake the risk or
> not.
>
> By way of mitigation measure we can articulate a requirement that the
> protocol MUST be capable of employing some authentication measure to
> determine who is asking for the information.
>
> We should also have a requirement that the protocol MUST be run only
> when authorized.  Meaning some mechanism in the host needs to explicitly
> allow the protocol to communicate information.  There MAY, additionally,
> be fine grained controls that authorize specific sub-sets of the
> information based on identity/anonymity of the requestor.  The
> authorization MAY allow that all requestors be provided the information
> requested.  This is perfectly appropriate for situations that have other
> mitigating measures.  For example a corporate server / desktop that is
> never expected to leave the building and / or be on any other network.
> As long as this is an explicit risk management choice made by the owner
> of the asset it should be fine.  

I disagree, for reasons given earlier.

It's not acceptable to allow an arbitrary network to ask arbitrary 
questions of a host, even if the user gets to control which questions 
are answered, because this provides a sufficient mechanism to coerce the 
user into giving up his privacy - either because the user doesn't 
understand the implications of his decisions (likely) or because the 
user doesn't, for practical purposes, have a choice (also likely).

Keith


_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea