Greetings,
IMHO this discussion of whether the protocol will enable invasion of user's privacy is a non sequitur.
First of all, the NEA protocol is intended to allow the network to transport data between two endpoints on the network with one of these being a host and one of them being a server that will make the decision on what level of access to give to the host. Then the server also has a means to communicate with the network to tell it what access to allow the host and potentially a way to remediate "violations" to policy so that subsequent attempts at access can be allowed. Saying that the user information is exposed to the network is actually
There is nothing in the protocol that states WHAT the data being transmitted between the endpoints will be, that is going to be application specific. As Keith Moore pointed out earlier with his cookie example, just because a protocol is designed for one thing does not mean that it will not be used for other purposes. So what the protocol will do is allow a server to ask a host for ANY conceivable set of data from that host and allow this whole communication to happen in a secure network tunnel. With 802.1x as the Layer 2 protocol, the host does not have to have layer 3 connectivity to participate in this conversation. To me, this is the value of the protocol. What people will say using it and what decisions they will make based on what is said are completely beyond the scope of the protocol.
Saying that we are going to provide a tunnel for endpoints to communicate with each other over a standard protocol says nothing about what the content will be, what decisions will be made based on what data, or anything other than the fact that there is a channel for communications.
So if the IETF does not support any protocols that could potentially be used to transmit sensitive user data to others with or without that user's knowledge or assent, then perhaps IP should be eliminated as it too allows for the invasion of user's privacy. HTTP - check, let's eliminate that too. SSH or SSL? Those are secure but they do allow user's private information to be transmitted across that secure tunnel to another endpoint so guess we'd better eliminate those too.
Ooops, sarcasm now off.
Consider that several successive access attempts, with remediation sessions in between, can occur before a host gets admitted to a network. The first thing checked can be whether the host is trying to comply to the right policy, and the first remediation pass can update the policy to the desired one. There is also nothing to say that you could not specify several different policies, each with different requirements and different levels of network access based on compliance to them. So a user could get challenged and select which policy he wanted to comply with based on the level of access he desired, select the policy, get automatically remediated to comply with the selected policy and then be assigned the level of access indicated by the selected policy. It then becomes the user's choice about what he wants to reveal.
In my personal experience, you will end up with users plugging in and being redirected to something that says that they agree with some sort of text that specifies the terms of their network access. They will then accept the EULA and that will eliminate any privacy issues for the network owner. Of course, they will simply click on the EULA without reading it so they might unknowingly be agreeing to disclosing more than they want to.
I'd like the user experience to look something like this:
- User plugs into the network and is authenticated and assessed. Users are redirected to a web page that shows them the different levels of access they can select, what access levels are required for various purposes, and the privacy implications of selecting the various levels. When they select a level, they must agree to a EULA that says they understand the privacy implications of their decision.
- Once the user selects a level, that defines the policy requirements and then the iterative process of remediating and reassessment begins.
- Once the user is compliant to the selected level of policy, they are admitted and their access level is indicated.
The user could go to an entirely different network and have to comply with a different set of policies. He should have the option at either network to select what he wants to disclose based on what he wants to access.
This is not perfect but it is significantly better than what is currently available.
BTW, I'd like a little more clarification as to why you think that network owners do not have the right to ask their users anything that locally applicable rules allow. The IETF does not dictate privacy laws. A number of organizations sign contracts with labor unions that say that they cannot do things like monitor hosts to check on an employee's productivity or attendance. They are then legally and contractually obligated to protect that level of privacy. So if there is no applicable law and no contract that prevents the network owner from doing so, what is it that you think says they do not have the right?
Regards,
Frank Yeh
Keith Moore <moore at cs.utk.edu> wrote on 11/15/2006 12:46:11 PM:
>
>
> -------- Original Message --------
>
> > On 11/15/06, Keith Moore <moore at cs.utk.edu> wrote:
> >> I don't agree with your assessment.
> >
> > But that is the scope of the charter. Enterprises, including
> > corporations, academic institutions, non-profits, and government
> > entities, where the network is wholly owned by the enterprise have the
> > right within local laws to ask what ever they want.
>
> no they do not. I don't know where you get this idea, and I don't know
> why in the world you think IETF should bless any means to implement
> this. Nor do I understand why you think such a thing would ever meet
> the rfc 2026 requirements for standardization or get rough consensus
> from this community.
>
> we're here to do what's best for the Internet as a whole, not to build a
> surveillance mechanism to let networks spy on users. doing so is
> completely unacceptable. if that's what the WG thinks it's chartered to
> do, then the group should be shut down right now and stop wasting
> everyone's time.
>
> Keith
>
>
> _______________________________________________
> Nea mailing list
> Nea at ietf.org
> https://www1.ietf.org/mailman/listinfo/nea