Hi Stephen, Please see inline.
Cheers, Med >-----Message d'origine----- >De : Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] >Envoyé : vendredi 6 juin 2014 17:59 >À : BOUCADAIR Mohamed IMT/OLN; Ted Lemon >Cc : Brian E Carpenter; ietf-privacy@ietf.org; int-a...@ietf.org >Objet : Re: [Int-area] [ietf-privacy] NAT Reveal / Host Identifiers > > >Hi Med, > >On 06/06/14 12:41, mohamed.boucad...@orange.com wrote: >> [Med] I'm not sure about this Ted. There are other initiatives that >> try to solve the issue for particular use cases, see for instance >> this effort for HTTP: >> http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10. The >> rationale of the "host identifier scenarios" document is to group all >> use cases suffering from the same problem instead of focusing on one >> single case. This allows having a big picture view of the problem >> space. > >I think XFF is actually a good example of why we ought not adopt >this work. [Med] I provided "Forward" as an example to illustrate there is a need to have a big picture view rather than focusing on specific use case. This draft does not suggest to adopt XFF or Forward at all. There is a need to understand the problem space and identify deployment scenarios where encountering complications. > >XFF is widely deployed already but somewhat flakey in terms of >interop so the authors of the above draft aimed to produce a spec >that just addressed interop. (*) That was adopted by an area WG >without (IMO) ever really considering the privacy implications, >and definitely without any effort having been made to develop a >more privacy-friendly mechanism (which could have been done, again >IMO) to solve what were the claimed use-cases. [Med] Wouldn't be this effort an opportunity to promote those solutions you are advocating for? The proxy use case (not limited to HTTP) is listed as a typical scenario. If there are other better solutions that solves your privacy concerns, why not documenting them? By the time it >got to the IESG that was in practice unfixable and after some >fairly painful discussions it ended up with 4 abstain ballots, >including mine. [1] (For those who quite reasonably don't need >to care about IESG balloting, an abstain means approximately >"yuk.":-) > >Of course that all also pre-dated BCP188 and the last year's >shenanigans so I'd hope we have learned to not keep doing that. > >I'd be delighted if those who could get a better solution >implemented/deployed were to attempt to try to address the >privacy issues with XFF but it seems that at least in that >case relevant folks don't care (sufficiently;-) deeply about >our privacy to go do that. > >S. > >[1] >https://datatracker.ietf.org/doc/draft-ietf-appsawg-http-forwarded/ballot/ > >(*) To be clear: I think the authors were genuinely just >trying to fix what they saw as an interop problem. _______________________________________________ ietf-privacy mailing list ietf-privacy@ietf.org https://www.ietf.org/mailman/listinfo/ietf-privacy