quicwg / base-drafts

Internet-Drafts that make up the base QUIC specification
https://quicwg.org

"External observers" is undefined #3448

Closed martinthomson closed 4 years ago

martinthomson commented 4 years ago

From email:

Connection IDs MUST NOT contain any information that can be used by an external observer (that is, one that does not cooperate with the issuer) to correlate them with other connection IDs for the same connection. I think it's worth paying particular attention to the phrase "external observer" as that is defined nowhere else in the RFC and, at least as far as I'm concerned, can be used by companies whose primary source of income involves tracking people and selling access to data gleaned from tracking people, since they might be able to claim that they are not an external observer.

This seems like we can avoid confusion with a simple s/external observer/entities other than endpoints/. However, we need to be careful to allow load balancers to do this at some level.
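The distinction the thread turns on (a load balancer that cooperates with the issuer can decode routing information from a connection ID, while an observer without the shared key sees nothing linkable) can be made concrete. The following is an added illustration, not code from the quicwg drafts or from QUIC-LB; it uses a constructed HMAC-based mask over a per-CID nonce, and assumes a key shared only between the server and its load balancer.

```python
import hashlib
import hmac
import secrets

# Constructed layout: config octet || nonce || masked server id
SERVER_ID_LEN = 4
NONCE_LEN = 8
CONFIG_OCTET = b"\x01"  # identifies which LB configuration/key is in use


def mask(key: bytes, nonce: bytes) -> bytes:
    """Keyed pseudorandom mask for one nonce; only holders of `key` can recompute it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:SERVER_ID_LEN]


def issue_cid(key: bytes, server_id: bytes, nonce: bytes = b"") -> bytes:
    """Server side: mint a fresh CID that encodes server_id for the cooperating LB.

    A fresh random nonce per CID means two CIDs for the same connection carry
    no visible common bytes beyond the config octet.
    """
    if len(server_id) != SERVER_ID_LEN:
        raise ValueError("server id must be %d bytes" % SERVER_ID_LEN)
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    masked = bytes(a ^ b for a, b in zip(server_id, mask(key, nonce)))
    return CONFIG_OCTET + nonce + masked


def lb_route(key: bytes, cid: bytes) -> bytes:
    """Load balancer side (cooperates with the issuer, holds the key): recover the server id."""
    nonce = cid[1:1 + NONCE_LEN]
    masked = cid[1 + NONCE_LEN:1 + NONCE_LEN + SERVER_ID_LEN]
    return bytes(a ^ b for a, b in zip(masked, mask(key, nonce)))


def observer_shared_bytes(cid_a: bytes, cid_b: bytes) -> int:
    """What an external observer (no key) can compare: equal bytes after the config octet.

    Without the key the nonce and masked field look unrelated across CIDs, so this
    count carries no information about whether they belong to the same server.
    """
    return sum(1 for a, b in zip(cid_a[1:], cid_b[1:]) if a == b)
```

Running `lb_route` with the wrong key yields a different, meaningless server id, which is the property the thread's "cooperating with the issuer" qualifier is trying to capture.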

ekr commented 4 years ago

Right. The purpose of this language was to differentiate LBs and other associated entities.

I don't understand the problem here: the parenthetical defines "external observer" clearly, and yes, it would exclude entities whose business it is to track people as long as they are cooperating with the issuer. That may not be the kind of tracking we want but it's the requirement we can actually levy here.


debdrup commented 4 years ago

Thanks for pointing me here, Martin. :)

Cooperation, to me and seemingly according to the second definition of Merriam-Webster, seems to imply that even just two parties (one first-party and one third-party, for example) are cooperating on something, especially considering the example underneath given involves trade and economy.

ekr commented 4 years ago

On Tue, Feb 11, 2020 at 6:31 AM D. Ebdrup notifications@github.com wrote:

Thanks for pointing me here, Martin. :)

Cooperation, to me and seemingly according to the second definition of Merriam-Webster https://www.merriam-webster.com/dictionary/cooperation, seems to imply that even just two parties (one first-party and one third-party, for example) are cooperating on something, especially considering the example underneath given involves trade and economy.

I agree with your definition, but I don't understand your point.

janaiyengar commented 4 years ago

I agree with ekr here -- the definition is clear in the parenthetical, and I don't see a reason to change the text.


debdrup commented 4 years ago


My point in the initial email to Martin was that the language seems to provide for companies to share Connection ID data, or data derived from it, with third parties - so long as the companies have legal contracts defining that they are cooperating. That doesn't seem, to me at least, to be a good idea when a bit of more precise use of language (such as the regular expression above by Martin, with a modification to allow for load-balancers, as rightly pointed out) could very easily nip it in the butt, as it were. :)

ekr commented 4 years ago

On Tue, Feb 11, 2020 at 7:05 AM D. Ebdrup notifications@github.com wrote:


My point in the initial email to Martin was that the language seems to provide for companies to share Connection ID data, or data derived from it, with third parties - so long as the companies have legal contracts defining that they are cooperating.

Yes, or without contracts for that matter. The point of "cooperating" is not to restrict commercial agreements but to technically define the privacy properties we expect CID construction to provide.

That doesn't seem, to me at least, to be a good idea when a bit of more precise use of language (such as the regular expression above by Martin, with a modification to allow for load-balancers, as rightly pointed out) could very easily nip it in the butt, as it were. :)

I'm not particularly a huge fan of tracking either, but that's not the issue here. We're not the protocol police and this text is not about setting business policy. It's a technical requirement to forbid designs which would be insecure.

debdrup commented 4 years ago

I guess that makes sense, and I don't really have an answer to it - I'm still just not sure about the phrasing, but there's nothing else I can come up with, beyond more precise language (which is one of the things I think RFCs are an excellent example of).

Thank you, at least, for taking the time to think about it.

martinthomson commented 4 years ago

Seems like we have covered this one. Closing with no action.