Re: I-D Action: draft-pauly-httpbis-geoip-hint-01.txt

Hi David,

On Tue, Oct 29, 2024 at 10:04 PM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> you're asking us for a full analysis of the cause and impact of global
> warming before we can start designing an umbrella
>

This thread has turned up a number of requirements for your specific
deployment that were not described in the document, like lowering the
number of IP addresses in the pools to save money.  It has also shown
considerable flexibility in what the folks involved consider appropriate
geo-ip location data, with some indication that it would get more granular
and some indications that it would get less granular.  There have even been
some implications that there would be two or more levels of granularity and
some sort of user-driven choice.  When a document is not clear on this kind
of thing, you should expect searching questions.

Moreover, it appears to me that all of the arguments you are making are
tied to specific deployment plans in which some of the bits are, in fact,
not yet deployed.  That makes this even more difficult to analyze, because
the final deployments may differ significantly.

At the base, though, I am asking for more analysis because I think the
design you have put forward is very likely to be abused *in other
deployments*.  The restrictions on where to get the data have the usual
protocol police problem, and there is a very real risk that the requests
for this will impact the location privacy desired by users and delivered by
other sorts of VPNs.  If the VPN is configured at the OS level, the
browser or app may not realize that geo-ip data should not be shared.

And there is a very real risk of malfeasance here.  We all know that apps
and some websites used WebRTC features to get geolocation data that they
would not otherwise have had.  If there are location knobs to be twisted
here, we can and should expect them to be twisted as hard as possible as
folks try to get data that the users don't want to share.

I have suggested that we go back to considering the requirements because I
hope that there may be designs that deliver what you need without the risks
of the current design.

regards,

Ted Hardie

Received on Wednesday, 30 October 2024 15:44:31 UTC