- From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
- Date: Thu, 08 Aug 2013 19:33:25 +0200
- To: Frank.Dawson@nokia.com
- CC: hannes.tschofenig@gmx.net, public-privacy@w3.org
Hi Frank, On 08/08/2013 06:48 PM, Frank.Dawson@nokia.com wrote: > Hei Hannes. > <snip/> > >> Just a minor remark on the confidentiality aspect: >> >> In RFC 6973 we re-use the terminology from RFC 3552: >> http://tools.ietf.org/html/rfc3552#section-2 > > <snip/> > >> The NIST SP 800-53 uses confidentiality in a much broader sense; it >> seems to include aspect that we cover under "Stored Data >> Compromise". >> > <frank/> That is my point. By referencing RFC3552 you are using > semantics from infosec, not infopriv. RFC6973 should be about > information privacy semantics. One of the largest faux pas in current > privacy industry discussions is the use of infosec semantics for same > terms used in infopriv. We have to transpose the use of the term into > the privacy usage. Confidentiality has a specific meaning in privacy > that is different than in security. We have to take the knowledge of our audience in mind and there is a lot of awareness regarding communication security in the IETF. Folks are familiar with the terminology. Confidentiality, as used in the communication security field, is an important technique to meet certain privacy goals. With the recent NSA/Prism discussions this importance is additionally highlighted. > > <snip/> > >> PS: Regarding the earlier remark about mandating a privacy >> consideration section. This document is work done by the Internet >> Architecture Board (IAB). The IAB cannot enforce such a mandatory >> inclusion of a privacy consideration section since the IAB is not >> the document approving body for the IETF document stream. It is as >> simple as that. >> > <frank/>I am not sure that the IAB has no authority. They pay the > bills of the IETF. Also, this could have been done by making it a > SHOULD. According to RFC2119, implementors need to indicate WHY they > did not follow the SHOULDs also. This would have been a good first > step. I think this has strong support with many in the W3C PING > also. Actually, the IAB does not pay the bills. The money comes from meeting fees and (to a large extend) from ISOC. The RFC 2119 terminology refers to interoperability and is not meant for process requirements (although people misuse it that way). Nevertheless we could have written it the way you suggested but I believe the other approach is better. > > I got through about 1/3 of your and Aleecia's Privacy Tutorial from > Berlin IETF. Then a very unusual thunder shower (compared to thunder > storm) came through Southlake, Texas and we had a power surge/brown > out. Will get back to finishing the viewing later. I liked the strong > participation from the audience. The topic was very well received by > IETF participants. Can you post the slide deck (with updates) on IETF > or IAB document site and share the URL with us here in W3C? The slide deck can be found here: https://github.com/hannestschofenig/tschofenig-ids/blob/master/PrivacyTutorial/iab-privacy-considerations.pptx?raw=true Of course we haven't yet incorporated the feedback. As you noticed, we got lots of feedback and it will take a while to incorporate it into the slide deck. Please also note that the audience was selected from a smaller pool of IETF participants, primarily working group chairs participated in the 'trial' run. We wanted to get some feedback first before approaching the wider IETF community. Ciao Hannes > > Frank/ >
Received on Thursday, 8 August 2013 17:33:40 UTC