Last Call Review of draft-hardie-privsec-metadata-insertion-05

Request Review of draft-hardie-privsec-metadata-insertion
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-02-21
Requested 2017-01-24
Authors Ted Hardie
Draft last updated 2017-02-07
Completed reviews Opsdir Last Call review of -05 by Ron Bonica (diff)
Genart Last Call review of -06 by Stewart Bryant (diff)
Secdir Last Call review of -05 by Yoav Nir (diff)
Tsvart Last Call review of -05 by Michael Tüxen (diff)
Genart Telechat review of -06 by Stewart Bryant (diff)
Genart Telechat review of -07 by Stewart Bryant (diff)
Assignment Reviewer Yoav Nir
State Completed
Review review-hardie-privsec-metadata-insertion-05-secdir-lc-nir-2017-02-07
Reviewed rev. 05 (document currently at 08)
Review result Has Nits
Review completed: 2017-02-07
The document is well-written and understandable, but a few things about it seem wrong:

Section 3 describes data minimization as "one of the core mitigations for the loss of confidentiality". However, the only example given where data minimization is used to mitigate confidentiality loss is when browsers suppress cookies in private mode. The rest of the examples given (HTTP proxies, recursive DNS, VPN) are such where the data minimization is incidental to some other function. Nobody deployed the HTTP proxy or the DNS server in order to enhance privacy.

The HTTP proxy example in particular is not convincing. HTTP is designed to work without proxies. Any data minimization provided incidentally by a proxy is nothing that can be counted on, so a prohibition on restoring said data (especially in the case of a server-side load balancer) is just not convincing. OTOH, in DNS, recursive resolvers that hide the origin IP of the client are the norm: authoritative servers hardly ever get to see the real addresses of clients. In that case, exposing the real IP address of the client shows data that was not there before.

I believe the text should differentiate between cases where a network element is not part of the normal function of the protocol and works to undo the accidental data minimization that it causes, and cases where the network element is expected in the protocol and thus the minimization is expected as well. I think the prescription in the text applies to the latter. I am not convinced about the former.

The VPN example is a strange one. If the subject is a corporate VPN, then restoring the original IP addresses is the function of the VPN. If, OTOH, VPN is that service that allows people to watch Hulu outside of the US, then restoring the IP address would be counter-productive. It is also strange to see VPN used as an example of "systems whose primary function is not to provide confidentiality".