Last Call Review of draft-hardie-privsec-metadata-insertion-05
The document is well-written and understandable, but a few things about it seem wrong:
Section 3 describes data minimization as "one of the core mitigations for the loss of confidentiality". However, the only example given where data minimization is used to mitigate confidentiality loss is when browsers suppress cookies in private mode. The rest of the examples given (HTTP proxies, recursive DNS, VPN) are such where the data minimization is incidental to some other function. Nobody deployed the HTTP proxy or the DNS server in order to enhance privacy.
The HTTP proxy example in particular is not convincing. HTTP is designed to work without proxies. Any data minimization provided incidentally by a proxy is nothing that can be counted on, so a prohibition on restoring said data (especially in the case of a server-side load balancer) is just not convincing. OTOH in DNS recursive resolvers that hide the origin IP of the client are the norm - Authoritative servers hardly ever get to see real addresses of clients. In that case exposing the real IP address of the client shows data that was not there before.
I believe the text should differentiate between cases where a network element is not part of the normal function of the protocol and works to undo the accidental data minimization that it causes, and cases where the network element is expected in the protocol and thus the minimization is expected as well. I think the prescription in the text applies to the latter. I am not convinced about the former
The VPN example is a strange one. If the subject is a corporate VPN, then restoring the original IP addresses is the function of the VPN. If, OTOH, VPN is that service that allows people to watch Hulu outside of the US, then restoring the IP address would be counter-productive. It is also strange to see VPN used as an example of "systems whose primary function is not to provide confidentiality"