IETF Policy on Wiretapping
RFC 2804
| Field | Value |
|---|---|
| Type | RFC - Informational (May 2000; Errata); was draft-iab-raven (iab) |
| Authors | Fred Baker, Brian Carpenter |
| Last updated | 2015-11-11 |
| Stream | IAB |
| Formats | plain text, html, pdf, htmlized, bibtex |
| IAB state | (None) |
| Consensus Boilerplate | Unknown |
| RFC Editor Note | (None) |
Network Working Group                                                IAB
Request for Comments: 2804                                          IESG
Category: Informational                                         May 2000

IETF Policy on Wiretapping

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

The Internet Engineering Task Force (IETF) has been asked to take a position on the inclusion into IETF standards-track documents of functionality designed to facilitate wiretapping.

This memo explains what the IETF thinks the question means, why its answer is "no", and what that answer means.

1. Summary position

The IETF has decided not to consider requirements for wiretapping as part of the process for creating and maintaining IETF standards.

It takes this position for the following basic reasons:

- The IETF, an international standards body, believes itself to be the wrong forum for designing protocol or equipment features that address needs arising from the laws of individual countries, because these laws vary widely across the areas that IETF standards are deployed in. Bodies whose scope of authority corresponds to a single regime of jurisdiction are more appropriate for this task.

- The IETF sets standards for communications that pass across networks that may be owned, operated and maintained by people from numerous jurisdictions with numerous requirements for privacy. In light of these potentially divergent requirements, the IETF believes that the operation of the Internet and the needs of its users are best served by making sure the security properties of connections across the Internet are as well known as possible. At the present stage of our ignorance this means making them as free from security loopholes as possible.
- The IETF believes that in the case of traffic that is today going across the Internet without being protected by the end systems (by encryption or other means), the use of existing network features, if deployed intelligently, provides extensive opportunities for wiretapping, and should be sufficient under presently seen requirements for many cases. The IETF does not see an engineering solution that allows such wiretapping when the end systems take adequate measures to protect their communications.

- The IETF believes that adding a requirement for wiretapping will make affected protocol designs considerably more complex. Experience has shown that complexity almost inevitably jeopardizes the security of communications even when it is not being tapped by any legal means; there are also obvious risks raised by having to protect the access to the wiretap. This is in conflict with the goal of freedom from security loopholes.

- The IETF restates its strongly held belief, stated at greater length in [RFC 1984], that both commercial development of the Internet and adequate privacy for its users against illegal intrusion require the wide availability of strong cryptographic technology.

- On the other hand, the IETF believes that mechanisms designed to facilitate or enable wiretapping, or methods of using other facilities for such purposes, should be openly described, so as to ensure the maximum review of the mechanisms and ensure that they adhere as closely as possible to their design constraints. The IETF believes that the publication of such mechanisms, and the publication of known weaknesses in such mechanisms, is a Good Thing.

2. The Raven process

The issue of the IETF doing work on legal intercept technologies came up as a byproduct of the extensive work that the IETF is now doing in the area of IP-based telephony.

In the telephony world, there has been a tradition of cooperation (often mandated by law) between law enforcement agencies and telephone equipment operators on wiretapping, leading to companies that build telephone equipment adding wiretapping features to their telephony-related equipment, and an emerging consensus in the industry of how to build and manage such features. Some traditional telephony standards organizations have supported this by adding intercept features to their telephony-related standards.

Since the future of the telephone seems to be intertwined with the