
Re: [TLS] Please discuss: draft-housley-evidence-extns-00



Martin,

I don't see why the claim on the EU Directive is true, as TLS Evidence contains a mandatory "opt-in" mechanism. And, I assert, neither of the authors is arguing their case very well in the document or their explanations, given this is a transnational audience.

OK, I'll try to make it short:

There is absolutely NONE, ZERO, NIL chance that this can be used in customer<->business relationships in the European Union, because it is incompatible with the EU data protection directive in many ways.


Despite pro forma opt-in mechanism compliance, it's normal in US practice for US companies to subvert the Euro-intent on such opt-in regimes using safe harbor and other procedural tricks: in the US, you will find that as a consumer one cannot connect to one's commodity service provider if you FAIL TO AGREE TO OPT IN to the data retention policy.

US practice on "privacy-regime subversion" goes further: the politics of Federal and State governments often manipulate public policy (usually and LEGITIMATELY by funding mandates) so that the insurers inevitably set the audit/practices standards so all providers REQUIRE the retention policy, thus subverting the consumer-protective opt-in policy intent set by the EU Directive. But it's America! They get to do what they want, too, for their own consumer standards!

This is just like today: phone a US health account insurer to discuss a claim, and it will tell you they are recording the call "for quality purposes". You can opt out, and thus the provider will simply drop the call, interdicting "phone" support... Your opt-in choice! Of course, it's a semantic lie (the "quality" part; it's there to collect evidence of your claim fraud...); but this is reality for consumers. If YOU don't drop the call on your side, post notification, you have accepted their policy by failing to opt out. The legal presumptions have been set to suit this bias, in the US sphere. And, we just saw a manual legal-obligation passing protocol in effect. Could TLS Evidence do the same, for the web equivalent via https? That is the real question the authors are posing.

Note, I'm not saying to IETF: don't do TLS-Evidence-type obligation passing protocols. I can't, having proposed them myself in similar forums, and I can see great value in instrumenting privacy policy (and other "battle-of-the-terms" negotiations).

But, on "wiretapping", we are ALL ON THE SAME SIDE; we have to move beyond good/evil level debate over wiretapping/data-retention etc. As US govt policy has clearly given ground - by acceding to decent confidentiality channels in standards - we have to reciprocate and thus move the privacy debate on... beyond the "sticks and stones" grade name-calling debates of the last 20 years.

TLS Evidence is broken in terms of SSL architecture; but it can be fixed. The only question is, do we want to, and is it the right timing? For example, should IETF simply wait 2-3 years until the US national id card debate is more settled, first?

-Martin

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls