| Internet-Draft | IETF Policy Interactions | July 2023 |
| Nottingham & Cooper | Expires 8 January 2024 | [Page] |
This document captures a list of interactions between IETF efforts and policy efforts.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://coopdanger.github.io/draft-ietf-policy-interactions/draft-cooper-policy-interactions.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-cooper-policy-interactions/.¶
Source for this draft and an issue tracker can be found at https://github.com/coopdanger/draft-ietf-policy-interactions.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document captures a list of interactions between IETF standards-related efforts and external policy efforts (e.g., regulation or legislation) around the world, past or present. The objective of this document is merely to catalogue these interactions in a single location.¶
Comments and additional suggestions of policy interactions not listed here should be submitted via the issue tracker at https://github.com/coopdanger/draft-ietf-policy-interactions.¶
THE IETF has a history of publishing documents that respond to policy developments surrounding the use of encryption, and more generally regarding access to communications.¶
[RFC1984] stated the IESG and IAB's position regarding legal constraints on encryption in 1996, with a focus on the effects on the Internet. The publication of the document was prompted in part by the controversy surrounding the US government's promotion of the Clipper Chip. The document was elevated to Best Current Practice (which requires IETF-wide consensus) in 2015.¶
[RFC2804] articulates why the IESG and IAB believed that it was not appropriate to accommodate wiretapping requirements from law enforcement, circa 2000.¶
[RFC3365] set a requirement for IETF standard protocols to use 'appropriate strong security mechanisms', including encryption. It was published as Best Current Practice in 2002.¶
[RFC7258] documents IETF consensus that pervasive monitoring is an attack, and thus should be mitigated in IETF protocols (often, using encryption). It was a response to the Snowden revelations, and followed the Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT) https://www.w3.org/2014/strint/, held jointly by the W3C and IAB. Follow-on work to implement [RFC7258] includes opportunistic encryption [RFC7435] [RFC8110] [RFC8164], data minimization [RFC7816] [RFC9156], improvements to the encryption ecosystem such as [ACME], and discussion of mandatory encryption in [HTTP2], [TLS13], and [QUIC].¶
[DOH] was a technical response to pervasive monitoring attacks on DNS.¶
Some related news reporting: * Proposal to regulate in Russia * GCHQ sends 'warning' to Google and Mozilla over DoH * Congressional scrutiny of DoH¶
[ECH] is a work-in-progress effort to respond to pervasive monitoring attacks on TLS SNI, which exposes the hostname =being connected to, even when several hostnames are served by the same IP address.¶
Some related news reporting: * Proposal to regulate in Russia * ESNI blocked in China¶
The development of the Session Initiation Protocol (SIP) in the early 2000s had involvement from regulators and their proxies. There is a very significant amount of PSTN interop built into SIP. See [RFC3261] and the rest of the SIP document suite.¶
The Emergency Context Resolution with Internet Technologies (ECRIT) working group, which began in the starting mid-2000s, had extensive involvement from people working for/with Public Safety Answering Points (PSAPs) as well as some input from telecom regulators such as the US Federal Communications Commission (FCC). See [RFC5222] and the rest of the document suite.¶
Secure Telephone Identity Revisited (STIR) and the related SHAKEN initiative are designed to combat caller ID spoofing that uses VoIP.¶
See [RFC8224], [RFC8225], [RFC8226], and [RFC8588].¶
Regulatory mandates to use STIR exist in the US, Canada, and France thus far.¶
The More Instant Messaging Interoperability (MIMI) working group is chartered to work on interoperability for encrypted messaging. This work was instigated based on requirements in the EU Digital Markets Act (DMA). Several of the key participants have met with European Commission (EC) staff and participated in an EC workshop on the topic. The area director and co-chairs are staying in touch with the EC staff focused on messaging interoperability.¶
The Protocol to Access Whitespaces (PAWS) working group was created based on requirements received from the FCC after they allocated TV whitespaces spectrum for unlicensed use.¶
The Large-Scale Measurement of Broadband Performance (LMAP) working group was created as a result of disparate efforts by Ofcom in the UK, the FCC, and the Body of European Regulators of Electronic Communications (BEREC), who were all running their own jurisdiction-specific broadband speed measurement efforts (several of them using a vendor which had its own proprietary measurement protocol). There were regulator participants involved in the protocol development effort.¶
There has been long-term involvement (including people in area director roles) from those involved with various CERTs and national cybersecurity authorities in several of the IETF's working groups focused on incident response and exchange of incident/vulnerability information: Managed Incident Lightweight Exchange (MILE), Security Automation and Continuous Monitoring (SACM), and DDoS Open Threat Signaling (DOTS).¶
In 2008, the IETF hosted a workshop that was spurred by an FCC action regarding P2P traffic throttling. See [RFC5594]. Related challenges associated with multiplexing flows with different characteristics were addressed in the Active Queue Management working group (see, e.g., [RFC7567]) and in the Congestion Exposure working group (see, e.g., [RFC7713]).¶
In addition to the IAB's coordination with the Internet Society on policy matters, the IAB also frequently contributes to policy and regulatory proceedings around the world. Some recent examples:¶
IAB workshops also frequently include regulatory or policy perspectives, for example, the unwanted traffic workshop and the CARIS workshop.¶
A number of the policy interactions above relate to security, encryption, and law enforcement access.¶
This document has no IANA actions.¶