[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 draft-iab-for-the-users

Network Working Group                                      M. Nottingham
Internet-Draft                                             July 31, 2017
Intended status: Best Current Practice
Expires: February 1, 2018


                     The Internet is for End Users
                   draft-nottingham-for-the-users-05

Abstract

   This document requires that Internet Standards consider end users as
   their highest priority concern.

Note to Readers

   The issues list for this draft can be found at
   https://github.com/mnot/I-D/labels/for-the-users.

   The most recent (often, unpublished) draft is at
   https://mnot.github.io/I-D/for-the-users/.

   Recent changes are listed at https://github.com/mnot/I-D/commits/gh-
   pages/for-the-users.

   See also the draft's current status in the IETF datatracker, at
   https://datatracker.ietf.org/doc/draft-nottingham-for-the-users/.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 1, 2018.







Nottingham              Expires February 1, 2018                [Page 1]


Internet-Draft        The Internet is for End Users            July 2017


Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   4
   2.  The Internet is for End Users . . . . . . . . . . . . . . . .   4
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   7
   Appendix B.  Frequently Asked Questions . . . . . . . . . . . . .   7
     B.1.  Why do we need this?  . . . . . . . . . . . . . . . . . .   7
     B.2.  How will this impact my Working Group?  . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The IETF, while focused on technical matters, is not neutral about
   the purpose of its work in developing the Internet [RFC3935]:

      The IETF community wants the Internet to succeed because we
      believe that the existence of the Internet, and its influence on
      economics, communication, and education, will help us to build a
      better human society.

   However, the IETF is most comfortable making what we believe to be
   purely technical decisions; our process is defined to favor technical
   merit, through our well-known bias towards "rough consensus and
   running code".

   Nevertheless, the running code that results from our process (when
   things work well) inevitably has an impact beyond technical



Nottingham              Expires February 1, 2018                [Page 2]


Internet-Draft        The Internet is for End Users            July 2017


   considerations, because the underlying decisions afford some uses
   while discouraging others; while we believe we are making purely
   technical decisions, in reality that may not be possible.  Or, in the
   words of Lawrence Lessig [CODELAW]:

      Ours is the age of cyberspace.  It, too, has a regulator... This
      regulator is code -- the software and hardware that make
      cyberspace as it is.  This code, or architecture, sets the terms
      on which life in cyberspace is experienced.  It determines how
      easy it is to protect privacy, or how easy it is to censor speech.
      It determines whether access to information is general or whether
      information is zoned.  It affects who sees what, or what is
      monitored.  In a host of ways that one cannot begin to see unless
      one begins to understand the nature of this code, the code of
      cyberspace regulates.

   This impact has become significant.  As the Internet increasingly
   mediates key functions in societies, it has unavoidably become
   profoundly political; it has helped people overthrow governments and
   revolutionize social orders, control populations and reveal secrets.
   It has created wealth for some individuals and companies, while
   destroying others'.

   All of this raises the question: For whom do we go through the pain
   of gathering rough consensus and writing running code?

   There are a variety of identifiable parties in the larger Internet
   community that standards can provide benefit to, such as (but not
   limited to) end users, network operators, schools, equipment vendors,
   specification authors, specification implementers, content owners,
   governments, non-governmental organisations, social movements,
   employers, and parents.

   Successful specifications will provide some benefit to all of the
   relevant parties, because standards do not represent a zero-sum game.
   However, there are often situations where we need to balance the
   benefits of a decision between two (or more) parties.

   To help clarify such decisions, Section 2 mandates that end users
   have the highest priority.

   Our goal is not to avoid all potential harm to or constraint of end
   users; rather, it's to give guidance in a particular situation - when
   we've identified a conflict between the needs of end users and
   another stakeholder (e.g., a network operator), and need a
   "tiebreaker", we should err on the side of finding a solution that
   doesn't harm end users.




Nottingham              Expires February 1, 2018                [Page 3]


Internet-Draft        The Internet is for End Users            July 2017


   Note that "harm" is not defined in this document; that is something
   that the relevant body (e.g., Working Group) needs to discuss.  The
   IETF has already established a body of guidance for such decisions,
   including (but not limited to) [RFC7754] on filtering, [RFC7258] and
   [RFC7624] on pervasive surveillance, [RFC7288] on host firewalls, and
   [RFC6973] regarding privacy considerations.

   Over time, additional guidance is likely to be defined.  In the
   absence of specific guidance on a given topic, this document provides
   a general approach to making such decisions.

   Doing so helps the IETF achieve its mission, and also helps to assure
   the long-term health of the Internet.  By prioritising the concerns
   of end users, we assure that it reaches the greatest number of
   people, thereby delivering greater utility by maximising its network
   effect.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  The Internet is for End Users

   Internet standards MUST consider the end users of the Internet to
   have priority over every other party.

   While networks need to be managed, employers and equipment vendors
   need to meet business goals, and so on, the IETF's mission is to
   "build a better human society" [RFC3935] and - on the Internet -
   society is composed of end users, along with groups of them forming
   business, governments, clubs, civil society organizations, and other
   institutions that influence it.

   By "end users," we mean non-technical users whose activities our
   protocols are designed to support.  Thus, the end user of a protocol
   to manage routers is not a router administrator; it is the people
   using the network that the router operates within.

   This does not mean that the IETF community has any specific insight
   into what is "good for end users"; as always, we will need to
   interact with the greater Internet community and apply our process to
   help us make decisions, deploy our protocols, and ultimately
   determine their success or failure.

   It does means that, because end users are not technical experts, we
   have a responsibility to consider their needs, and will need to



Nottingham              Expires February 1, 2018                [Page 4]


Internet-Draft        The Internet is for End Users            July 2017


   engage with those who understand how our work will affect end users,
   such as civil society organisations, as well as governments,
   businesses and other groups representing some aspect of end user
   needs.

   When a proposed solution to a problem has a benefit to some other
   party at the identified expense of end users, we will find a
   different solution or find another way to frame the problem.

   There may be cases where genuine technical need requires compromise.
   However, such tradeoffs need to be carefully examined, and avoided
   when there are alternate means of achieving the desired goals.  If
   they cannot be, these choices and reasoning SHOULD be carefully
   documented.

   For example, IPv6 [RFC2460] identifies each client with a unique
   address - even though this provides a way to track end user activity
   and helps identify them - because it is technically necessary to
   provide networking (and despite this, there are mechanisms like
   [RFC4941] to mitigate this effect, for those users who desire it).

   Finally, this requirement only comes into force when an explicit
   conflict between the interests of end users and other relevant
   parties is encountered (e.g., by being brought up in the Working
   Group).  It does not imply that a standards effort needs to be
   audited for user impact, or every decision weighed against end user
   interests.

3.  IANA Considerations

   This document does not require action by IANA.

4.  Security Considerations

   This document does not have direct security impact; however, failing
   to prioritise end users might well affect their security negatively
   in the long term.

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.





Nottingham              Expires February 1, 2018                [Page 5]


Internet-Draft        The Internet is for End Users            July 2017


5.2.  Informative References

   [CODELAW]  Lessig, L., "Code Is Law: On Liberty in Cyberspace", 2000,
              <http://harvardmagazine.com/2000/01/code-is-law-html>.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998, <http://www.rfc-editor.org/info/rfc2460>.

   [RFC3935]  Alvestrand, H., "A Mission Statement for the IETF",
              BCP 95, RFC 3935, DOI 10.17487/RFC3935, October 2004,
              <http://www.rfc-editor.org/info/rfc3935>.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007,
              <http://www.rfc-editor.org/info/rfc4941>.

   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <http://www.rfc-editor.org/info/rfc6973>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7282]  Resnick, P., "On Consensus and Humming in the IETF",
              RFC 7282, DOI 10.17487/RFC7282, June 2014,
              <http://www.rfc-editor.org/info/rfc7282>.

   [RFC7288]  Thaler, D., "Reflections on Host Firewalls", RFC 7288,
              DOI 10.17487/RFC7288, June 2014,
              <http://www.rfc-editor.org/info/rfc7288>.

   [RFC7624]  Barnes, R., Schneier, B., Jennings, C., Hardie, T.,
              Trammell, B., Huitema, C., and D. Borkmann,
              "Confidentiality in the Face of Pervasive Surveillance: A
              Threat Model and Problem Statement", RFC 7624,
              DOI 10.17487/RFC7624, August 2015,
              <http://www.rfc-editor.org/info/rfc7624>.




Nottingham              Expires February 1, 2018                [Page 6]


Internet-Draft        The Internet is for End Users            July 2017


   [RFC7754]  Barnes, R., Cooper, A., Kolkman, O., Thaler, D., and E.
              Nordmark, "Technical Considerations for Internet Service
              Blocking and Filtering", RFC 7754, DOI 10.17487/RFC7754,
              March 2016, <http://www.rfc-editor.org/info/rfc7754>.

Appendix A.  Acknowledgements

   Thanks to Edward Snowden for his comments regarding the priority of
   end users at IETF93.

   Thanks to the WHATWG for blazing the trail with the Priority of
   Constituencies.

   Thanks to Harald Alvestrand for his substantial feedback and Stephen
   Farrell, Joe Hildebrand, Lee Howard, Russ Housley, Niels ten Oever,
   Martin Thomson, and Brian Trammell for their suggestions.

Appendix B.  Frequently Asked Questions

B.1.  Why do we need this?

   It's not uncommon for proposals to be made in the IETF for a change
   to a protocol - one that's being designed or already deployed - to
   make certain tasks easier, but in a way that causes some parties
   concern about impact upon end users.

   For example, network operators approached the HTTP Working Group in
   2014 with a proposal to allow an "explicitly authenticated proxy" to
   be involved in HTTPS connections, so that operators could interpose
   new services, improve network efficiency and meet regulatory
   mandates.

   After much discussion, the Working Group declined the new work, on
   the grounds that HTTPS was explicitly documented as an end-to-end
   encrypted protocol [RFC7230], and couldn't be changed retroactively.

   Having a policy like this in place would have given the Working Group
   a way to hold a more productive and limited discussion, because it
   would be focused on the question "Does intercepting HTTPS have an
   unacceptable potential for harming end users?"

   Achieving even rough consensus [RFC7282] on that would allow the
   Working Group to conclude discussion more quickly, while still giving
   the proposal a fair hearing.

   That discussion would still necessarily need to encompass the nature
   of the harm, various tradeoffs and possible alternatives, as
   discussed above.  Nevertheless, having _some_ form of guidance



Nottingham              Expires February 1, 2018                [Page 7]


Internet-Draft        The Internet is for End Users            July 2017


   regarding the overall goals and priority of constituencies does help
   Working Groups in this situation.

B.2.  How will this impact my Working Group?

   When someone identifies a potential impact upon end users in a
   document or proposal, the Working Group should assess it.  If the
   Working Group does reach consensus (even rough, as per [RFC7282])
   that this is the case, the risk will need to be mitigated, or an
   alternative approach found.

   As explained above, there might be cases where the Working Group
   determines that there is potential for end user impact, but that it
   is the "least worst" option.  These cases are encouraged to be
   documented (e.g., in Security Considerations).

Author's Address

   Mark Nottingham

   Email: mnot@mnot.net
   URI:   https://www.mnot.net/





























Nottingham              Expires February 1, 2018                [Page 8]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/