Day One of the 114th IETF meeting in Philadelphia, USA.
With privacy a key consideration in new protocol design, cryptography has become a major focus of IETF activities. The Internet Research Task Force (IRTF) has the Crypto Forum Research Group, where new cryptography schemes are brought forward and vetted for use in IETF protocols. Well, new is a misnomer. Much of the mathematics has long been defined, at least at its core, and the work is rather being brought into the IETF context where important engineering considerations apply: use of memory (at rest or in flight), processing required, round-trips required, etc. Of significance at this meeting, mechanisms for blinding a digital signature are in high demand given the prevalence of multi-tiered approaches to privacy (that is, approaches that insert one or more proxies between entities in a transaction). Something similar is in the works for cryptographic keys. A number of IETF protocol specifications, still in development, are in line to receive these mathematical gems, including Privacy Pass, Private Access Tokens, Oblivious HTTP Application Intermediation and others. An excellent summary of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography contest was also provided. The topic itself, let alone the solutions chosen, is not for the weak-kneed.
Among IETF’s most difficult challenges, for those of us interested in privacy, is the massive amount of surveillance that Internet users endure in everyday life. One problem is simply defining what surveillance means, in the commercial rather than law enforcement sense. Toward that end, the Privacy Enhancements and Assessments Research Group (PEARG) hosted an excellent first-principles presentation teasing out ideas around decoupling who we are versus what we do, and specifically architectures and design principles to increase decoupling for the purpose of preserving privacy. IETF has a new Working Group looking at Privacy Preserving Measurement, where some of the decoupling ideas are key. While one approach to privacy-preserving measurement has been presented to IETF in the past, PEARG hosted a well-considered survey presentation that looked at a number of techniques in this field at different stages of development. Not considered here: the Clean Insights project, with which Guardian Project is associated and which was perhaps the first to take a user-consent approach, and the Open Differential Privacy Project, which seeks to make its tools explicitly transparent for public scrutiny.