[Fwd: The IETF's position on technology to support legal intercept]

Christian Groves Christian.Groves at ERICSSON.COM
Mon Oct 11 20:09:18 EDT 1999


G'Day all,

This may be of some interest.

Cheers, Christian

-------- Original Message --------
Subject: The IETF's position on technology to support legal intercept
Date: Mon, 11 Oct 1999 15:47:10 -0400
From: The IESG <iesg-secretary at ietf.org>
Reply-To: raven at ietf.org
To: IETF-Announce: ;
CC: raven at ietf.org


The use of the Internet for services that replace or supplement
traditional telephony is, predictably, causing discussions in many
countries about the point at which special rules about telephony
services begin to apply to Internet service providers.  In many
countries, these rules could impose new legal obligations on ISPs,
particularly requirements to comply with requests from law enforcement
agencies or regulators to intercept, or gather and report other
information about, communications. For example many traditional
telephony devices, especially central-office switches, sold in those
countries are required to have built-in wiretapping capabilities to
allow telephone carriers to fulfill these obligations.

A number of IETF working groups are currently working on protocols to
support telephony over IP networks.  The wiretap question has come up
in one of these working groups, but the IESG has concluded that the
general questions should be discussed, and conclusions reached, by the
entire IETF, not just one WG.  The key questions are:

  "should the IETF develop new protocols or modify existing protocols
  to support mechanisms whose primary purpose is to support wiretapping
  or other law enforcement activities"

  and

  "what should the IETF's position be on informational documents that
  explain how to perform message or data-stream interception without
  protocol modifications".

We would like to encourage discussion of these questions on the new
raven at ietf.org mailing list. Subscription requests should be mailed to
raven-request at ietf.org OR subscribe via the web at
http://www.ietf.org/mailman/listinfo/raven

Time will be allocated at the Plenary session at the November IETF to
discuss this orally and try to draw a consensus together. (PLEASE
DISCUSS THIS ON THE NEW MAILING LIST AND NOT ON THE GENERAL IETF LIST)

In addition to the general questions identified above, we believe it
would be helpful for mailing list comments to address the following more
specific questions:

  Adding wiretap capability is by definition adding a security hole.
  Considering the IETF's commitment to secure protocols, is it a
  reasonable thing to open such a hole to meet these requirements?

  Should the IETF as an international standards organization shape its
  protocols to support country-specific legal requirements?

  If the companies who employ the IETF participants and deploy the
  IETF's technology feel that having wiretap capability is a business
  necessity due to the regulatory requirements in the countries where
  they want to sell their products, would that make a difference to the
  IETF position on this subject?

  What is the appropriateness or feasibility of standardizing mechanisms
  to conform to requirements that may change several times over the life
  cycle of equipment built to conform to those standards?

  When IPv6 was under development, the IETF decided to mandate an
  encryption capability for all devices that claim to adhere to those
  standards.  This was done in spite of the fact that, at the time the
  decision was made, devices meeting the IPv6 standard could not then
  be exported from the U.S. nor could they be used in some countries.
  Is that a precedent for what to do in this case?

  Could the IETF just avoid specifying the part of the technology that
  supports wiretapping, presumably assuming that some industry
  consortium or other standards organization would do so?  Would letting
  that responsibility fall to others weaken the IETF's control over its
  own standards and traditional areas?

  If these functions must be done, is it better for the IETF to do them
  so that we can ensure they are done in the most secure way and, where
  permitted by the regulations, to ensure a reliable audit capability?

  What would the image of the IETF be if we were to refuse to
  standardize any technology that supported wiretapping? In the Internet
  community? In the business community? To the national regulatory
  authorities?

The goal of the mailing list and then plenary session is to address the
broad policy and direction issue and not specific technical issues such
as where exactly in an architecture it would be best to implement
wiretapping if one needed to do so.  Nor are they to address what
specific functions might be needed to implement wiretapping under which
countries' laws.  The intent is basically to discuss the question of
what stance the IETF should take on the general issue.


