The Internet is for End Users
mnot@mnot.net
http://www.mnot.net/
General
stakeholder
Internet standards serve and are used by a variety of communities. This document makes suggestions for explicitly identifying them, serving them, and determining how to resolve conflicts
between their interests, when necessary.
It also requires that Internet Standards consider end users as their highest priority concern.
The issues list for this draft can be found at https://github.com/mnot/I-D/labels/for-the-users.
The most recent (often, unpublished) draft is at https://mnot.github.io/I-D/for-the-users/.
Recent changes are listed at https://github.com/mnot/I-D/commits/gh-pages/for-the-users.
As the Internet has become prevalent in many societies, it has also unavoidably become a profoundly
political thing; it has helped overthrow governments, revolutionize social orders, control
populations and reveal people’s secrets. It has created wealth for some individuals and companies,
while destroying others’.
The IETF, while focused on technical matters, is not neutral about the purpose of its work :
The IETF community wants the Internet to succeed because we believe that the existence of the Internet, and its influence on economics, communication, and education, will help us to build a better human society.
However, the IETF is most comfortable making purely technical decisions; our process is defined to
favor technical merit, through our well-known bias towards “rough consensus and running code”.
Nevertheless, the running code that results from our process (when things work well) inevitably has
an impact beyond technical considerations, because the underlying decisions afford some uses, while
discouraging others. Or, in the words of Lawrence Lessig :
Ours is the age of cyberspace. It, too, has a regulator… This regulator is code — the software and hardware that make cyberspace as it is. This code, or architecture, sets the terms on which life in cyberspace is experienced. It determines how easy it is to protect privacy, or how easy it is to censor speech. It determines whether access to information is general or whether information is zoned. It affects who sees what, or what is monitored. In a host of ways that one cannot begin to see unless one begins to understand the nature of this code, the code of cyberspace regulates.
All of this raises the question: Who do we go through the pain of rough consensus and write that
running code for?
There are a variety of identifiable parties in the larger Internet community that standards can
provide benefit to, such as (but not limited to) end users, network operators, schools, equipment
vendors, specification authors, specification implementers, content owners, governments,
non-governmental organisations, social movements, employers, and parents.
Successful specifications will provide some benefit to all of the relevant parties, because
standards do not represent a zero-sum game. However, there are often situations where we need to
balance the benefits of a decision between two (or more) parties.
We regularly decide to take up work against those who attempt to use the Internet for goals that we
do not believe are beneficial; for example, those who attempt to disrupt Internet access
(denial-of-service attackers) and those who seek to obtain data or control over a system that is
not authorised by its administrator.
Additionally, efforts are sometimes brought to the IETF that represent the needs of some parties
but at the expense of others. When presented with such a proposal, we need to decide how to handle
it.
Currently, these kinds of decisions occur in an ad hoc fashion, often without explicitly being
discussed. This approach works reasonably well in many cases; even if a party is not directly
represented in the process, there are often advocates for their interests, and ultimately protocols
that disadvantage a particular party tend to be either rejected by it or eventually replaced.
However, we do sometimes expend a considerable amount of energy mitigating potential harm to
under-represented members of the Internet community, and often such harm is not so onerous or
obvious as to dissuade them from using something (e.g., ).
In other words – because our decisions have ethical implications, we should consider their impact
and determine whether it is within our core values, and do so in a well-defined, open fashion.
To facilitate that, outlines a set of guidelines for identifying the relevant
parties to an Internet standard. The aim of doing so is to both clarify the decision-making
process, and to aid external parties when engaging with and judging the results of the standards
process.
In doing so, it becomes clear that Internet standards that give the highest priority to end users
have the best chance of success, and of helping the IETF to succeed in its mission. As a result,
mandates that other parties cannot have a higher priority.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
“RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in
.
Internet standards MUST NOT consider any other party to have higher priority over end users.
While networks need to be managed, employers and equipment vendors need to meet business goals,
etc., the IETF’s mission is to “build a better human society” and – on the Internet –
society is composed of what we call “end users.”
Furthermore, the success of the Internet to date is arguably due largely to its bias towards
end user concerns; without a firm preference for their benefit, trust in the Internet will
erode, and its value – for everyone – will be greatly diminished.
This does not mean that end users have ultimate priority; there may be cases where genuine
technical need of another party requires that end user requirements compromise. However, such
tradeoffs need to be carefully examined, and avoided when there are alternate means of achieving
the desired goals. If they cannot be, these choices and reasoning SHOULD be carefully documented.
For example, IPv6 identifies each client with a unique address – even though this
provides a way to track end user activity and helps identify them – because it is technically
necessary to provide networking (and despite this, there are mechanisms like to
mitigate this effect, for those users who desire it).
This also does not mean that the IETF community has any specific insight into what is “good for end
users”; as before, we will need to interact with the greater Internet community and apply our
process to help us make decisions, deploy our protocols, and ultimately determine their success or
failure.
Finally, this requirement only comes into force when an explicit conflict between the interests of
users and other relevant parties is explicitly encountered (e.g., by being brought up in the
Working Group). It does not imply that a standards effort needs to be audited for user impact, or
every decision weighed against user interests.
Internet standards efforts are encouraged to consider and document relevant parties and their interrelationships.
For example, HTML does so using the “priority of constituencies” in the HTML Design Principles
:
In case of conflict, consider users over authors over implementors over specifiers over theoretical purity. In other words costs or difficulties to the user should be given more weight than costs to authors; which in turn should be given more weight than costs to implementors; which should be given more weight than costs to authors of the spec itself, which should be given more weight than those proposing changes for theoretical reasons alone. Of course, it is preferred to make things better for multiple parties at once.
Note how the relative priority is explicit; this is intentional and encouraged. However, it need
not be a strict ranking in all cases; in some areas, it can be more useful to give equal weight to
parties, so as to encourage the tussle .
Likewise, the responsibilities of, or expectations upon, different parties to a standard can vary
greatly. For example, end users of Web browsers cannot be reasonably expected to make informed
decisions about security, and therefore design decisions there are biased towards default security.
Finally, note “In case of conflict.” This wording makes it clear that relevant parties need not be
considered in every decision, because their interests are not always in conflict; it is only
important when a direct conflict of their interests is encountered.
Extensions to existing standards out to consider consider how they interact with the extended
standard’s relevant parties. If they are not yet documented, this could be done in coordination
with that standard’s community and the IESG.
The burden of this documentation need not be high; if HTML can do it in a paragraph, so can most
other standards. While it might be appropriate in a separate document (e.g., a requirements or use
cases draft) or the specification itself, documenting relevant parties in the WG charter has
considerable benefits, since it clarifies their relationships up-front.
Inevitably, documenting and interpreting these roles will become controversial; this is to be
expected, and is still preferable to avoiding the discussion. The point is to make it explicit, so
that the affected parties can be made aware of the discussion, and judge the outcome.
Changes in the use, deployment patterns, legal context, or other factors of a standard can bring
pressure to re-balance the priorities of existing parties, or insert new ones (usually, when a
standard is either extended or evolved).
Such changes ought not diminish the priority of existing relevant parties without informed consent.
Note that this may preclude the change completely, as it is often impossible to gain the informed
consent of a large or diffuse group (e.g., end users).
For example, there has been increasing pressure to change HTTP to make it more amenable
to optimization, filtering, and interposition of other value-added services, especially in the face
of wider use of encryption (through HTTPS URIs). However, since HTTPS is already defined as a
two-party protocol with end-to-end encryption, inserting a third party in any fashion would violate
the expectations of two existing parties; end users and content publishers. Therefore, the HTTP
Working Group has refused to consider such changes.
In protocol design, intermediation is often thought of as “those parties on the direct path between
two people attempting to communicate”; e.g., middleboxes, proxies and so on.
When discussing the parties relevant to an Internet standard, this definition can be expanded to
include those parties that have the ability to prevent or control communication between two
parties. This naturally includes middleboxes, but can also include third parties not directly
on-path.
For example, HTTP has on-path intermediaries (proxies, gateways, etc.), but also off-path
intermediaries, in the form of the DNS registrar, the DNS server, and also the Certificate
Authority if TLS is in use. Certificate Transparency potentially adds yet another
intermediary to this protocol suite.
While there might be a good technical reason to interpose such an intermediary, it also introduces
a new party, and thus needs to be done with due consideration of the impact on other parties.
Therefore, unnecessary parties ought be avoided when possible in Internet standards.
This document does not require action by IANA.
This document does not have direct security impact; however, applying its guidelines (or failing
to) might affect security positively or negatively.
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Internet Protocol, Version 6 (IPv6) Specification
This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng. [STANDARDS-TRACK]
A Mission Statement for the IETF
This memo gives a mission statement for the IETF, tries to define the terms used in the statement sufficiently to make the mission statement understandable and useful, argues why the IETF needs a mission statement, and tries to capture some of the debate that led to this point. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Privacy Extensions for Stateless Address Autoconfiguration in IPv6
Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. On an interface that contains an embedded IEEE Identifier, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node. [STANDARDS-TRACK]
HTTP State Management Mechanism
This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 2965. [STANDARDS-TRACK]
Code Is Law: On Liberty in Cyberspace
Harvard Magazine
Tussle in Cyberspace: Defining Tomorrow’s Internet
MIT Lab for Computer Science
MIT Lab for Computer Science
MIT Lab for Computer Science
USC Information Sciences Institute
HTML Design Principles
Opera Software ASA
Apple Inc
Certificate Transparency
This document describes an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs.Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.
Thanks to Jacob Appelbaum for making the suggestion that led to this document.
Thanks also to the WHATWG for blazing the trail.
Thanks to Edward Snowden for his comments regarding the priority of end users at IETF93.
Thanks to Harald Alvestrand for his substantial feedback and Stephen Farrell, Joe Hildebrand, Russ
Housley, Niels ten Oever, and Martin Thomson for their suggestions.