>The IETF's position on technology to support legal intercept
>
>* To: IETF-Announce: ;
>* Subject: The IETF's position on technology to support legal intercept
>* From: The IESG <iesg-secretary@ietf.org>
>* Date: Mon, 11 Oct 1999 15:47:10 -0400
>* cc: raven@ietf.org
>* Reply-to: raven@ietf.org
>* Sender: scoya@cnri.reston.va.us
>
>
>------------------------------------------------------------------------
>
>
>The use of the Internet for services that replace or supplement
>traditional telephony is, predictably, causing discussions in many
>countries about the point at which special rules about telephony
>services begin to apply to Internet service providers. In many
>countries, these rules could impose new legal obligations on ISPs,
>particularly requirements to comply with requests from law enforcement
>agencies or regulators to intercept, or gather and report other
>information about, communications. For example, many traditional
>telephony devices, especially central-office switches, sold in those
>countries are required to have built-in wiretapping capabilities to
>allow telephone carriers to fulfill these obligations.
>
>A number of IETF working groups are currently working on protocols to
>support telephony over IP networks. The wiretap question has come up
>in one of these working groups, but the IESG has concluded that the
>general questions should be discussed, and conclusions reached, by the
>entire IETF, not just one WG. The key questions are:
>
> "should the IETF develop new protocols or modify existing protocols
> to support mechanisms whose primary purpose is to support wiretapping
> or other law enforcement activities"
>
> and
>
> "what should the IETF's position be on informational documents that
> explain how to perform message or data-stream interception without
> protocol modifications".
>
>We would like to encourage discussion of these questions on the new
>raven@ietf.org mailing list. Subscription requests should be mailed to
>raven-request@ietf.org OR subscribe via the web at
>http://www.ietf.org/mailman/listinfo/raven
>
>Time will be allocated at the Plenary session at the November IETF to
>discuss this orally and try to draw a consensus together. (PLEASE
>DISCUSS THIS ON THE NEW MAILING LIST AND NOT ON THE GENERAL IETF LIST)
>
>In addition to the general questions identified above, we believe it would
>be helpful for mailing list comments to address the following more specific
>questions:
>
> Adding wiretap capability is by definition adding a security hole.
> Considering the IETF's commitment to secure protocols, is it a reasonable
> thing to open such a hole to meet these requirements?
>
> Should the IETF as an international standards organization shape its
> protocols to support country-specific legal requirements?
>
> If the companies who employ the IETF participants and deploy the
> IETF's technology feel that having wiretap capability is a business
> necessity due to the regulatory requirements in the countries where
> they want to sell their products, would that make a difference to the
> IETF position on this subject?
>
> What is the appropriateness or feasibility of standardizing mechanisms
> to conform to requirements that may change several times over the life
> cycle of equipment built to conform to those standards?
>
> When IPv6 was under development, the IETF decided to mandate an
> encryption capability for all devices that claim to adhere to those
> standards. This was done in spite of the fact that, at the time the
> decision was made, devices meeting the IPv6 standard could not then
> be exported from the U.S. nor could they be used in some countries.
> Is that a precedent for what to do in this case?
>
> Could the IETF just avoid specifying the part of the technology that
> supports wiretapping, presumably assuming that some industry consortium
> or other standards organization would do so? Would letting that
> responsibility fall to others weaken the IETF's control over its own
> standards and traditional areas?
>
> If these functions must be done, is it better for the IETF to do them
> so that we can ensure they are done in the most secure way and, where
> permitted by the regulations, to ensure a reliable audit capability?
>
> What would the image of the IETF be if we were to refuse to standardize
> any technology that supported wiretapping? In the Internet community?
> In the business community? To the national regulatory authorities?
>
>The goal of the mailing list and then plenary session is to address the
>broad policy and direction issue and not specific technical issues such
>as where exactly in an architecture it would be best to implement
>wiretapping if one needed to do so. Nor are they to address what
>specific functions might be needed to implement wiretapping under which
>countries' laws. The intent is basically to discuss the question of
>what stance the IETF should take on the general issue.
>