In rebuttal to Fred Cohen's response to my piece that you published in Cipher, I'd just like to make a few points.

I think he has his facts wrong, in the first place; I know whatever 'access control' mechanism he refers to is not there in the IP design, since I was part of the original standards definition process. If Fred would like to name which IP feature, X, he thinks defines a content level access control policy, I will be happy to respond in more detail. But all of the fields in the IP header are designed to manage the resources and logic involved in routing of packets between the source and destination, not to carry content level access control policy information.

In the second place, he seems to attribute to me motivations that I don't have; I personally think internet service providers ought to help users control undesired access to content - but I think that assistance is best achieved by encouraging appropriate use of well-known end-to-end mechanisms (such as content warning labels and encryption-based authentication) that enable users and suppliers of high-level content to implement workable policy choices.

In the third place, he attacks my claim that the scalability of the Internet architecture has benefited from choosing to follow the end-to-end approach, by arguing that some non-end-to-end feature X has been there all along, but not implemented. Had this feature X been implemented, his argument might make sense, but I'm struggling to understand how he convinces himself that this unimplemented and possibly illusory counterexample shows that the end-to-end approach has not been a main contributor to scalability.

Finally, while likening the Internet carriers' attitude to the 'common carrier' principle, he characterizes 'indecent' communications as 'attacks'. This is an odd description of indecency on the Web, wherein the indecent material many are concerned with is files or web pages that are passively available, but easily discovered by an interested seeker, and perhaps easily discovered by accident. The situation seems more like the presence of 'dirty' books in a library than an 'attack'. It also seems odd to control 'attacks' by a voluntary mechanism that depends on the source of 'indecent' material to place labeling information in IP headers. Why would an 'attacker' choose to so vitiate his/her own efforts? Does a provocateur voluntarily wear a large red 'P' on their jacket?

My original note was concerned with the notion of 'Exon boxes' that would enforce the CDA in routers. The problem of protecting users against attacks whose goal is sabotage, denial of service, loss of privacy, etc. is quite different. Confounding all of these issues does not help resolve them.

- David