IETF Logo Mail Archive

Re: [Ecrit] Stephen Farrell's Discuss on draft-ietf-ecrit-additional-data-34: (with DISCUSS and COMMENT)

"Rosen, Brian" <Brian.Rosen@neustar.biz> Wed, 02 September 2015 14:52 UTC

Return-Path: <Brian.Rosen@neustar.biz>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F3181B4598; Wed, 2 Sep 2015 07:52:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level:
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMPdFT8DRvsV; Wed, 2 Sep 2015 07:52:43 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17ED01B4597; Wed, 2 Sep 2015 07:52:43 -0700 (PDT)
Received: from pps.filterd (m0078664.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id t82Ek5Eu031967; Wed, 2 Sep 2015 10:52:40 -0400
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 1wp13n06wg-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 02 Sep 2015 10:52:40 -0400
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.189]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0158.001; Wed, 2 Sep 2015 10:52:38 -0400
From: "Rosen, Brian" <Brian.Rosen@neustar.biz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [Ecrit] Stephen Farrell's Discuss on draft-ietf-ecrit-additional-data-34: (with DISCUSS and COMMENT)
Thread-Index: AQHQ5Y8C1Qw9fTR1hU6qymoWFTGx9A==
Date: Wed, 02 Sep 2015 14:52:37 +0000
Message-ID: <0A860905-0339-4F7A-AB74-272B405C1496@neustar.biz>
References: <20150901234754.5160.40078.idtracker@ietfa.amsl.com>
In-Reply-To: <20150901234754.5160.40078.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.33.128.33]
Content-Type: text/plain; charset="utf-8"
Content-ID: <FB9054E4A59B214881FFAB2FB4B861DF@neustar.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-09-02_06:2015-09-02,2015-09-02,1970-01-01 signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <http://mailarchive.ietf.org/arch/msg/ecrit/SOvGphmiJCu1_Bwn1GO3Ni0yU-g>
Cc: "draft-ietf-ecrit-additional-data@ietf.org" <draft-ietf-ecrit-additional-data@ietf.org>, "ecrit@ietf.org" <ecrit@ietf.org>, "draft-ietf-ecrit-additional-data.ad@ietf.org" <draft-ietf-ecrit-additional-data.ad@ietf.org>, "ecrit-chairs@ietf.org" <ecrit-chairs@ietf.org>, "draft-ietf-ecrit-additional-data.shepherd@ietf.org" <draft-ietf-ecrit-additional-data.shepherd@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [Ecrit] Stephen Farrell's Discuss on draft-ietf-ecrit-additional-data-34: (with DISCUSS and COMMENT)
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 14:52:45 -0000

I’m okay with the MUST NOT except, and I can imagine other uses for these that will work fine if we write a document that explains them.

I’m strongly against standards track for extensions.  There are a number of organizations who have expertise that need to be able to define the data.  We can’t be experts in all things.  An example is that we’re going to extend for medical data useful to a first responder.  Clearly has major privacy issues, but we’re not the experts in that, and those that are don’t write RFCs.  NENA, the 9-1-1 organization in North America is working on extensions for location related data, and also knows 10X more about location data for emergency response than IETF does.  We need to let the experts do their jobs.

Brian

> On Sep 1, 2015, at 4:47 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-ecrit-additional-data-34: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ecrit-additional-data/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> I've two things I'd like to chat about. (Note: I'm not trying
> here to insist on my preferred outcome, but I would like to
> have the discussion or else be pointed at where the WG 
> already did that.)
> 
> (1) section 3: You say these MAY be used.  I'm not
> sure that's a good option.  I think the data
> minimisation recommendations argued for in RFC6973 and
> RFC7258 would argue to add a MUST NOT. For example,
> saying that these additional data MUST NOT be sent in
> any non-emergency call without explicit user
> permission on a per-call basis or something similar?
> I have to admit I'm nervous that defining all of these
> may mean that some UA somewhere starts sending some of
> them in other calls without asking. A restriction
> along those lines would also be more in line with
> webrtc too perhaps. But maybe this was discussed in
> the WG, having considered those privacy issues - was
> it? Either way, would adding such a "MUST NOT except
> if..." be a good plan?  4.3.4 is a good example of the
> kind of thing I'd not want easily emitted in a call.
> 
> (2) I'd like to (perhaps briefly) argue that the
> registries here should require more than expert
> review. Extensibility in dealing with what will
> inevitably be highly privacy sensitive data structures
> that are vulnerable to misuse once registered seems to
> perhaps call for a more stringent registration regime.
> The document itself also argues (in 4.3.7) that adding
> new kinds of data here can be counter productive for
> emergency call handling, so being more conservative in
> what we add seems unusually correct here. I'd like to
> suggest we require standards track for extensions.
> The following very recent -00 draft [1] makes some
> related arguments (but of course has no standing in
> the IETF so is just offered as a way to avoid
> repeating some arguments, not as an appeal to
> authority.)
> 
>   [1]
> https://tools.ietf.org/html/draft-nottingham-transport-metadata-impact-00
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> - abstract: the "or by reference" point is made twice
> in the abstract
> 
> - intro: floor plans? HVAC status? really? Why not
> contact lists? proximity of friends? That (or
> inferring as much) seems to me to be going too far, if
> applied to all calls. I'd say just saying that this
> could be extended in future by other standards-track
> specifications is enough. (See also discuss points above)
> 
> - intro: Wedding anniversary? That's surely not
> relevant to a PSAP. 
> 
> - figure 5: "prison" is out of context here, I'd suggest 
> deleting it. If not, why not add hospital, power station 
> and many other kinds of building? There may be some 
> country specific issue or technical here, but labelling 
> that with "prison" seems inappropriate to me. 
> 
> - 4.3.8: sorry I don't get the privacy argument, can
> you try explain it to me?  (I didn't know it was
> possible to tempt an implementation, so the language
> there could be improved for sure:-)
> 
> - section 5: good that this is HTTPS only. I think
> provisioning the PKI for such a thing is easily done
> these days and is rightly not optional. It might be
> useful to say that TLS here needs to follow BCP195.  I
> agree with the earlier comment that you should be
> clear as to when mutually authenticated TLS is
> required. The secdir review [2] also raised similar
> issues and it'd be good to see responses to that too.
> (Yes, that review only arrived today so it's entirely
> reasonable to not have responded so far.)
> 
>   [2]
> https://www.ietf.org/mail-archive/web/secdir/current/msg05982.html
> 
> - section 8: the sizes of the various additional data
> items here could be characteristic and leak value
> information regardless of TLS or not-TLS - perhaps add
> a warning that these may enable relatively simple
> traffic analysis. And wouldn't it be nice if someone
> had done the analysis of this potential vulnerability?
> This is btw a real issue - recall that avatar icon
> image size was usable to identify 30+% of contacts in
> one social network even over TLS, but before the
> provider canonicalised the avatar image sizes. 
> 
> - Thanks for section 9. Good job.
> 
> 
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

v2.23.0 | Report a Bug | By Email