IETF Logo Mail Archive

Re: [Ecrit] Ben Campbell's Yes on draft-ietf-ecrit-additional-data-34: (with COMMENT)

Gunnar Hellström <gunnar.hellstrom@omnitor.se> Sat, 03 October 2015 21:58 UTC

Return-Path: <gunnar.hellstrom@omnitor.se>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37AC81A88CE for <ecrit@ietfa.amsl.com>; Sat, 3 Oct 2015 14:58:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level:
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JtrIET-zZRWV for <ecrit@ietfa.amsl.com>; Sat, 3 Oct 2015 14:58:15 -0700 (PDT)
Received: from bin-vsp-out-03.atm.binero.net (bin-mail-out-05.binero.net [195.74.38.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03C031A872A for <ecrit@ietf.org>; Sat, 3 Oct 2015 14:58:14 -0700 (PDT)
X-Halon-ID: d52d31eb-6a19-11e5-98bf-0050569116f7
Authorized-sender: gunnar.hellstrom@omnitor.se
Received: from [192.168.2.48] (unknown [77.53.228.139]) by bin-vsp-out-03.atm.binero.net (Halon Mail Gateway) with ESMTPSA for <ecrit@ietf.org>; Sat, 3 Oct 2015 23:58:08 +0200 (CEST)
To: ecrit@ietf.org
References: <20150901144212.18261.13357.idtracker@ietfa.amsl.com> <p06240600d21b6a32baa3@[99.111.97.136]> <13A6EAEC-97BE-43B3-B0D8-2056385A8EB6@nostrum.com> <560FC5AF.3090302@omnitor.se> <561023C2.3080507@alum.mit.edu>
From: Gunnar Hellström <gunnar.hellstrom@omnitor.se>
Message-ID: <56104F6F.1010301@omnitor.se>
Date: Sat, 03 Oct 2015 23:58:07 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <561023C2.3080507@alum.mit.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ecrit/lvM1qts7I3aa9kvvWpGqOZt6FAA>
Subject: Re: [Ecrit] Ben Campbell's Yes on draft-ietf-ecrit-additional-data-34: (with COMMENT)
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Oct 2015 21:58:18 -0000

Den 2015-10-03 kl. 20:51, skrev Paul Kyzivat:
> On 10/3/15 8:10 AM, Gunnar Hellström wrote:
>> A comment on the 24/7 discussion on section 4.1.5:
>> Relay services are supposed to be data providers.
>> Sadly, the deployment of relay services is very slow in some regions,
>> and if they exist, they often operate limited hours.
>> This is of course a problem when making emergency calls, but the wording
>> in 4.1.5 should not discourage relay services from registering and
>> providing data because they currently have limited opening hours.
>> ----------------
>> Another issue around relay services: It would be good to get a URI that
>> can be used for bridging in the relay service together with a call-back.
>> This is because the relay service might have been invoked in a way so
>> that the call-back address to the original caller does not automatically
>> invoke the relay service. None of the provided data seem to specify that
>> kind of URI.
>> ----------------
>
> If the relay service was included in such a way that callbacks don't 
> bring it back in, then having the URL of the relay service won't 
> necessarily mean that the entity doing the callback will be authorized 
> to obtain relay services on the callback call.
>
> I don't see a good way to solve that except for the relay service to 
> be authorized based on whichever end of the call desires/needs the 
> relay service.
Yes, that would be included in a recommendation for how to use a URL 
field in Additional-Data.
A region could have requirements that the relay services who are 
registered as data providers also authorize calls from the region.
But it would be equally good if you can propose another field to convey 
such an URL in. It does not seem to be the intention of Additional-Data 
to provide operational information.
>
>     Thanks,
>     Paul
>
>> /Gunnar Hellstrom
>>
>> Den 2015-10-02 kl. 23:38, skrev Ben Campbell:
>>> Oops, I just ran across this going back over old messages. I don't
>>> think I responded; apologies for that. Comments inline. I deleted
>>> sections that don't seem to need further discussion.
>>>
>>> Thanks!
>>>
>>> Ben.
>>>
>>> On 13 Sep 2015, at 18:51, Randall Gellens wrote:
>>>
>>> [...]
>>>
>>>>>>
>>>>> [Edit: I asked a question below about what happens if you 
>>>>> dereference a
>>>>> block, and find the URL points to something other than what you
>>>>> expected.
>>>>> On reflection, I should expand that  to ask how dereferencing errors
>>>>> should be handled in general.]
>>>>
>>>> In general, since this is an emergency call, we want the call to go
>>>> through even if there are errors.  It's better that the call go
>>>> through with some data blocks missing or unusable than for the call
>>>> to fail.
>>>
>>> That makes sense--is there any text that says that? If not, it might
>>> be worth adding.
>>>
>>> [...]
>>>
>>>>>> This draft implicitly assumes that the emergency calls are signaled
>>>>>> with
>>>>> SIP. I don't dispute that assumption, but I think it should it's
>>>>> worth a
>>>>> paragraph stating it explicitly.
>>>>
>>>> The Introduction says:
>>>>
>>>> This document extends the basic set of data communicated with an IP-
>>>> based emergency call, as described in [RFC6443] and [RFC6881]
>>>>
>>>> Both those RFCs are explicitly SIP-based.  However, I'd be happy to
>>>> change the text from "IP-based" to "SIP-based" if people feel it
>>>> would add clarity.  E.g., to:
>>>>
>>>> This document extends the basic set of data communicated with a SIP-
>>>> based emergency call, as described in [RFC6443] and [RFC6881]
>>>>
>>>> Or perhaps to:
>>>>
>>>> This document extends the basic set of data communicated with a
>>>> Session Initiation Protocol (SIP) based emergency call, as
>>>> described in [RFC6443] and [RFC6881]
>>>>
>>>> Let me know if you feel this change would be helpful.
>>>
>>> I think the second version would be helpful.
>>>
>>>
>>> [...]
>>>
>>>>
>>>>> -- 3:
>>>>> Is there a critical need for the bit about "certain private-use
>>>>> situations"? That seems like license for abuse, without more
>>>>> elaboration
>>>>> about "prexisting relationship" and "privacy issues addressed".
>>>>
>>>> The reason for that text is to permit re-use of the mechanisms within
>>>> private telematics calls between a vehicle and a telematics service
>>>> center (which in turn simplifies the use of the mechanisms when such
>>>> calls are emergency calls from the telematics service center to a
>>>> PSAP).  The text appears as an exception to a ban on using the
>>>> mechanisms outside of an emergency call, so without it, such use
>>>> would be violating the RFC.  I thought the text was pretty
>>>> restrictive, since it says:
>>>>
>>>> certain private-use situations where the endpoints
>>>> have a preexisting relationship and privacy issues are addressed
>>>> within the relationship or do not apply because of it
>>>>
>>>> If you still feel this text is a "license for abuse" I'd be open to
>>>> tightening it, but it seems pretty limited to me.
>>>
>>> Thanks for the explanation. I can live with what's there.
>>>
>>> [...]
>>>
>>>>
>>>>> -- 4.1.5:
>>>>> Do you intend 24x7 support to be a prerequisite to be a data
>>>>> provider?
>>>>
>>>> It's not within scope of the IETF to make this requirement, but the
>>>> expectation is that calls will be processed by mainstream providers
>>>> who have 24/7 support for PSAPs.
>>>
>>>
>>> The descriptions says "...information MUST be a URI to a 24/7 support
>>> organization..." That sounds like the IETF is making the requirement.
>>>
>>> I'd be happy to have a non-normative statement that this is expected
>>> by the community to be a 24/7 support organization, but the MUST
>>> doesn't seem to fit.
>>>
>>>>> Also, it seems like there are vcard fields that are not useful to 
>>>>> this
>>>>> purpose and might still have privacy implications. Do we really need
>>>>> people
>>>>> to send everything?
>>>>
>>>> The text does not mandate which fields to send.  It encourages
>>>> sending all fields because there are some unusual circumstances where
>>>> a seemingly irrelevant field might be useful to a call-taker (e.g.,
>>>> anniversary might conceivably be useful with a suicidal caller) and
>>>> suggests a minimum set.
>>>
>>> I think there needs to be a balance between "conceivably useful" and
>>> "likely to be privacy-sensitive". But IIRC, this discussion is
>>> happening separately, isn't it?
>>>
>>> [...]
>>>
>>>>> -- 5, list item 1: "The "purpose" parameter also indicates the 
>>>>> kind of
>>>>> data
>>>>> (by its MIME subtype) that is available at the URI"
>>>>> What happens if the URL points to something other than the indicated
>>>>> thing?
>>>>
>>>> Then the PSAP doesn't get what it expects, and likely will ignore the
>>>> retrieved data, and the call will be processed as if the block wasn't
>>>> provided at all.  The PSAP will likely file a discrepancy report with
>>>> the provider, which is done out of band.  If the information in the
>>>> block is potentially urgent for handling the call, the call-taker or
>>>> a supervisor might contact the provider's PSAP support line.
>>>
>>> That's probably fine, although I wonder if there might be room for
>>> guidance that the PSAP shouldn't just load arbitrary data if it gets
>>> something unexpected.
>>>
>>> [...]
>>>>> -- 8:
>>>>> It might be worth discussing the potential harm done by a malicious
>>>>> proxy
>>>>> modifying a data element, or a compromised data source return 
>>>>> incorrect
>>>>> information when dereferencing a URL.
>>>>
>>>> If an element in the call path is compromised and under the control
>>>> of an attacker, it can wreak havoc, but this is generally true for
>>>> any system that isn't using end-to-end protection, and even then is
>>>> true if an endpoint is compromised.  I'm not sure what would be
>>>> helpful to say about this in the Security Considerations section.
>>>
>>> I'm not going to push the point--but keep in mind the "compromised
>>> data source" case involves something _not_ in the call path.
>>>
>>> [...]
>>>
>>> _______________________________________________
>>> Ecrit mailing list
>>> Ecrit@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ecrit
>>
>> _______________________________________________
>> Ecrit mailing list
>> Ecrit@ietf.org
>> https://www.ietf.org/mailman/listinfo/ecrit
>>
>
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

v2.23.0 | Report a Bug | By Email