[Ecrit] Comments to draft-barnes-ecrit-auth-00.txt

[Hannes Tschofenig <Hannes.Tschofenig@gmx.net>]

Hi Richard,

thanks for writing this document.

I have a few comments:


Section 2.1: Location and Service URN

This is a very good summary of our currently assumed model.
I am, however, not sure about the following statement:

"
An important restriction to the applicability of this solution is that 
it requires the asserter possess a location value that can serve as part 
of an authenticator. For instance, if the authenticator is to be carried 
an INVITE message, the UAC must have access to its own location (with 
some degree of precision). Since there are situations where UACs may not 
have access to their own location (in access networks prevent this), 
this solution must be embedded in SIP in such a way that it can be 
inserted by a UAC, a UAS, or a proxy. In addition, if the Geolocation 
header is used to convey the location used here, then the SIP embedding 
must take into account the usage restrictions in [location-conveyance].
"

The UAC does not need to have access to precise location information. 
The considerations for "location hiding" apply here.

I am not sure what you mean with the sentences in the later part of the 
paragraph


Section 2.2: Asserter Identity

This model assumes that the PSAP operators network asserts that it has 
received an emergency call. It furthermore assumes that the VSP is able 
to verify which identities are indeed PSAP operators. Hence, some white 
lists of PSAP operators need to made available.

You want to use the Connected Identity for this purpose.

Please let me know whether I correctly understood this solution.



Section 2.3 Direct assertion

 From the description I got the impression that this is the plain SIP 
Identity. I cannot quite see how this prevents the attack. How does a 
VSP verify whether this is indeed an emergency call?


Another solution would be to sign a LoST mapping response (with a 
service boundary). The SIP UA would then add the signed LoST mapping  
into the SIP message together with the location information it used for 
retrieving the mapping. The VSP would verify that
a) the signature of the mapping is correct.
b) compare the identity of the mapping server with a a whitelist of 
valid mapping servers
c) verify whether the location information is contained in the service 
boundary.

The problem is that this is again complex, i.e., by no means better than 
the current solution we use as a working assumption.

Ciao
Hannes


_______________________________________________
Ecrit mailing list
Ecrit@ietf.org
https://www1.ietf.org/mailman/listinfo/ecrit