Re: [Geopriv] Security Considerations:draft-thomson-geopriv-held-measurements-02.txt
Eric Rescorla <ekr@networkresonance.com> Fri, 01 August 2008 03:00 UTC
Return-Path: <geopriv-bounces@ietf.org>
X-Original-To: geopriv-archive@megatron.ietf.org
Delivered-To: ietfarch-geopriv-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 35E6F28C390; Thu, 31 Jul 2008 20:00:47 -0700 (PDT)
X-Original-To: geopriv@core3.amsl.com
Delivered-To: geopriv@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24E5628C390 for <geopriv@core3.amsl.com>; Thu, 31 Jul 2008 20:00:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.468
X-Spam-Level:
X-Spam-Status: No, score=-0.468 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UiKc8xb37UKu for <geopriv@core3.amsl.com>; Thu, 31 Jul 2008 20:00:45 -0700 (PDT)
Received: from kilo.rtfm.com (unknown [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 51FA128C38C for <geopriv@ietf.org>; Thu, 31 Jul 2008 20:00:45 -0700 (PDT)
Received: from kilo-2.local (localhost [127.0.0.1]) by kilo.rtfm.com (Postfix) with ESMTP id B2624516084; Thu, 31 Jul 2008 20:00:18 -0700 (PDT)
Date: Thu, 31 Jul 2008 20:00:17 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
In-Reply-To: <E51D5B15BFDEFD448F90BDD17D41CFF104A2ED39@AHQEX1.andrew.com>
References: <20080731093059.7EC9C502E93@kilo.rtfm.com> <E51D5B15BFDEFD448F90BDD17D41CFF104A2ED39@AHQEX1.andrew.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20080801030018.B2624516084@kilo.rtfm.com>
Cc: geopriv@ietf.org
Subject: Re: [Geopriv] Security Considerations:draft-thomson-geopriv-held-measurements-02.txt
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/geopriv>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: geopriv-bounces@ietf.org
Errors-To: geopriv-bounces@ietf.org
At Thu, 31 Jul 2008 09:02:30 -0500, Thomson, Martin wrote: > For the purposes of outright lying, some elements of information can > be directly verified by the LIS. For these pieces of information, > the device provides value only by reducing the overall effort > expended by the LIS in generating location information. The LIS is > able to authenticate this information by acquiring the information > using its own means. In many cases checking that the information is > correct is far less costly than generating it in the first place. > This is certainly true for the scenarios my company has been looking > at in the past 18 months. Even if this is not the case, the LIS can > check on random requests and the check can be made parallel to the > continuing processing of the request. Hmm... So, say the check comes up mismatched. What then? Random checks only works well if it's coupled with some sort of punishment... > The other case is obviously far more interesting. There are parts > of the measurement information that cannot be validated by the LIS > are quite clearly open to lying. However, you need to look at the > goals of this draft. The point is to make available, to the LIS, > information that can be used to improve the accuracy of the > information that it provides. We have to assume that the LIS is > able to determine the location of the device using some means, > however coarse that is. The impact of a lie on the final result > that is produced can be constrained. If for instance a device lies > about its RTT measurements for WiMAX in such a way that the LIS is > still able to use them, the result that is produced can be no > further from the real location of the device than the uncertainty on > the location information that the LIS is able to determine on its > own. > > With this view in mind, it's easier to understand the impact of the > lie. The LIS is able to take the spoofed measurement information > and either check it entirely, or it is able to constrain the impact > of the lie. > > We have product that implements these mechanisms already in the > cellular wireless space. Our SMLC, SAS and SUPL servers do this for > A-GPS. We use the cell-based location to check the A-GPS location > information. If the A-GPS position differs excessively from the > cell-based one we are able to reject (or just log) the result. Well, I see your point here, but if the relying party cares about positions within the margin of error, then lying becomes serious. And of course, this doesn't address the privacy issues... -Ekr _______________________________________________ Geopriv mailing list Geopriv@ietf.org https://www.ietf.org/mailman/listinfo/geopriv
- [Geopriv] Security Considerations: draft-thomson-… Eric Rescorla
- Re: [Geopriv] Security Considerations:draft-thoms… Thomson, Martin
- Re: [Geopriv] Security Considerations:draft-thoms… Carl Reed
- Re: [Geopriv] Security Considerations:draft-thoms… Eric Rescorla
- Re: [Geopriv] Security Considerations:draft-thoms… Thomson, Martin