Re: [Geopriv] retransmission-allowed is harmful
Alissa Cooper <acooper@cdt.org> Tue, 17 March 2009 01:48 UTC
Return-Path: <acooper@cdt.org>
X-Original-To: geopriv@core3.amsl.com
Delivered-To: geopriv@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 478593A68BD for <geopriv@core3.amsl.com>; Mon, 16 Mar 2009 18:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P1zYpj1DHiWl for <geopriv@core3.amsl.com>; Mon, 16 Mar 2009 18:48:12 -0700 (PDT)
Received: from www.cdt.org (www.cdt.org [72.3.253.41]) by core3.amsl.com (Postfix) with ESMTP id 6995D3A6804 for <geopriv@ietf.org>; Mon, 16 Mar 2009 18:48:08 -0700 (PDT)
Received: from [192.168.1.103] (c-76-26-159-134.hsd1.dc.comcast.net [76.26.159.134]) (authenticated bits=0) by www.cdt.org (8.12.11.20060308/8.12.11) with ESMTP id n2H1mmWw020911; Mon, 16 Mar 2009 21:48:49 -0400
Message-Id: <E682B911-1E51-4765-8D73-E9AFFE4A76BA@cdt.org>
From: Alissa Cooper <acooper@cdt.org>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
In-Reply-To: <E51D5B15BFDEFD448F90BDD17D41CFF10582737B@AHQEX1.andrew.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Mon, 16 Mar 2009 21:48:48 -0400
References: <E51D5B15BFDEFD448F90BDD17D41CFF105826B13@AHQEX1.andrew.com> <093f01c9a2e1$88b340c0$0201a8c0@nsnintra.net> <E51D5B15BFDEFD448F90BDD17D41CFF105826E9A@AHQEX1.andrew.com> <034501c9a408$b7d9aec0$0201a8c0@nsnintra.net> <E51D5B15BFDEFD448F90BDD17D41CFF10582737B@AHQEX1.andrew.com>
X-Mailer: Apple Mail (2.929.2)
Cc: GEOPRIV <geopriv@ietf.org>
Subject: Re: [Geopriv] retransmission-allowed is harmful
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/geopriv>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2009 01:48:13 -0000
In the Web context, I actually think there's a lot of value in being able to give someone location information with instructions on how it may be shared. The example in section 2.1 in lo-sec gets at this a bit, as do your run-of-the-mill social network privacy settings (allowing, for example, sharing with "everyone," "friends of friends," "friends," or "no one" for a particular piece of data). If this isn't such a standard concept yet, I think part of the motivation behind the Geopriv privacy rules was the thought that it *should* be. As to the semantic of retransmission-allowed, I think my understanding is closer to James' than Martin's, namely: If I set retransmission-allowed = false, then there are two options: (1) the information is not to be shared (2) there is an authorization policy that governs redistribution of this information If I set retransmission-allowed = true, then the information is totally public and can be shared with the world. I think this makes more sense since the permissions granted by the authorization policy are supposed to be additive. Plus, the danger of not conveying retransmission-allowed is that you wind up in the same situation we have now for most sensitive data: the recipient receives it, it has no policy information attached whatsoever, and the recipient does what it likes with the data. Even if all of us knew that the absence of a policy meant that retransmission was prohibited, we would likely be the minority. Alissa On Mar 15, 2009, at 7:35 PM, Thomson, Martin wrote: > a) no need to move them, the ruleset-reference is actually pretty > good. Reading lo-sec, I'm thinking that the function this provides > (authorizing a rule maker) is useful. However, this assumes that > the use case is valid...not something I've really thought about all > that much - how often does one pass information to someone then give > them instructions on how they share that - usually, it's enough to > indicate that the information is secret rather than trusting someone > else to manage dissemination. > > b) There's no need to move policy around with it - this is really > just a rehash of the discussion on whether we need to indicate that > the location URI follows possession model or not. > >> -----Original Message----- >> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net] >> Sent: Saturday, 14 March 2009 5:23 AM >> To: Thomson, Martin; 'GEOPRIV' >> Subject: RE: [Geopriv] retransmission-allowed is harmful >> >> Two points: >> >> A) I guess nobody really thought sufficiently deep enough about >> conveying >> the policies in the style of http://www.ietf.org/rfc/rfc4745.txt / >> http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-20.txt >> together with location information. I suspect that folks say it >> more as >> a >> vehicle for access control and hence it wouldn't travel around. >> >> B) In a location URI there is no policy that travels with it (as it >> is >> currently defined). One could, of course, define a URI in the style >> of >> http://tools.ietf.org/html/rfc4467 and attach meta data. We discussed >> this >> several times already but, as far as I remember, never made a >> decision. >> It >> wouldn't really change anything with the location URI concept as such >> but >> the entity that looks at it would have a clue what the URI actually >> is. >> This >> would then go into the >> http://tools.ietf.org/id/draft-winterbottom-geopriv-held-context-03.txt >> document. >> >> Ciao >> Hannes >> >> >>> I also had other thoughts overnight. Retransmission-allowed >>> (or something to that effect) is actually helpful on location >>> URIs. I've made the point previously, but for what it's worth: >>> >>> Any indication would need to appear in the conveyance protocol >>> associated with the location URI. A default of "no" needs to >>> be assumed. A value of "yes" indicates that the rule maker is >>> confident that the LS serving the location URI is able to >>> effectively enforce rules. Without such an indication, "no" >>> is the only permissible interpretation an LR can make. >>> >>> Ta, >>> Martin >>> >>>> -----Original Message----- >>>> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net] >>>> Sent: Thursday, 12 March 2009 6:10 PM >>>> To: Thomson, Martin; 'GEOPRIV' >>>> Subject: RE: [Geopriv] retransmission-allowed is harmful >>>> >>>> In previous discussions I mentioned that the basic privacy fields >>>> do >>>> not provide enough semantic, see for example >>>> http://www.ietf.org/mail-archive/web/geopriv/current/msg06389.html >>>> (with >>>> regard to the question of who the recipient actually is). >>>> >>>> You point out another aspect that is not discussed in RFC >>> 4119, namely >>>> what is the relationship between retransmission-allowed and the >>>> policies referenced by the ruleset-reference element. RFC 4119 also >>>> does not saw what the meaning is if the ruleset-reference is empty. >>>> >>>> Ciao >>>> Hannes >>>> >>>>> -----Original Message----- >>>>> From: geopriv-bounces@ietf.org >>>>> [mailto:geopriv-bounces@ietf.org] On Behalf Of Thomson, Martin >>>>> Sent: 12 March, 2009 08:13 >>>>> To: GEOPRIV >>>>> Subject: [Geopriv] retransmission-allowed is harmful >>>>> >>>>> I just finished reviewing draft-barnes-geopriv-lo-sec. I wont get >>>>> those hours back, but it wasn't all in vain. There's stuff >>> in there >>>>> I'd recommend to all members of the group. >>>>> >>>>> A thought arises: >>>>> >>>>> If I set retransmission-allowed = false, all I'm saying is the >>>>> default. We knew that already, no gain to be had unless a value >>>>> of >>>>> true turns out to be useful. >>>>> >>>>> If I set retransmission-allowed = true, then there are two >>>>> options: >>>>> >>>>> (1) the information is totally public - share with the world >>>>> >>>>> (2) there is an authorization policy that governs >>> redistribution of >>>>> this information >>>>> >>>>> But that's the thing. Unless you have a policy, you should be >>>>> assuming the empty policy - and the empty policy prevents >>>>> redistribution. >>>>> >>>>> Therefore, you need a policy before you can redistribute location >>>>> information. Therefore, the authorization necessary to >>> distribute is >>>>> signified by the presence of policy. Absence of policy indicates >>>>> that you should keep the information to yourself. Therefore, >>>>> retransmission-allowed is pointless. >>>>> Therefore, it's harmful because recipients might assume (1). >>>>> >>>>> The prosecution rests ma'am. >>>>> >>>>> Cheers, >>>>> Martin >>>>> >>>>> p.s. "is harmful" in the subject was chosen to be inflammatory, if >>>>> you are reading this, I've been successful. >>>>> Thank you for your time. >>>>> >>>>> >>>>> --------------------------------------------------------------- >>>>> --------------------------------- >>>>> This message is for the designated recipient only and may contain >>>>> privileged, proprietary, or otherwise private information. >>>>> If you have received it in error, please notify the sender >>>>> immediately and delete the original. Any unauthorized use of this >>>>> email is prohibited. >>>>> --------------------------------------------------------------- >>>>> --------------------------------- >>>>> [mf2] >>>>> _______________________________________________ >>>>> Geopriv mailing list >>>>> Geopriv@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/geopriv >>>>> >>>> >>> >>> --------------------------------------------------------------- >>> --------------------------------- >>> This message is for the designated recipient only and may >>> contain privileged, proprietary, or otherwise private information. >>> If you have received it in error, please notify the sender >>> immediately and delete the original. Any unauthorized use of >>> this email is prohibited. >>> --------------------------------------------------------------- >>> --------------------------------- >>> [mf2] >>> >> > > ------------------------------------------------------------------------------------------------ > This message is for the designated recipient only and may > contain privileged, proprietary, or otherwise private information. > If you have received it in error, please notify the sender > immediately and delete the original. Any unauthorized use of > this email is prohibited. > ------------------------------------------------------------------------------------------------ > [mf2] > _______________________________________________ > Geopriv mailing list > Geopriv@ietf.org > https://www.ietf.org/mailman/listinfo/geopriv
- [Geopriv] retransmission-allowed is harmful Thomson, Martin
- Re: [Geopriv] retransmission-allowed is harmful Hannes Tschofenig
- Re: [Geopriv] retransmission-allowed is harmful James M. Polk
- Re: [Geopriv] retransmission-allowed is harmful Thomson, Martin
- Re: [Geopriv] retransmission-allowed is harmful Hannes Tschofenig
- Re: [Geopriv] retransmission-allowed is harmful Thomson, Martin
- Re: [Geopriv] retransmission-allowed is harmful Alissa Cooper