[Geopriv] Comment for draft-thomson-geopriv-location-dependability-00.txt
Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Sun, 22 July 2007 21:39 UTC
Return-path: <geopriv-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ICj98-000821-FE; Sun, 22 Jul 2007 17:39:22 -0400
Received: from geopriv by megatron.ietf.org with local (Exim 4.43) id 1ICj96-00081v-JU for geopriv-confirm+ok@megatron.ietf.org; Sun, 22 Jul 2007 17:39:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ICj96-00081n-A3 for geopriv@ietf.org; Sun, 22 Jul 2007 17:39:20 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1ICj94-0005Wq-OD for geopriv@ietf.org; Sun, 22 Jul 2007 17:39:20 -0400
Received: (qmail invoked by alias); 22 Jul 2007 21:39:16 -0000
Received: from dhcp-10fb.ietf69.org (EHLO [130.129.16.251]) [130.129.16.251] by mail.gmx.net (mp046) with SMTP; 22 Jul 2007 23:39:16 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/yPjssMxvyuq0dPi6d/rXWHzH3zkP3nTqYty0JSE r9Mnu+DuvoSlEh
Message-ID: <46A3CE7F.5080400@gmx.net>
Date: Sun, 22 Jul 2007 23:39:11 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.5 (Windows/20070716)
MIME-Version: 1.0
To: GEOPRIV <geopriv@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7fa173a723009a6ca8ce575a65a5d813
Subject: [Geopriv] Comment for draft-thomson-geopriv-location-dependability-00.txt
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
Errors-To: geopriv-bounces@ietf.org
I have read this interesting draft and I have a few high-level comments. Section 2: Goals FYI, the reference to I-D.ietf-geopriv-l7-lcp-ps needs to be updated to [I-D.barnes-geopriv-lo-sec] since we moved the terms and the security related context. Section 2.1: Non-Goals This section has not helped me to understand what you do not want todo. Section 5.1: 'entity' Attribute " If the LIS is able to authenticate the Target, and the Target grants permission to the LIS to use this field, the LIS can include this information in the "entity" field. " Does HELD provide such a capability to authenticate the end host? " Presentity identifiers can be reused for the same Target, provided that the LIS is able to verify that the Target is the same. This depends on the means by which location is acquired from the LIS; if session data that links subsequent requests exists, the LIS MAY reuse the presentity identifier. Note that the the Target can initiate a new session to ensure that a new identifier is generated and thereby ensure that their previous and current positions cannot be correlated using the presentity identifier. " Is it correct to assume that the "session" concept in HELD refers to the http://tools.ietf.org/wg/geopriv/draft-winterbottom-geopriv-held-context-00.txt ? Whatever mechanism you use I believe that you have to allow the end host to indicate that it does not want to utilize the capability of correlating identifiers. " This does not prevent the use of a "real" presentity in this field. If the LIS is able to authenticate the Target, and the Target grants permission to the LIS to use this field, the LIS can include this information in the "entity" field. These conditions are hard to meet, which leads to two alternative means of including Target identity, described in the following sections. " This seems to be focused on HELD, right? If that's the case then there is no way for the LIS to authenticate my real presence identity. How does the Target grant a permission to the LIS to use a "real" identity? " To achieve this linkage between location object and the Target's identity, the Target sends its identity to the LIS. The LIS includes this identifier in the signed location object, effectively linking the identity to the location information. " " The LIS is not expected to authenticate this identity information, although it MAY do so. This means that an attacker within the network could request a signed location object with any identity they choose. However, the location object could only be used by an entity that can prove that they have the chosen identity, which limits the number of potential attackers. " I suspect that these paragraphs are not really applicable given that Section 5.3 says that you provide the hash of the user identity rather than the plaintext identity itself. I like Section 5.3. It obviously requires a deep application knowledge since you need to put the correct address in there that will be later seen and authenticated by the Location Recipient. The problem is that the hash of the identity is always the same (unless you change your identity). That obviously provides a good opportunity for linkability. I am not sure what you want to say with Section 5.4. "Authenticated Identity". The same is true for Section 5.5 "Multiple Identity Attack". Section 6: " This element is used in addition to a randomized "entity" attribute for several reasons: a randomized "entity" attribute can be used to detect replays; the identity is not necessarily authenticated; and the content can be other than a presentity identifier. " I would put the hashed identifier into the entity field but add a new "replay protection" element to store a randomized value. Section 6.1: I am not sure to what this info refers. Section 6.3: I think that this is problematic. Does the client has a chance to control the inclusion of this attribute? What identities are actually authenticated? I cannot speak too much about the XPATH usage. I believe there is a chance to shorten the draft considerably and make a couple of things more precise. Ciao Hannes _______________________________________________ Geopriv mailing list Geopriv@ietf.org https://www1.ietf.org/mailman/listinfo/geopriv
- [Geopriv] Comment for draft-thomson-geopriv-locat… Hannes Tschofenig