IETF Logo Mail Archive

[Geopriv] Comment for draft-thomson-geopriv-location-dependability-00.txt

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Sun, 22 July 2007 21:39 UTC

Return-path: <geopriv-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ICj98-000821-FE; Sun, 22 Jul 2007 17:39:22 -0400
Received: from geopriv by megatron.ietf.org with local (Exim 4.43) id 1ICj96-00081v-JU for geopriv-confirm+ok@megatron.ietf.org; Sun, 22 Jul 2007 17:39:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ICj96-00081n-A3 for geopriv@ietf.org; Sun, 22 Jul 2007 17:39:20 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1ICj94-0005Wq-OD for geopriv@ietf.org; Sun, 22 Jul 2007 17:39:20 -0400
Received: (qmail invoked by alias); 22 Jul 2007 21:39:16 -0000
Received: from dhcp-10fb.ietf69.org (EHLO [130.129.16.251]) [130.129.16.251] by mail.gmx.net (mp046) with SMTP; 22 Jul 2007 23:39:16 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/yPjssMxvyuq0dPi6d/rXWHzH3zkP3nTqYty0JSE r9Mnu+DuvoSlEh
Message-ID: <46A3CE7F.5080400@gmx.net>
Date: Sun, 22 Jul 2007 23:39:11 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.5 (Windows/20070716)
MIME-Version: 1.0
To: GEOPRIV <geopriv@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7fa173a723009a6ca8ce575a65a5d813
Subject: [Geopriv] Comment for draft-thomson-geopriv-location-dependability-00.txt
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
Errors-To: geopriv-bounces@ietf.org

I have read this interesting draft and I have a few high-level comments.

Section 2: Goals

FYI, the reference to I-D.ietf-geopriv-l7-lcp-ps needs to be updated to 
[I-D.barnes-geopriv-lo-sec] since we moved the terms and the security 
related context.

Section 2.1: Non-Goals

This section has not helped me to understand what you do not want todo.

Section 5.1: 'entity' Attribute

"
 If the LIS is able to authenticate the Target, and the Target grants
   permission to the LIS to use this field, the LIS can include this
   information in the "entity" field.
"

Does HELD provide such a capability to authenticate the end host?

"
  Presentity identifiers can be reused for the same Target, provided
   that the LIS is able to verify that the Target is the same.  This
   depends on the means by which location is acquired from the LIS; if
   session data that links subsequent requests exists, the LIS MAY reuse
   the presentity identifier.  Note that the the Target can initiate a
   new session to ensure that a new identifier is generated and thereby
   ensure that their previous and current positions cannot be correlated
   using the presentity identifier.
"

Is it correct to assume that the "session" concept in HELD refers to the 
http://tools.ietf.org/wg/geopriv/draft-winterbottom-geopriv-held-context-00.txt
?

Whatever mechanism you use I believe that you have to allow the end host 
to indicate that it does not want to utilize the capability of 
correlating identifiers. 

"
  This does not prevent the use of a "real" presentity in this field.
   If the LIS is able to authenticate the Target, and the Target grants
   permission to the LIS to use this field, the LIS can include this
   information in the "entity" field.  These conditions are hard to
   meet, which leads to two alternative means of including Target
   identity, described in the following sections.
"

This seems to be focused on HELD, right? If that's the case then there 
is no way for the LIS to authenticate my real presence identity. How 
does the Target grant a permission to the LIS to use a "real" identity?


"
  To achieve this linkage between location object and the Target's
   identity, the Target sends its identity to the LIS.  The LIS includes
   this identifier in the signed location object, effectively linking
   the identity to the location information.
"
"
   The LIS is not expected to authenticate this identity information,
   although it MAY do so.  This means that an attacker within the
   network could request a signed location object with any identity they
   choose.  However, the location object could only be used by an entity
   that can prove that they have the chosen identity, which limits the
   number of potential attackers.
"

I suspect that these paragraphs are not really applicable given that 
Section 5.3 says that you provide the hash of the user identity rather 
than the plaintext identity itself.

I like Section 5.3. It obviously requires a deep application knowledge 
since you need to put the correct address in there that will be later 
seen and authenticated by the Location Recipient.
The problem is that the hash of the identity is always the same (unless 
you change your identity). That obviously provides a good opportunity 
for linkability.

I am not sure what you want to say with Section 5.4. "Authenticated 
Identity".
The same is true for Section 5.5 "Multiple Identity Attack".

Section 6:

"
 This element is used in
   addition to a randomized "entity" attribute for several reasons: a
   randomized "entity" attribute can be used to detect replays; the
   identity is not necessarily authenticated; and the content can be
   other than a presentity identifier.
"
I would put the hashed identifier into the entity field but add a new 
"replay protection" element to store a randomized value.

Section 6.1: I am not sure to what this info refers.

Section 6.3: I think that this is problematic. Does the client has a 
chance to control the inclusion of this attribute? What identities are 
actually authenticated?

I cannot speak too much about the XPATH usage.

I believe there is a chance to shorten the draft considerably and make a 
couple of things more precise.

Ciao
Hannes



_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv

v2.23.0 | Report a Bug | By Email