Re: [sipcore] Understanding Privacy: history invoked by UAS

Paul Kyzivat <pkyzivat@cisco.com> Wed, 10 November 2010 09:29 UTC

Return-Path: <pkyzivat@cisco.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A40FC3A69AF for <sipcore@core3.amsl.com>; Wed, 10 Nov 2010 01:29:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.182
X-Spam-Level:
X-Spam-Status: No, score=-110.182 tagged_above=-999 required=5 tests=[AWL=-0.183, BAYES_00=-2.599, J_CHICKENPOX_74=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZ1l6zAcJcdM for <sipcore@core3.amsl.com>; Wed, 10 Nov 2010 01:29:54 -0800 (PST)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 7628F3A6897 for <sipcore@ietf.org>; Wed, 10 Nov 2010 01:29:54 -0800 (PST)
Authentication-Results: sj-iport-3.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAC712UxAaMHG/2dsb2JhbACiNHGgXpsTgnKCWASEWIV/gww
X-IronPort-AV: E=Sophos;i="4.59,177,1288569600"; d="scan'208";a="246582045"
Received: from syd-core-1.cisco.com ([64.104.193.198]) by sj-iport-3.cisco.com with ESMTP; 10 Nov 2010 09:30:05 +0000
Received: from [10.75.234.201] (hkidc-vpn-client-234-201.cisco.com [10.75.234.201]) by syd-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id oAA9U1nb026127 for <sipcore@ietf.org>; Wed, 10 Nov 2010 09:30:03 GMT
Message-ID: <4CDA6617.5010801@cisco.com>
Date: Wed, 10 Nov 2010 17:29:59 +0800
From: Paul Kyzivat <pkyzivat@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: sipcore@ietf.org
References: <A444A0F8084434499206E78C106220CA02357ADA69@MCHP058A.global-ad.net> <A78B9020-EB78-477E-8B2A-22F8F27B1032@ntt-at.com> <A444A0F8084434499206E78C106220CA023587F123@MCHP058A.global-ad.net> <1A3940A5-123E-4FF1-8B94-76B6C5B49596@ntt-at.com>
In-Reply-To: <1A3940A5-123E-4FF1-8B94-76B6C5B49596@ntt-at.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [sipcore] Understanding Privacy: history invoked by UAS
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 09:29:55 -0000

Inline

On 11/10/2010 11:50 AM, Shida Schubert wrote:
>
>   I think RFC4244 was quite vague about how privacy is
> requested and due to that, both privacy header outside
> H-I header or part of hi-entry are used without any clear
> distinction.
>
>   Thus for backward compatibility, I don't think we can
> eliminate the use of Privacy:history, I think we can definitely
> clarify the use of them by saying proxy SHOULD or MUST
> use privacy=header and UAC uses Privacy:history.
>
>   I do think we should clarify the procedure of how history-info
> is anonymized, may be something along the line as follows.

What you outline here is a great improvement.

> 1. Setting privacy indication.
>
>   UAC sets privacy by setting privacy:header or privacy:history
>   Proxy/UAS sets privacy by setting privacy=history in hi-entry
>
> 2. Applying privacy to request.
>
>   Privacy service at the boundary of domain checks if privacy:header
> or privacy:history exists.
>
>   If privacy:history or privacy:header exists then it anonymize all the
> hi-entry from its responsible domain by changing the hi-target-to-uri
> to URI with anonymous.invalid.
>
>   If the hi-entry that is a target of anonymization and has privacy=history,
> it will remove the privacy=history after anonymizing the hi-entry.
>
>   If the hi-entry is already anonymized (URI with anonymous.invalid) it
> will leave the entry as is.
>
>   After anonymizing all the hi-entry from its responsible domain it will
> remove the priv-value of "history" from Privacy header (real header).
>
>   If there are no priv-value remaining in the Privacy header then it will
> remove the Privacy header itself following the procedure in RFC3323.
>
>   If there is no priv-value of "history" or "header", privacy service
> looks through hi-entries and see if there are URI from its domain
> with privacy=history.
>
>   For each hi-entry with privacy=history, privacy service will anonymize
> the hi-target-to-uri and remove the privacy=history after anonymizing
> the hi-entry.
>
> 3. Privacy:none
>
>   With regards to privacy:none, it's tad tricky because
> as Ian said, how it's honored depends on the regulation etc.

ISTM that privacy:none is pretty explicit about how it is to be 
implemented. Either you comply or you don't. If you feel that allowing 
the request to proceed while complying with privacy:none is contrary to 
your policy, then you have the option of failing the call, and just be 
up front with your users that you don't permit them to use privacy:none. 
Then they can decide if they still want to do business with you.

	Thanks,
	Paul

>   Regards
>    Shida
>
> On Nov 10, 2010, at 10:30 AM, Elwell, John wrote:
>
>> In which case we don't need Privacy: history in the response, since it is only a partial solution?
>>
>> John
>>
>>> -----Original Message-----
>>> From: Shida Schubert [mailto:shida@ntt-at.com]
>>> Sent: 09 November 2010 06:24
>>> To: Elwell, John
>>> Cc: sipcore@ietf.org
>>> Subject: Re: [sipcore] Understanding Privacy: history invoked by UAS
>>>
>>>
>>> Hi John;
>>>
>>> In practice, if C cares about its privacy, there should be
>>> a priori arrangement with the service provider or
>>> configuration in proxy to withhold its identity.
>>>
>>> This will allow the proxy sending the 4xx which sets the hi-entry
>>> to ensure privacy is applied by setting escaped privacy header
>>> or Privacy:header.
>>>
>>> Regards
>>>   Shida
>>>
>>> On Nov 9, 2010, at 11:32 AM, Elwell, John wrote:
>>>
>>>> Suppose a request from A is targeted initially at B, this
>>> is mapped to C, and then to registered contact D. The UAS (D)
>>> puts Privacy: history in the response, and therefore prevents
>>> A learning about C and D. Fine.
>>>>
>>>> Now, supposing D is not registered at the time, i.e., there
>>> is no registered contact for C. This results in a 4xx
>>> response to A. How do we ensure that the identity of C is not
>>> disclosed to A, in line with what is achieved when D is registered?
>>>>
>>>> John
>>>>
>>>> _______________________________________________
>>>> sipcore mailing list
>>>> sipcore@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sipcore
>>>
>>>
>
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>