Re: [sipcore] Understanding Privacy: history invoked by UAS

Shida Schubert <shida@ntt-at.com> Wed, 10 November 2010 03:50 UTC

Return-Path: <shida@ntt-at.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8CFC63A67F3 for <sipcore@core3.amsl.com>; Tue, 9 Nov 2010 19:50:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.673
X-Spam-Level:
X-Spam-Status: No, score=-101.673 tagged_above=-999 required=5 tests=[AWL=-0.008, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_74=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zWqab0xAsf0J for <sipcore@core3.amsl.com>; Tue, 9 Nov 2010 19:49:59 -0800 (PST)
Received: from gateway12.websitewelcome.com (gateway12.websitewelcome.com [69.93.35.2]) by core3.amsl.com (Postfix) with SMTP id 8CB163A6407 for <sipcore@ietf.org>; Tue, 9 Nov 2010 19:49:59 -0800 (PST)
Received: (qmail 18702 invoked from network); 10 Nov 2010 03:50:06 -0000
Received: from gator465.hostgator.com (69.56.174.130) by gateway12.websitewelcome.com with SMTP; 10 Nov 2010 03:50:06 -0000
Received: from [130.129.128.223] (port=58725 helo=dhcp-80df.meeting.ietf.org) by gator465.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <shida@ntt-at.com>) id 1PG1hN-0006DY-TC; Tue, 09 Nov 2010 21:50:20 -0600
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset=us-ascii
From: Shida Schubert <shida@ntt-at.com>
In-Reply-To: <A444A0F8084434499206E78C106220CA023587F123@MCHP058A.global-ad.net>
Date: Wed, 10 Nov 2010 12:50:16 +0900
Content-Transfer-Encoding: quoted-printable
Message-Id: <1A3940A5-123E-4FF1-8B94-76B6C5B49596@ntt-at.com>
References: <A444A0F8084434499206E78C106220CA02357ADA69@MCHP058A.global-ad.net> <A78B9020-EB78-477E-8B2A-22F8F27B1032@ntt-at.com> <A444A0F8084434499206E78C106220CA023587F123@MCHP058A.global-ad.net>
To: "Elwell, John" <john.elwell@siemens-enterprise.com>
X-Mailer: Apple Mail (2.1081)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator465.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ntt-at.com
Cc: "sipcore@ietf.org" <sipcore@ietf.org>
Subject: Re: [sipcore] Understanding Privacy: history invoked by UAS
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 03:50:00 -0000

 I think RFC4244 was quite vague about how privacy is 
requested and due to that, both privacy header outside 
H-I header or part of hi-entry are used without any clear 
distinction.

 Thus for backward compatibility, I don't think we can 
eliminate the use of Privacy:history, I think we can definitely 
clarify the use of them by saying proxy SHOULD or MUST 
use privacy=header and UAC uses Privacy:history. 

 I do think we should clarify the procedure of how history-info 
is anonymized, may be something along the line as follows.

1. Setting privacy indication.

 UAC sets privacy by setting privacy:header or privacy:history
 Proxy/UAS sets privacy by setting privacy=history in hi-entry

2. Applying privacy to request.

 Privacy service at the boundary of domain checks if privacy:header 
or privacy:history exists.

 If privacy:history or privacy:header exists then it anonymize all the 
hi-entry from its responsible domain by changing the hi-target-to-uri 
to URI with anonymous.invalid. 

 If the hi-entry that is a target of anonymization and has privacy=history, 
it will remove the privacy=history after anonymizing the hi-entry.

 If the hi-entry is already anonymized (URI with anonymous.invalid) it 
will leave the entry as is. 

 After anonymizing all the hi-entry from its responsible domain it will 
remove the priv-value of "history" from Privacy header (real header).

 If there are no priv-value remaining in the Privacy header then it will 
remove the Privacy header itself following the procedure in RFC3323.

 If there is no priv-value of "history" or "header", privacy service 
looks through hi-entries and see if there are URI from its domain 
with privacy=history.

 For each hi-entry with privacy=history, privacy service will anonymize 
the hi-target-to-uri and remove the privacy=history after anonymizing 
the hi-entry. 

3. Privacy:none

 With regards to privacy:none, it's tad tricky because 
as Ian said, how it's honored depends on the regulation etc. 

 Regards
  Shida

On Nov 10, 2010, at 10:30 AM, Elwell, John wrote:

> In which case we don't need Privacy: history in the response, since it is only a partial solution?
> 
> John 
> 
>> -----Original Message-----
>> From: Shida Schubert [mailto:shida@ntt-at.com] 
>> Sent: 09 November 2010 06:24
>> To: Elwell, John
>> Cc: sipcore@ietf.org
>> Subject: Re: [sipcore] Understanding Privacy: history invoked by UAS
>> 
>> 
>> Hi John;
>> 
>> In practice, if C cares about its privacy, there should be 
>> a priori arrangement with the service provider or 
>> configuration in proxy to withhold its identity.
>> 
>> This will allow the proxy sending the 4xx which sets the hi-entry 
>> to ensure privacy is applied by setting escaped privacy header 
>> or Privacy:header. 
>> 
>> Regards
>>  Shida 
>> 
>> On Nov 9, 2010, at 11:32 AM, Elwell, John wrote:
>> 
>>> Suppose a request from A is targeted initially at B, this 
>> is mapped to C, and then to registered contact D. The UAS (D) 
>> puts Privacy: history in the response, and therefore prevents 
>> A learning about C and D. Fine.
>>> 
>>> Now, supposing D is not registered at the time, i.e., there 
>> is no registered contact for C. This results in a 4xx 
>> response to A. How do we ensure that the identity of C is not 
>> disclosed to A, in line with what is achieved when D is registered?
>>> 
>>> John
>>> 
>>> _______________________________________________
>>> sipcore mailing list
>>> sipcore@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sipcore
>> 
>>