IETF Logo Mail Archive

Re: [Sipping-emergency] Comment about Charter [no privacy?]

Henning Schulzrinne <hgs@cs.columbia.edu> Fri, 29 October 2004 13:58 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA00736 for <sipping-emergency-web-archive@ietf.org>; Fri, 29 Oct 2004 09:58:24 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CNXVA-0007gO-DJ for sipping-emergency-web-archive@ietf.org; Fri, 29 Oct 2004 10:13:12 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CNX4r-0002FA-KK; Fri, 29 Oct 2004 09:46:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CNWkt-0008BW-B9 for sipping-emergency@megatron.ietf.org; Fri, 29 Oct 2004 09:25:23 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA27842 for <sipping-emergency@ietf.org>; Fri, 29 Oct 2004 09:25:21 -0400 (EDT)
Received: from cs.columbia.edu ([128.59.16.20]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CNWzA-0006sp-TB for sipping-emergency@ietf.org; Fri, 29 Oct 2004 09:40:09 -0400
Received: from razor.cs.columbia.edu (IDENT:6mc5FF81K7VbCSe5n/JAfoomfO3YiWLI@razor.cs.columbia.edu [128.59.16.8]) by cs.columbia.edu (8.12.10/8.12.10) with ESMTP id i9TDOxRX021774; Fri, 29 Oct 2004 09:25:00 -0400 (EDT)
Received: from [127.0.0.1] (IDENT:rpjv+HT5SShSFGym7k8M0SymoMrHzcAX@localhost [127.0.0.1]) by razor.cs.columbia.edu (8.12.10/8.12.10) with ESMTP id i9TDOwXH006868; Fri, 29 Oct 2004 09:24:58 -0400
Message-ID: <41824442.1010609@cs.columbia.edu>
Date: Fri, 29 Oct 2004 09:23:14 -0400
From: Henning Schulzrinne <hgs@cs.columbia.edu>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brian Rosen <br@brianrosen.net>
Subject: Re: [Sipping-emergency] Comment about Charter [no privacy?]
References: <200410291208.IAA22088@ietf.org>
In-Reply-To: <200410291208.IAA22088@ietf.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.2.0, Antispam-Data: 2004.10.29.0
X-PerlMx-Spam: Gauge=IIIIIII, Probability=7%, Report='__CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __MIME_VERSION 0, __SANE_MSGID 0'
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by cs.columbia.edu id i9TDOxRX021774
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 32b73d73e8047ed17386f9799119ce43
Content-Transfer-Encoding: quoted-printable
Cc: "'James M. Polk'" <jmpolk@cisco.com>, sipping-emergency@ietf.org, 'Tschofenig Hannes' <hannes.tschofenig@siemens.com>
X-BeenThere: sipping-emergency@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: sipping-emergency.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping-emergency>, <mailto:sipping-emergency-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping-emergency@ietf.org>
List-Help: <mailto:sipping-emergency-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping-emergency>, <mailto:sipping-emergency-request@ietf.org?subject=subscribe>
Sender: sipping-emergency-bounces@ietf.org
Errors-To: sipping-emergency-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 14582b0692e7f70ce7111d04db3781c8
Content-Transfer-Encoding: quoted-printable

Brian Rosen wrote:

> I would think that given the history in geopriv over this issue, that we 
> aren’t going to get IETF to publish an RFC where not reporting location 
> is incompliant with a spec; we have a sufficient number of people who 
> feel passionately that an individual cannot be COMPELLED to report 
> location.  This is quite easily dealt with by using SHOULD language.  
> The emergency call system can choose to accept such calls or not, as 
> local regulations dictate. 

It's a bit more complicated than that, as there are at least three 
reasons not to provide location:

(1) The calling end system (and elements along the call path) may not 
know the location; this is obviously going to be quite common, 
particularly in the early days. Having the PSAP refuse all such calls 
seems unwise.

(2) The caller may refuse to give his location for good or bad reasons.

(3) The caller may not be at the scene of the emergency or may report a 
non-emergency-related issue and have a legitimate interest not to report 
his location or identity. (I suspect quite a few crime tips are phoned 
into 911, even though they might not be emergencies as such.)

I don't think we need to deal with (3). A PSAP could simply tell the 
caller that the call location is recorded and provide an anonymous tip 
line number.

I don't think including "sorry, I wish I could provide my location, but 
I can't" is particularly useful since bad guys will have little 
compunction about fibbing.

In addition, "providing location" is not binary. I might decide or be 
able to provide location sufficient to route the call (e.g., town 
level), but not to dispatch a fire engine (house level).

I'm not sure what to do about this. In classical 911, this is easy since 
the system can compel you to provide location.

In practice, I don't think this is as big a problem. People routinely 
call 911 from payphones or non-phase-II cell phones today, where even 
knowing the location doesn't exactly help you to find malicious callers.

The best we can probably do is to provide degrees of assurance so that 
the responder can better tell if he should be suspicious of the call and 
maybe question the caller a bit more. ("What's the name of the cross 
street? How come it's dead quiet in the background when you're on 
Broadway and 42nd street?")

> 
>  
> 
> The most straightforward method of providing authentication would be to 
> have the location object signed by a trusted entity.  I’ve had a running 
> dialog with James Winterbottom and his co-authors on this subject; I 
> maintain it is not practical to always have a trusted entity, but let’s 
> say, for this discussion, that there is.  If only the location object 
> itself is signed, and no other identifying piece of information that 
> attaches an identity to the location, then you can assure that the 
> location report itself has not been modified, but you don’t know that 
> the object represents the location of the entity presenting it (you are 
> subject to a replay attack).   The only way to be assured that the 
> location object represents the entity presenting it would be to have a 
> credential or other identifier in the signed object that was verifiable 
> by the entity receiving the call as belonging to the entity placing the 
> call.  I have no idea what such a credential/identifier could be 
> because, as I will show, the entity that could reasonably sign the LO 
> doesn’t have any identity for the entity placing the call when it has to 
> sign the object; they are entirely disconnected from one another.  This 
> thread is about how to make sure that whatever identifier is used, it 
> can’t be used to specifically identify a person.  That still doesn’t 
> solve the problems of what entities could reasonably assert location 
> validation, and how any form of anonymous, but authenticated, location 
> could be provided.  I have no suggestions.
> 
>  
> 
> Brian

_______________________________________________
Sipping-emergency mailing list
Sipping-emergency@ietf.org
https://www1.ietf.org/mailman/listinfo/sipping-emergency

v2.23.0 | Report a Bug | By Email