RE: [Sipping-emergency] Comment about Charter [no privacy?]
Tschofenig Hannes <hannes.tschofenig@siemens.com> Fri, 29 October 2004 13:27 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA27921 for <sipping-emergency-web-archive@ietf.org>; Fri, 29 Oct 2004 09:27:26 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CNX1C-0006uZ-2M for sipping-emergency-web-archive@ietf.org; Fri, 29 Oct 2004 09:42:14 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CNWhW-0007Jw-6C; Fri, 29 Oct 2004 09:21:54 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CNWV0-00085C-J9 for sipping-emergency@megatron.ietf.org; Fri, 29 Oct 2004 09:08:58 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26943 for <sipping-emergency@ietf.org>; Fri, 29 Oct 2004 09:08:57 -0400 (EDT)
Received: from thoth.sbs.de ([192.35.17.2]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CNWjI-0006ad-2J for sipping-emergency@ietf.org; Fri, 29 Oct 2004 09:23:44 -0400
Received: from mail3.siemens.de (mail3.siemens.de [139.25.208.14]) by thoth.sbs.de (8.12.6/8.12.6) with ESMTP id i9TD8ofO015350; Fri, 29 Oct 2004 15:08:50 +0200
Received: from mchp9daa.mch.sbs.de (mchp9daa.mch.sbs.de [139.25.137.99]) by mail3.siemens.de (8.12.6/8.12.6) with ESMTP id i9TD8nBO013506; Fri, 29 Oct 2004 15:08:49 +0200
Received: by mchp9daa.mch.sbs.de with Internet Mail Service (5.5.2657.72) id <4BVR8FQ5>; Fri, 29 Oct 2004 15:08:49 +0200
Message-ID: <2A8DB02E3018D411901B009027FD3A3F04686949@mchp905a.mch.sbs.de>
From: Tschofenig Hannes <hannes.tschofenig@siemens.com>
To: 'Brian Rosen' <br@brianrosen.net>, 'James Winterbottom' <winterb@nortelnetworks.com>, "'James M. Polk'" <jmpolk@cisco.com>, sipping-emergency@ietf.org
Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?]
Date: Fri, 29 Oct 2004 15:08:39 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 850245b51c39701e2700a112f3032caa
X-BeenThere: sipping-emergency@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: sipping-emergency.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping-emergency>, <mailto:sipping-emergency-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping-emergency@ietf.org>
List-Help: <mailto:sipping-emergency-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping-emergency>, <mailto:sipping-emergency-request@ietf.org?subject=subscribe>
Sender: sipping-emergency-bounces@ietf.org
Errors-To: sipping-emergency-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2a9ffb6f997442a3b543bcdaf483b990
# hi brian, # thanks for raising these issues. please see my comments inline: From: Brian Rosen [mailto:br@brianrosen.net] Sent: Freitag, 29. Oktober 2004 14:07 To: Tschofenig Hannes; 'James Winterbottom'; 'James M. Polk'; sipping-emergency@ietf.org Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?] This is a good point. This points out a common tension between groups seeking authenticity and groups seeking privacy. # i fully agree with you that there is always different entities with different requirements (which are, unfortunately, often conflicting). The emergency call authorities reasonably want to prevent forging of location, which could be used to direct responders away from something bad about to happen. Individuals do not want their location to be able to be tracked in some circumstances. # i guess that the threat model is a bit more complicated (just some preliminary thoughts): you need to worry about - the end host (which might not always be trustworthy) - intermediate sip proxies - the emergency center - entities providing the location information (e.g., dhcp server, some nodes in the network, etc.) - entities which just observe the communication (e.g., on a wireless link) - entities which can actively participate in the communication (as a mitm adversary) In North America, the tension between privacy and location authenticity is solved with legislation: the privacy right is explicitly waived when an emergency call is placed. It would be interesting to know if this is not the case in other areas. This is a geopriv issue, but we might have to send some requirements to them over the issue. # the geopriv working group will be pleased to see the requirements but the requirements document has been finalized some time ago. if there are new requirements which lead to new protocol mechanisms (which i am not sure) then they new work needs to be started. at the moment i, however, think that the individual building blocks just need to be combined in a useful fashion. Recognize that automatic reporting of location is implemented because all too often the caller does not know where they are, or is unable to communicate where they are, to the call taker. When you make an emergency call, you MUST provide location, and in every jurisdiction, it would be a crime to falsely report your location. # true. that's even true today but too often some folks do not care about this issue. one way to limit this problem is to verify (or add location information) by the outbound proxy. this, however, has its own limitations, as you know. I would think that given the history in geopriv over this issue, that we aren't going to get IETF to publish an RFC where not reporting location is incompliant with a spec; we have a sufficient number of people who feel passionately that an individual cannot be COMPELLED to report location. This is quite easily dealt with by using SHOULD language. The emergency call system can choose to accept such calls or not, as local regulations dictate. The most straightforward method of providing authentication would be to have the location object signed by a trusted entity. I've had a running dialog with James Winterbottom and his co-authors on this subject; I maintain it is not practical to always have a trusted entity, but let's say, for this discussion, that there is. If only the location object itself is signed, and no other identifying piece of information that attaches an identity to the location, then you can assure that the location report itself has not been modified, but you don't know that the object represents the location of the entity presenting it (you are subject to a replay attack). The only way to be assured that the location object represents the entity presenting it would be to have a credential or other identifier in the signed object that was verifiable by the entity receiving the call as belonging to the entity placing the call. I have no idea what such a credential/identifier could be because, as I will show, the entity that could reasonably sign the LO doesn't have any identity for the entity placing the call when it has to sign the object; they are entirely disconnected from one another. This thread is about how to make sure that whatever identifier is used, it can't be used to specifically identify a person. That still doesn't solve the problems of what entities could reasonably assert location validation, and how any form of anonymous, but authenticated, location could be provided. I have no suggestions. # digitally signing the location object does not prevent replay attacks. that's for sure. however, in combination with some other mechanisms i think that a deployable system can be developed. as an example, if you have a location object which is not signed by the end host itself but rather by a different entity then you can combine it with sip specific security mechanisms (such as s/mime protection) to indicate to the emergency center that you placed the call. in any case you need to differentiate between the case where the end host generated the location object and a case where this is done by a third party (for example because the end host does not know its own location information). the location object needs to indicate the target identity and this information is provided by pidf-lo: " The GEOPRIV requirements [10] (or REQ for short) specify the need for a name for the person, place or thing that location information describes (REQ 2.1). PIDF has such an identifier already, since every PIDF document has an "entity" attribute of the 'presence' element that signifies the URI of the entity whose presence the document describes. " (section 2.1 of http://www.ietf.org/internet-drafts/draft-ietf-geopriv-pidf-lo-03.txt) i think that these different aspects will be written down somewhere. (maybe they are already covered by some of the drafts.) ciao hannes Brian ________________________________ From: sipping-emergency-bounces@ietf.org [mailto:sipping-emergency-bounces@ietf.org] On Behalf Of Tschofenig Hannes Sent: Friday, October 29, 2004 4:14 AM To: 'James Winterbottom'; James M. Polk; sipping-emergency@ietf.org Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?] hi james, every document will have to address both privacy and security considerations. the geopriv requirements draft gives a number of guidelines but more work is needed when you apply it to an actual using protocol (such as sip). the fact that you have pseudonyms is nice but still there are some places where user names show up. for example, end-to-end security mechanisms provide the recipient a way to authenticate you (and authorizate you based on your authenticated identity) but if you want to experience anonymity then the authorization functionality at the recipient is certainly more difficult. ciao hannes ________________________________ From: James Winterbottom [mailto:winterb@nortelnetworks.com] Sent: Freitag, 29. Oktober 2004 08:32 To: James M. Polk; sipping-emergency@ietf.org Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?] Hi James, Doesn't "draft-ietf-geopriv-pres-02" suggest that a location server/generator is able to transmit a location to a location recipient, be that the target itself, or someone else. I believe that this is also covered in RFC-3693 GeoPriv Requirements. In order to be able to transmit a location, one must first be able to determine it!!! For the purposes of transmitting location pseudonyms are also used, so I am not sure where the tying to a user name comes in. What was submitted by me is a set of requirements that the authors believe need to be satisfied in order to meet the needs of emergency service providers. There has been no discussion of not using or varying the existing GeoPriv rulesets. Cheers James -----Original Message----- From: sipping-emergency-bounces@ietf.org [mailto:sipping-emergency-bounces@ietf.org] Sent: Friday, 29 October 2004 3:07 PM To: sipping-emergency@ietf.org Subject: [Sipping-emergency] Comment about Charter [no privacy?] All In reading the charter for our new ECRIT BOF, I don't see mention of privacy concerns wrt the ability to track an endpoint based on some Loc Info Server (LIS) always knowing where that endpoint is (if nomadic or mobile), or tying a user(name) to a particular endpoint (regardless of what type it is). I thought privacy was agreed upon to be mentioned as a consideration? I know at least Jonathan and I brought it up, and I think I remember Jon agreeing to this consideration. We do not want to ignore the retention and distribution rules we so carefully built into the PIDF-LO cheers, James ******************* Truth is not to be argued... it is to be presented _______________________________________________ Sipping-emergency mailing list Sipping-emergency@ietf.org https://www1.ietf.org/mailman/listinfo/sipping-emergency _______________________________________________ Sipping-emergency mailing list Sipping-emergency@ietf.org https://www1.ietf.org/mailman/listinfo/sipping-emergency
- RE: [Sipping-emergency] Comment about Charter [no… McCalmont, Patti
- [Sipping-emergency] Comment about Charter [no pri… James M. Polk
- RE: [Sipping-emergency] Comment about Charter [no… James Winterbottom
- RE: [Sipping-emergency] Comment about Charter [no… Tschofenig Hannes
- RE: [Sipping-emergency] Comment about Charter [no… Tschofenig Hannes
- RE: [Sipping-emergency] Comment about Charter [no… Brian Rosen
- RE: [Sipping-emergency] Comment about Charter [no… Tschofenig Hannes
- Re: [Sipping-emergency] Comment about Charter [no… Henning Schulzrinne
- RE: [Sipping-emergency] Comment about Charter [no… Marc Linsner
- RE: [Sipping-emergency] Comment about Charter [no… James M. Polk
- RE: [Sipping-emergency] Comment about Charter [no… James M. Polk
- RE: [Sipping-emergency] Comment about Charter [no… James Winterbottom