IETF Logo Mail Archive

RE: [Sipping-emergency] Comment about Charter [no privacy?]

"James M. Polk" <jmpolk@cisco.com> Fri, 29 October 2004 17:40 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18324 for <sipping-emergency-web-archive@ietf.org>; Fri, 29 Oct 2004 13:40:22 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CNaxz-0004Gd-PV for sipping-emergency-web-archive@ietf.org; Fri, 29 Oct 2004 13:55:12 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CNaf3-0006ay-5t; Fri, 29 Oct 2004 13:35:37 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CNaYQ-0008W3-7g for sipping-emergency@megatron.ietf.org; Fri, 29 Oct 2004 13:28:46 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17594 for <sipping-emergency@ietf.org>; Fri, 29 Oct 2004 13:28:43 -0400 (EDT)
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CNamg-000415-Rc for sipping-emergency@ietf.org; Fri, 29 Oct 2004 13:43:34 -0400
Received: from sj-core-1.cisco.com (171.71.177.237) by sj-iport-1.cisco.com with ESMTP; 29 Oct 2004 10:39:31 -0700
X-BrightmailFiltered: true
Received: from wells.cisco.com (wells.cisco.com [171.71.177.223]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id i9THRgQ0021543; Fri, 29 Oct 2004 10:27:42 -0700 (PDT)
Received: from jmpolk-w2k01.diablo.cisco.com (ssh-sjc-1.cisco.com [171.68.225.134]) by wells.cisco.com (8.8.6 (PHNE_14041)/CISCO.SERVER.1.2) with ESMTP id KAA11934; Fri, 29 Oct 2004 10:27:41 -0700 (PDT)
Message-Id: <4.3.2.7.2.20041029122059.02762bf8@localhost>
X-Sender: jmpolk@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 29 Oct 2004 12:27:42 -0500
To: Brian Rosen <br@brianrosen.net>, 'Tschofenig Hannes' <hannes.tschofenig@siemens.com>, 'James Winterbottom' <winterb@nortelnetworks.com>, sipping-emergency@ietf.org
From: "James M. Polk" <jmpolk@cisco.com>
Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?]
In-Reply-To: <3hr0l2$7q69t@sj-inbound-c.cisco.com>
References: <2A8DB02E3018D411901B009027FD3A3F04686938@mchp905a.mch.sbs.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 1.1 (+)
X-Scan-Signature: e472ca43d56132790a46d9eefd95f0a5
X-BeenThere: sipping-emergency@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: sipping-emergency.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping-emergency>, <mailto:sipping-emergency-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping-emergency@ietf.org>
List-Help: <mailto:sipping-emergency-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping-emergency>, <mailto:sipping-emergency-request@ietf.org?subject=subscribe>
Sender: sipping-emergency-bounces@ietf.org
Errors-To: sipping-emergency-bounces@ietf.org
X-Spam-Score: 1.1 (+)
X-Scan-Signature: 0cff8c3ec906d056784362c06f5f88c1

If all documents have to address privacy and security in compliance to that 
which was specifically addressed in Geopriv, and these two topics were 
already discussed on this list for inclusion in the charter, then why not 
agree to add the text?

At 08:07 AM 10/29/2004 -0400, Brian Rosen wrote:

>This is a good point.
>
>This points out a common tension between groups seeking authenticity and 
>groups seeking privacy.
>
>The emergency call authorities reasonably want to prevent forging of 
>location, which could be used to direct responders away from something bad 
>about to happen.  Individuals do not want their location to be able to be 
>tracked in some circumstances.
>
>In North America, the tension between privacy and location authenticity is 
>solved with legislation: the privacy right is explicitly waived when an 
>emergency call is placed.  It would be interesting to know if this is not 
>the case in other areas.  This is a geopriv issue, but we might have to 
>send some requirements to them over the issue.
>
>Recognize that automatic reporting of location is implemented because all 
>too often the caller does not know where they are, or is unable to 
>communicate where they are, to the call taker.   When you make an 
>emergency call, you MUST provide location, and in every jurisdiction, it 
>would be a crime to falsely report your location.
>
>I would think that given the history in geopriv over this issue, that we 
>aren t going to get IETF to publish an RFC where not reporting location is 
>incompliant with a spec; we have a sufficient number of people who feel 
>passionately that an individual cannot be COMPELLED to report 
>location.  This is quite easily dealt with by using SHOULD language.  The 
>emergency call system can choose to accept such calls or not, as local 
>regulations dictate.
>
>The most straightforward method of providing authentication would be to 
>have the location object signed by a trusted entity.  I ve had a running 
>dialog with James Winterbottom and his co-authors on this subject; I 
>maintain it is not practical to always have a trusted entity, but let s 
>say, for this discussion, that there is.  If only the location object 
>itself is signed, and no other identifying piece of information that 
>attaches an identity to the location, then you can assure that the 
>location report itself has not been modified, but you don t know that the 
>object represents the location of the entity presenting it (you are 
>subject to a replay attack).   The only way to be assured that the 
>location object represents the entity presenting it would be to have a 
>credential or other identifier in the signed object that was verifiable by 
>the entity receiving the call as belonging to the entity placing the 
>call.  I have no idea what such a credential/identifier could be because, 
>as I will show, the entity that could reasonably sign the LO doesn t have 
>any identity for the entity placing the call when it has to sign the 
>object; they are entirely disconnected from one another.  This thread is 
>about how to make sure that whatever identifier is used, it can t be used 
>to specifically identify a person.  That still doesn t solve the problems 
>of what entities could reasonably assert location validation, and how any 
>form of anonymous, but authenticated, location could be provided.  I have 
>no suggestions.
>
>
>
>Brian
>
>
>
>----------
>From: sipping-emergency-bounces@ietf.org 
>[mailto:sipping-emergency-bounces@ietf.org] On Behalf Of Tschofenig Hannes
>Sent: Friday, October 29, 2004 4:14 AM
>To: 'James Winterbottom'; James M. Polk; sipping-emergency@ietf.org
>Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?]
>
>
>
>hi james,
>
>
>
>every document will have to address both privacy and security 
>considerations. the geopriv requirements draft gives a number of 
>guidelines but more work is needed when you apply it to an actual using 
>protocol (such as sip). the fact that you have pseudonyms is nice but 
>still there are some places where user names show up. for example, 
>end-to-end security mechanisms provide the recipient a way to authenticate 
>you (and authorizate you based on your authenticated identity) but if you 
>want to experience anonymity then the authorization functionality at the 
>recipient is certainly more difficult.
>
>
>
>ciao
>
>hannes
>
>
>
>----------
>From: James Winterbottom [mailto:winterb@nortelnetworks.com]
>Sent: Freitag, 29. Oktober 2004 08:32
>To: James M. Polk; sipping-emergency@ietf.org
>Subject: RE: [Sipping-emergency] Comment about Charter [no privacy?]
>Hi James,
>
>Doesn't "draft-ietf-geopriv-pres-02" suggest that a location 
>server/generator is able to transmit a location to a location recipient, 
>be that the target itself, or someone else. I believe that this is also 
>covered in RFC-3693 GeoPriv Requirements. In order to be able to transmit 
>a location, one must first be able to determine it!!! For the purposes of 
>transmitting location pseudonyms are also used, so I am not sure where the 
>tying to a user name comes in.
>What was submitted by me is a set of requirements that the authors believe 
>need to be satisfied in order to meet the needs of emergency service 
>providers. There has been no discussion of not using or varying the 
>existing GeoPriv rulesets.
>
>
>Cheers
>James
>
>
>-----Original Message-----
>From: sipping-emergency-bounces@ietf.org 
>[<mailto:sipping-emergency-bounces@ietf.org>mailto:sipping-emergency-bounces@ietf.org] 
>
>Sent: Friday, 29 October 2004 3:07 PM
>To: sipping-emergency@ietf.org
>Subject: [Sipping-emergency] Comment about Charter [no privacy?]
>
>
>
>All
>
>In reading the charter for our new ECRIT BOF, I don't see mention of
>privacy concerns wrt the ability to track an endpoint based on some Loc
>Info Server (LIS) always knowing where that endpoint is (if nomadic or
>mobile), or tying a user(name) to a particular endpoint (regardless of what
>type it is).
>
>I thought privacy was agreed upon to be mentioned as a consideration?
>
>I know at least Jonathan and I brought it up, and I think I remember Jon
>agreeing to this consideration.
>
>We do not want to ignore the retention and distribution rules we so
>carefully built into the PIDF-LO
>
>cheers,
>James
>
>                                 *******************
>                  Truth is not to be argued... it is to be presented
>
>
>
>_______________________________________________
>Sipping-emergency mailing list
>Sipping-emergency@ietf.org 
><https://www1.ietf.org/mailman/listinfo/sipping-emergency>https://www1.ietf.org/mailman/listinfo/sipping-emergency 
>


cheers,
James

                                *******************
                 Truth is not to be argued... it is to be presented


_______________________________________________
Sipping-emergency mailing list
Sipping-emergency@ietf.org
https://www1.ietf.org/mailman/listinfo/sipping-emergency

v2.23.0 | Report a Bug | By Email