Re: [urn] Stephen Farrell's Abstain on draft-ietf-urnbis-rfc2141bis-urn-21: (with COMMENT)

[Martin J. Dürst <duerst@it.aoyama.ac.jp>]

On 2017/03/02 17:11, Stephen Farrell wrote:
>
> Hiya,
>
> On 02/03/17 03:14, Peter Saint-Andre wrote:

>> Perhaps you could clarify what some of your concerns are here, above and
>> beyond the use of URIs in general (after all, a URN is a URI). Reading
>> between the lines, I imagine you might be worried that URNs within a
>> particular URN namespace (e.g., for U.S. Social Security Numbers or the
>> like) - once suitably resolved into one or more URLs - might enable an
>> attacker to determine a person's physical location (e.g., via IP
>> address) or actual identity (e.g., a pseudonym could "resolve" to a real
>> name). Are these guesses on the mark?
>
> Yep. Perhaps things like including an IMSI or IMEI (or
> values easily correlated with such) in the NSS part is
> what it'd useful to call out. I'm not sure if there are
> real examples of such in existing URNs but if there were

https://datatracker.ietf.org/doc/rfc7254/history/

Regards,   Martin.

> it'd be a fine thing to note that including such things
> imposes (often unmet) requirements for e.g. confidentiality
> on protocols and applications that use those URNs. If
> may also be useful to say that things like hashing the
> privacy sensitive value before inclusion in the URN don't
> prevent correlation and can be as "good" for re-identification
> as the non-hashed value.