[VIPR] Using only method "b" for privacy
Marc Petit-Huguenin <petithug@acm.org> Mon, 17 October 2011 15:49 UTC
Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 9BA2E21F8CDE for <vipr@ietfa.amsl.com>;
Mon, 17 Oct 2011 08:49:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.036
X-Spam-Level:
X-Spam-Status: No, score=-102.036 tagged_above=-999 required=5 tests=[AWL=0.564,
BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6kejyr0PH1Oe for
<vipr@ietfa.amsl.com>; Mon, 17 Oct 2011 08:49:40 -0700 (PDT)
Received: from implementers.org (implementers.org
[IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with
ESMTP id DEA4B21F8CDD for <vipr@ietf.org>;
Mon, 17 Oct 2011 08:49:39 -0700 (PDT)
Received: from [IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08] (shalmaneser.org
[IPv6:2001:470:1f05:616:213:d4ff:fe04:3e08]) (using TLSv1 with cipher
AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org"
(verified OK)) by implementers.org (Postfix) with ESMTPS id 853762025C for
<vipr@ietf.org>; Mon, 17 Oct 2011 15:41:52 +0000 (UTC)
Message-ID: <4E9C4E92.1060703@acm.org>
Date: Mon, 17 Oct 2011 08:49:38 -0700
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
rv:1.9.2.23) Gecko/20111010 Iceowl/1.0b2 Icedove/3.1.15
MIME-Version: 1.0
To: "vipr@ietf.org" <vipr@ietf.org>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [VIPR] Using only method "b" for privacy
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>,
<mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>,
<mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 15:49:40 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 During the conference call last Friday, we had a discussion on which the conclusion was that privacy conscious VIPR domains could simply require the use of method "b" for validation, as this method does not send the Caller-ID in the PVP login, and so does not disclose the phone number of the callers to VIPR domains that registers the phone number of one of their competitors. Unfortunately, I do not think that doing this would work. Here's a diagram explaining that: DomainA RELOAD DomainB DomainC | | Store| | 1 | |<-------| Store | 2 | |<-------------------| : : : : | SETUP | | | 3 |~~~~~~~~~~~~~~~~~~~~~| | | | | | 4 |<~~~~~~~~~~~~~~~~~~~~| | : : : : | Fetch | | | 5 |----------->| | | | PVP | | | 6 |::::::::::::::::::::::::::::::::X| | PVP | | | 7 |::::::::::::::::::::>| | | | | | In 1, the legitimate "owner" of the phone number registers a mapping between this number and its PVP server in the distributed RELOAD database. In 2, a competitor registers its own PVP server for the same phone number. In 3 and 4 we have the PSTN call itself, that generates the originating VCR in domain A and the terminating VCR in domain B. Shortly after this, 5 shows that DomainA retrieved the mappings for the called phone number, and so retrieved the address of the PVP servers from DomainB and DomainC, without knowing which one is the "owner". It starts a PVP transaction with both of them, with the transaction to DomainC failing because DomainC does not know the PVP secret, and the one with DomainB succeeding. Now even if DomainB is privacy conscious and refuses to process PVP transactions using methods "a", that does not prevent DomainC to accept transactions using methods "a", and so permitting it to learn the caller number. Even using the registration mechanism, where the Store also contains the list of methods supported by a specific endpoint, does not fix this problem. The problem here is that DomainA needs to be privacy conscious on behalf of the remote domains, and never use method "a". One simple solution is to never even define method "a", so it can never be used. That is a change from what was discussed during the conference call, which was to keep method "a" and "b" as they are, and to define better methods. - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6cTpEACgkQ9RoMZyVa61cdlgCdEOdZT6gQbJcCWxXZr0CJOtxb KxEAnRAQGvMEVThQE+DrVP8JnPYVoy2X =h5qq -----END PGP SIGNATURE-----
- [VIPR] Using only method "b" for privacy Marc Petit-Huguenin