I'm going to try to frame this debate a little bit.
Let's start from the assumption that identity extensions are necessary
for third-party/OBO queries. My impression is that people are OK with
the case where identifiers are included in queries from specific,
authenticated, authorized entities (e.g., public safety authorities).
Now, we want to make sure that these extensions are not abused to gain
unauthorized access to location. So if we were to put forward a
document defining identity extensions for third-party queries. We would
then have two options:
1. Forbid the use of identifiers in LCP requests, or
2. Assume that LCP usage is inevitable and require verification
Consider case (2) first. The recommendation that we would want to make
is for the LS to verify that the identifier actually corresponds to the
target. However, the identifiers in question will necessarily not be
IP-layer identifiers (or else there would be no problem). That means
that we can't define an Internet-standard mechanism for this
verification -- mechanisms will have to be network-specific. So we're
left making a vague statement that has to be re-interpreted for each
network (or type of network). Not very satisfying, but basically all
that can be done.
Now, in case (1), we have to come up with some standards language to
accomplish this prohibition. Following our general goal, we would want
something like, "The LS MUST authenticate requestors and apply
authorization policy to requests containing identity extensions."
However, what I've been calling the LCP Policy -- "For every location
object, the Target of that LO is authorized" -- is a valid policy. (You
might even be able to express it in common-policy, if you had one entry
per LO.) And that puts us back into case (2).
This argument seems to me to imply that if we are to enable support for
the third party requests that the emergency services community is
requesting, then we will be stuck with the LCP usage as well, for which
we can write recommendations that are unsatisfactory, but possibly clear
enough for implementors to understand. If one accepts this implication,
we're left with a choice:
1. Provide support for third party requests and do our best on LCP use
2. Do nothing at all
My impression is that if we follow course (2) and do nothing, then the
parties that are asking for us to do something (NENA, NICC, etc.) will
invent something anyway. Following course (1) would then not create
anything that wouldn't be created anyway, and it would have the
potential benefits of increasing interoperability and allowing this
group to have some say over the privacy constraints.
So, to sum all that up, I think we should aim for some recommendations
and privacy constraints on LCP usage of identifiers and move on.
--Richard
</individual-hat>
Alissa Cooper wrote:
> Minutes - GEOPRIV Virtual Interim, 15 Sept 2009
>
> An audio recording is available at
> https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=40370402&rKey=2d44cf3511d663ea
>
>
> Summary (prepared by Alissa and Richard, with thanks to Marc for taking
> notes):
>
> Intro
> -- No agenda bashes
>
> GEOPRIV Arch discussion
> -- Definition of a LIS
> -- Looked at how it's used colloquially, other SDOs' definitions
> -- Marc: Heartburn over "LCP"
> -- LIS shouldn't have to worry about policy
> -- Don't want LC defined as just giving a Target its own location
> -- Hannes: Trying to make what we're talking about more explicit
> -- James P: Keith noted that we can't rule out DHCP as an LC
> protocol, which means arch has to be consistent
> ** Marc: LCP should be "LIS doesn't do any checking"
> -> e.g., identifiers that aren't verified by the underlying
> protocol, no explicit policy-checking mechanism
> -- Device vs. Target
> -- James P will more clearly articulate his issue on the list
>
> LOC-FILTERS
> -- James P is concerned about conflict with location-conveyance
> -- Hannes will verify that there's no conflict
> -- James P and Carl will provide reviews by Hiroshima
> -- Hannes trying to work out what to do with error codes
> -- Recommendation to figure out semantics and then check with Adam
>
> DHCP-LBYR-URI
> -- This rev tries to resolve Hannes' comments
> -- Accepts most of them
> -- Didn't understand a few
> -- Hannes: Concerned about authorization models
> -- James P and Hannes agreed that the auth model issue appears to
> have been resolved
> -- Richard: Give people time to read most recent list posting
> -- Richard: HTTP URIs still missing
> -- James P will get with Ted to figure this out
>
>
>
>
>
>
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv
>
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv
