>Hi Ted,
>
>Just to test the water by analogy... if there's a web page wherein you
>type in your home address and it gives you the location of the
>nearest... say... Ikea, is it a security problem that the web site
>doesn't really know if that's your address?
>
>Maybe that's a bad example because it involves "location"; that's not
>the salient point. If it's a web page where I can type in my age,
>weight, dietary habits etc and obtain an estimate of the probability of
>having a heart attack; is it a security problem if the web site doesn't
>really know if I'm typing in details that are applicable to me?
>
I think the critical point is "doesn't really know". A web page, obviously,
doesn't know anything. But it's pretty telling that we use the term identifiers
(or identity extensions) for these bits. They can be long term identifiers
and they can be used to associate other identities with the information passed.
How that association might work is opaque to the end user up until the point
all their google ad words are about blood thinners and their life insurance rates
go up.
To take a simple example, the geo URI draft has a location example. The
geo URI has no identity associated with the location--yet the draft notes
in the text that it is the address of one of the authors. The number of times
it may be possible to bind location to identity is higher than the end user might think,
and it is particularly important to recognize that it happens more easily when
you are keying the location off a long-lived identifier (or identity).
I think that means we would be safer making those distributions pidf-lo,
rather than lci; we'd have the opportunity to use the tools pidf-lo has.
Having made one exception, though, the group seems inclined to make more.
When we made the first one for DHCP, Jon bet me a drink that it would be
the thin edge of the wedge on this issue; I paid off long ago, but it's probably
time to pay up again. He's been shown to be right on this one again and again.
regards,
Ted
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv
