exactly? Is it an understanding that a VSP allowed to contact the PSAP will
only
interconnect with other carriers that it deems sufficiently trustworthy and
that
demonstrate an ability/willingness to trace/investigate/prevent prank calls?
If so, what happens if an individual attempts to make an emergency call from
a
VSP that does not satisfy those conditions (e.g. a provider that, say,
enables
emergency calls to be made from the IP-equivalent of a Trac phone)? Or are
all VSPs somehow "inherently trustworthy" as are all potential transitive
trust
paths?
Issues of "transitive trust" and expectations of customer facing providers
also
arise at lower layers. This isn't just about authentication, it's also
about
tracing and audit, as SAVI WG demonstrates.
In these kind of discussions, it can be quite helpful to attempt to write
down
exactly what security properties are desired and under what
conditions/assumptions
they can be delivered. This may not lead to any conclusions, but at least
we'll
have a clear understanding of what the key assumptions are and when they can
be
expected to be valid.
-----Original Message-----
From: ecrit-bounces@ietf.org [mailto:ecrit-bounces@ietf.org] On Behalf Of
Richard Barnes
Sent: Tuesday, October 27, 2009 7:39 AM
To: Brian Rosen
Cc: ecrit@ietf.org
Subject: Re: [Ecrit] FW: [Geopriv] Winterbottom-ecrit-direct considered
Brian,
Is the security goal here more access control (i.e., controlling who
can send calls to a PSAP) or attribution/identification for post-hoc
action.
If it's the latter, then ISTM that the problem can largely be reduced
to having a certificate infrastructure that binds authenticated
identities to real-world entities. The "extended validation"
certificates that current commercial CAs issue seem to largely satisfy
this requirement.
--Richard
On Oct 27, 2009, at 4:31 PM, Brian Rosen wrote:
> Of course not all VSPs will have trust relationships with all
> PSAPs. One
> can hope that long term, we can evolve to transitive trust
> relationships
> that work pretty well cross border.
>
> The emergency guys are actually terrified of private/individual
> domains
> sending them calls, and we're telling them we expect that to be
> possible,
> but rare, and we're giving them mechanisms that will effectively
> allow them
> to turn off calls selectively, based on factors including what
> domain the
> call comes from. They expect that such calls will be one of the
> loopholes
> where they get equivalents to sim-less calls, which drive them
> nuts. They
> don't want ANY calls that don't come from service providers,
> although they
> seem to be okay with the notion that the SP may not have great
> identity (AOL
> being a poster child). So, while indeed they understand, and have
> concerns
> about having to take calls from Sierra Leone VoIP services Pty, they
> would
> much rather have a call that went through them then a call that went
> through
> no service provider at all.
>
> I'm not trying to make calls direct from devices or private domains
> impossible, but I think the notion that we're promoting them is a
> very bad
> idea until we have effective mechanisms to prevent abuse.
>
> Brian
>
>
>
>
> On 10/27/09 9:02 AM, "Marc Linsner" <mlinsner@cisco.com> wrote:
>
>> Brian,
>>
>> I'm a little confused. I don't remember you objecting to
>> requirement RE1
>> from RFC5012 and I remember your use case about a Sierra Leone VSP.
>>
>> Are you implying that *all* VSPs will have a trust relationships
>> with *all*
>> PSAPs?
>>
>> What is the difference between a call coming from a private/
>> individual
>> domain (as in not a commercial VSP) and a VSP on the other side of
>> the world
>> (outside the jurisdiction)?
>>
>> I'm trying to figure out whether you're objecting to anonymous
>> calls to the
>> PSAP or the mechanisms proposed in this draft?
>>
>> [Don't take this as my endorsement of the draft, as I'm not sure I
>> agree
>> with UAs registering with the ESRP.]
>>
>> -Marc-
>>
>>
>> On 10/26/09 8:59 PM, "Brian Rosen" <br@brianrosen.net> wrote:
>>
>>> First of all, I put it on the wrong email list, sorry about that.
>>>
>>> Then, we have carefully arranged it so that there is no identity
>>> coming from
>>> the access network provider, and because the location is coming
>>> from that
>>> provider, we really don't want to. But even if we did, we would
>>> need a
>>> really good identifier, and there isn't one.
>>>
>>> The problem we have with -direct is anonymous callers, and if they
>>> have any
>>> option, they would also be location-less. Until and unless we get
>>> rid of
>>> anonymity, we can't encourage service provider-less calls. The
>>> draft does
>>> not make any provision to provide any kind of identity. Many
>>> networks
>>> (think free wifi for example) would make providing good identity
>>> difficult.
>>>
>>> The fact is that there is a SERVICE provider in nearly all of the
>>> communications systems. The SERVICE provider is in a position to
>>> assist
>>> the emergency calling system when it needs more information.
>>> That's what a
>>> good SERVICE provider does. Cutting them out is not a great
>>> idea. Most of
>>> the attempts to provide real time communications between people
>>> have evolved
>>> to using service providers, even when there were alternatives. File
>>> transfer via something like Torrent is a counterexample (which
>>> isn't real
>>> time), but even there, you end up with service providers like The
>>> Pirate Bay
>>> (R.I.P) to provide introduction services. I don't think we're
>>> going to see
>>> changes that eliminate service providers, and in this case, they
>>> provide
>>> value to the emergency calling systems. All of the emergency
>>> professionals
>>> I know have issues with service providers, but they would react
>>> with horror
>>> if you suggested cutting them out. Ask them, please.
>>>
>>> So, I claim you have a solution in search of a problem. We have
>>> solved the
>>> "calling network isn't the access network" problem already. Service
>>> providers ARE in the path now, in nearly every case (in fact a
>>> counter
>>> example escapes me, although there probably are some). There is
>>> no movement
>>> I can detect which would change that any time soon; quite the
>>> opposite. We
>>> have a known killer problem without some kind of subscription to a
>>> service
>>> that provides a good identity, for which you provide no answers.
>>> We have
>>> experience with the killer problem: sim-less calling was supposed
>>> to provide
>>> a way to make an emergency call in exactly the kinds of
>>> circumstances you
>>> are describing. Our real world experience is that you create a
>>> huge problem
>>> that diverts resources from helping people to chasing scammers and
>>> flea-market sellers.
>>>
>>> Nothing is perfect: you can get a AIM screen name without a very
>>> good
>>> identity for example. However, the notion that we're going to
>>> provide
>>> direct access without a service provider deliberately, especially
>>> without
>>> really good identity from the access network is, in my opinion not
>>> only a
>>> no, it's a heck no. I'll line up as many emergency service
>>> professionals as
>>> you would like to tell you this is a harmful idea.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 10/26/09 7:56 PM, "Dawson, Martin" <Martin.Dawson@andrew.com>
>>> wrote:
>>>
>>>> I am glad this has come up. It's a debate that has to happen if
>>>> we are to
>>>> move
>>>> beyond a long standing legacy misconception.
>>>>
>>>> In the circuit service world - whether it was POTS or mobile, the
>>>> access
>>>> network had full responsibility for delivering the emergency
>>>> call. In that
>>>> world, routing an emergency call meant getting a circuit
>>>> established to the
>>>> correct call center. In most parts of the world, this was done
>>>> using the
>>>> regional part of the PSTN to switch the circuit to a call center
>>>> on the
>>>> PSTN.
>>>> In some jurisdictions, such as the US, it was done directly from
>>>> the local
>>>> exchange carrier to the call center. Either way, there was no
>>>> third party
>>>> involved.
>>>>
>>>> Now we have the Internet. We still have public access network
>>>> providers.
>>>> They
>>>> switch packets onto the Internet for their subscribers. They can
>>>> similarly
>>>> ensure that packets reach the local emergency call centers.
>>>>
>>>> The fact is that there was no equivalent of a VSP in the
>>>> traditional
>>>> environment. VoIP is a presence service, and it had no common
>>>> equivalent in
>>>> the PSTN world. It could have, but the narrowband state of
>>>> technology and
>>>> the
>>>> common market use cases didn't support its development. By the
>>>> time ISDN
>>>> arrived, the PSTN had already slipped into its palliative stage
>>>> without
>>>> realizing it.
>>>>
>>>> It's an entrenched misconception that because the circuit service
>>>> provided
>>>> by
>>>> exchange carriers was most commonly used for "voice" (but, it
>>>> should be
>>>> noted,
>>>> also for fax, telex, tty, security system monitoring and, even,
>>>> IP data)
>>>> that
>>>> VSPs are somehow equivalent to exchange carriers. They are not.
>>>>
>>>> Indeed, involving VSPs in emergency calls is the Internet
>>>> equivalent of
>>>> involving long distance providers in POTS emergency calls. They
>>>> are neither
>>>> necessary nor particularly helpful; they can't be guaranteed to
>>>> be within
>>>> the
>>>> emergency jurisdiction; depending on them actually diminishes the
>>>> efficacy
>>>> of
>>>> emergency service access. It does not help the caller, the
>>>> emergency
>>>> service,
>>>> nor the third party to insist on the third party's involvement.
>>>>
>>>> It can't be helped if you have over sold the benefits of VSP
>>>> involvement to
>>>> yourself and others Brian. It is time to have a reasoned debate.
>>>> From my
>>>> perspective, the argument that there is no "subscription"
>>>> involved is
>>>> patently
>>>> false. There has to be a subscription of some description in
>>>> order to get to
>>>> the Internet. Yes, there is free public Internet access (just as
>>>> there are
>>>> free courtesy phones on the PSTN and free access to emergency
>>>> services from
>>>> pay phones. All these services are still connected to the public
>>>> Internet
>>>> infrastructure and they all represent an "operator" with some
>>>> level of
>>>> information about the caller.
>>>>
>>>> With the over-emphasis on VSPs, what is missing from the ECRIT
>>>> and i3 models
>>>> is the direct interface for querying the access network for
>>>> subscriber data
>>>> (should it prove necessary). These models need to take the long
>>>> view of how
>>>> emergency calling is done in the Internet age; they should not be
>>>> protracting
>>>> an unnecessary reliance on VSPs.
>>>>
>>>> I have deleted the premature and prejudicial text from the
>>>> subject heading.
>>>> And I'll leave this on ECRIT as the most appropriate WG.
>>>>
>>>> Cheers,
>>>> Martin
>>>>
>>>> -----Original Message-----
>>>> From: ecrit-bounces@ietf.org [mailto:ecrit-bounces@ietf.org] On
>>>> Behalf Of
>>>> Hannes Tschofenig
>>>> Sent: Tuesday, 27 October 2009 8:23 AM
>>>> To: ecrit@ietf.org
>>>> Subject: [Ecrit] FW: [Geopriv] Winterbottom-ecrit-direct
>>>> considered harmful,
>>>> at least given our current experiences
>>>>
>>>> FYI: feedback from Brian regarding a recent ECRIT contribution.
>>>>
>>>>> -----Original Message-----
>>>>> From: geopriv-bounces@ietf.org
>>>>> [mailto:geopriv-bounces@ietf.org] On Behalf Of Rosen, Brian
>>>>> Sent: 26 October, 2009 23:10
>>>>> To: geopriv@ietf.org
>>>>> Subject: [Geopriv] Winterbottom-ecrit-direct considered
>>>>> harmful, at least given our current experiences
>>>>>
>>>>> The notion behind -direct is to not use a service provider to
>>>>> place an emergency call. Instead, the device registers with
>>>>> an Emergency Services Routing Proxy immediately before the
>>>>> call and the call is routed directly from the device to the ESRP.
>>>>>
>>>>> At least at the moment, this is an exceedingly bad idea.
>>>>>
>>>>> Emergency calling authorities like service providers, a lot.
>>>>> They like them because they can hold them accountable, and the
>>>>> service providers don't like theft of service, which is
>>>>> something the emergency call guys have an analog to.
>>>>>
>>>>> The facts are that where unaccountable access to emergency
>>>>> calling is allowed, huge numbers of false calls occur, with no
>>>>> way to stop them, and no way to tell the good ones from the
>>>>> bad ones. This has been seen multiple times where so called
>>>>> "simless" or "unauthenticated" calls are allowed.
>>>>>
>>>>> -direct precisely duplicates simless calling. The only
>>>>> "registration" is an emergency registration, only emergency
>>>>> calls are allowed, any device can make an emergency call if
>>>>> all it has is a (radio) connection to any network.
>>>>> We can predict, with a very high degree of certainty, that the
>>>>> feature will be horribly abused: for example to test that a
>>>>> phone without a service plan works.
>>>>>
>>>>> There have been studies which show tens of thousands of bad
>>>>> calls with zero good ones. Nearly every authority I know
>>>>> where the regulator has insisted on simless calling wants it
>>>>> repealed. There is one counter example I know where the fact
>>>>> that they got a couple, literally, of good calls among the
>>>>> tens of thousands of bad calls was considered enough reason to
>>>>> put up with the problem.
>>>>>
>>>>> Service providers give us information that may be useful: a
>>>>> subscriber name and address for example, which is not
>>>>> spoofable by the caller. They have ways to trace callers,
>>>>> especially bad callers. They don't want their systems abused
>>>>> any more than the emergency calling authorities do.
>>>>>
>>>>> This is a bad idea. A very bad idea. Please stop it.
>>>>>
>>>>> Someday, we may have better ways to prevent abuse. Until we
>>>>> do, service providers are a good thing on an emergency call.
>>>>> We don't want them cut out.
>>>>>
>>>>> Brian
>>>>>
>>>>> _______________________________________________
>>>>> Geopriv mailing list
>>>>> Geopriv@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/geopriv
>>>>>
>>>>
>>>> _______________________________________________
>>>> Ecrit mailing list
>>>> Ecrit@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ecrit
>>>>
>>>> _______________________________________________
>>>> Ecrit mailing list
>>>> Ecrit@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ecrit
>>>
>>>
>>> _______________________________________________
>>> Ecrit mailing list
>>> Ecrit@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ecrit
>>
>>
>
>
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit
_______________________________________________
Ecrit mailing list
Ecrit@ietf.org
https://www.ietf.org/mailman/listinfo/ecrit
_______________________________________________
Ecrit mailing list
Ecrit@ietf.org
https://www.ietf.org/mailman/listinfo/ecrit
