> A couple of comments inline with my individual contributor hat on...
>
> On Feb 8, 2010, at 11:43 PM, Thomson, Martin wrote:
>
> > NEW:
...
> >
> > HELD with identity extensions allows a requester to explicitly
> > provide identification details in the body of a location
> > request. This means that location requests can be made by
> > requesters other than the Device. Third-party location
> > recipients (LRs) are able to make requests that include
> > identifiers to retrieve location information about a particular
> > Device.
>
> I think your re-write loses the point about the case of a Device
> requesting its own location, but the LIS still needing some check
> other than return routability. I suggest the following tweak to the
> second paragraph:
>
> HELD with identity extensions allows a requester to explicitly
> provide identification details in the body of a location
> request. This means that location requests can be made in cases
> where additional Device identity checks are necessary, and in cases
> where the requester is not the Device itself.
Thanks, I assume that you are OK with keeping my last sentence, or did you intend to have that disappear as well?
...
> > NEW:
... The LIS
> > is responsible for ensuring that location information is
> > correct for the Device, which includes ensuring that the Device
> > is correctly identified. </t>
>
> I think this would make more sense if the last sentence said:
>
> The LIS
> is responsible for ensuring that location information is
> correct for the Device, which includes ensuring that the identifier
> uniquely identifies the Device.
That's a little more specific, which is good. "identifier uniquely identifies" is less elegant, but I can't think of a more concise statement that is this accurate. It will suffice.
...
> > NEW:
> > The security and privacy considerations of the base HELD
> > protocol [HELD] are applicable. However, the considerations
> > relating to return routability do not apply to third-party
> > requests. Return routability might not apply to requests from
> > Targets for their own location depending on the anti-spoofing
> > mechanisms employed for the identifier.
>
> Just for clarity, I think the last sentence should say, "Return
> routability may also not apply. . ."
"might" rather than "may" to avoid confusion with normative text, or is this an intentional shading of meaning?
...
> > NEW:
> > ... Neither is it appropriate to authenticate
> > a requester using NAI and allow that requester to provide an
> > unauthenticated MAC address as a Device identifier, even if the
> > MAC address is registered to the NAI.
> >
>
> Since this is about the Target-requesting-its-own-location case, I
> think the last sentence above needs to say that explicitly:
>
> Neither is it appropriate to authenticate a Target using NAI and allow
> that Target to provide an unauthenticated MAC
> address as its own Device identifier, even if the MAC address
> is registered to the NAI.
I think that Device is a better choice than Target, but it's a point well made. Thanks.
>
> Aliss
>
Cheers,
Martin
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv
