> > destination:
> >
> > > Stationary assumption: An algorithm SHOULD obscure the location of a
> > > stationary target. More specifically, when a target does not move, a
> > > location recipient should be unable to determine the known location
> > > using only the reported locations that are output from the algorithm.
> > In particular, the algorithm SHOULD obscure the location even if the
> > attacker knows the details of the protocol and is able to simulate it.
>
> That's a more general constraint. As a general rule, security by
> obscurity doesn't work. I don't see that this is any different.
I think it only makes explicit something that is
already included.
> If you think that the text is useful, I'd add it as a later note.
I think it is useful. What would be a "later" note?
> > And also I would add a new assumption:
> >
> > Indistinguishability assumption:
> >
> > We call two points "indistinguishable as locations" for an algorithm,
> > if an attacker can not infer from the outputs of the algorithm any
> > information about which of the two points is the location of a static
> > target. In particular, if the algorithm provides the same response for
> > two locations, those locations are indistinguishable. Similarly two
> > points are called "indistinguishable as destinations" if an attacker
> > can not infer from the outputs of the algorithm any information about
> > which of the two points was the destination of a moving target. This
> > is true in particular, if every path that ends in one of the two
> > points can be extended to a path ending on the other point, without
> > changing the outputs of the algorithm.
> >
> > Two points are in the same indistinguishability region if and only if
> > they are indistinguishable as locations and destinations. An algorithm
> > SHOULD provide a description of the indistinguishability regions it
> > defines. A theoretical analysis of the size and shape of the
> > indistinguishability regions of the algorithm is desirable.
Up to here it is only a definition: any protocol defines an
indistinguishability region, there is no way to avoid it.
(But perhaps, it is not trivial to calculate what is the
indistinguishability region for a given algorithm). It is
close to well known notions of indistinguishability, like
http://en.wikipedia.org/wiki/Ciphertext_indistinguishability
or, even more, the one used in information flow, see for instance:
http://www.cse.chalmers.se/~andrei/jsac.pdf
So this is not solution space.
> That's a more verbose version of what I intended with the second
> paragraph. What you have described is something that is part of
> the solution space more than the goals. I considered having an
> additional assumption for indistinguishable locations, but it's
> not really related to an assumption that a recipient makes, more
> just a product of the algorithm.
And this last part is the requirement. It is not solution
space, it just says that the attacker should gain as little
as possible information from the outputs of the algorithm.
-Jorge
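The two definitions argued over above (indistinguishability regions and the stationary assumption) can be made concrete with a small simulation. The following is an added example, not code from the Geopriv list or from any draft: it constructs two toy location-obscuring algorithms (grid snapping with a made-up 1000 m cell, and per-report uniform noise of the same scale), partitions candidate points into indistinguishability regions by grouping them on identical output, checks the path-extension condition for "indistinguishable as destinations", and replays a stationary target to see whether averaging many reports recovers the true point. The helper names, the cell size and the sample coordinates are all assumptions made for the illustration.

```python
"""Added illustration of the thread's definitions, not code from the Geopriv
list or any draft: two toy location-obscuring algorithms, the
indistinguishability regions they induce, and a check of the stationary
assumption by replaying a non-moving target."""
import math
import random
from collections import defaultdict

CELL = 1000.0  # constructed cell size in metres for the grid-snapping algorithm


def snap_to_grid(x, y, cell=CELL):
    """Deterministic obscuring: report the centre of the cell containing (x, y).
    Every point in a cell yields the same output, so the cell is one region."""
    return ((math.floor(x / cell) + 0.5) * cell,
            (math.floor(y / cell) + 0.5) * cell)


def add_noise(x, y, radius=CELL / 2, rng=random):
    """Randomised obscuring: true point plus fresh, independent uniform noise
    on every report. A single report hides the location about as well as
    snapping does, but repeated reports average out."""
    return (x + rng.uniform(-radius, radius), y + rng.uniform(-radius, radius))


def noisy_algorithm(seed):
    """Build a seeded add_noise variant so a replay is reproducible."""
    rng = random.Random(seed)
    return lambda x, y: add_noise(x, y, rng=rng)


def location_regions(points, algorithm):
    """Partition candidate points by the output they produce. Points with an
    identical output are indistinguishable as locations in the thread's
    sense; each group is one indistinguishability region."""
    groups = defaultdict(list)
    for p in points:
        groups[algorithm(*p)].append(p)
    return list(groups.values())


def path_outputs(path, algorithm):
    """Outputs a recipient sees for a moving target, with consecutive repeats
    collapsed (assumption: lingering inside one cell adds no information)."""
    seen = []
    for p in path:
        out = algorithm(*p)
        if not seen or seen[-1] != out:
            seen.append(out)
    return seen


def indistinguishable_destinations(path_to_a, b, algorithm):
    """True if extending a path that ends at point a to point b leaves the
    visible outputs unchanged, i.e. a and b are indistinguishable as
    destinations along this path (the sufficient condition from the thread)."""
    return path_outputs(path_to_a, algorithm) == path_outputs(path_to_a + [b], algorithm)


def stationary_error(x, y, algorithm, reports=2000):
    """Replay a stationary target: the recipient averages all reports and we
    return how far that estimate lies from the true point. A deterministic
    algorithm keeps the error at the region scale; fresh noise lets it shrink."""
    xs, ys = zip(*(algorithm(x, y) for _ in range(reports)))
    return math.hypot(sum(xs) / reports - x, sum(ys) / reports - y)


if __name__ == "__main__":
    pts = [(100.0, 100.0), (900.0, 900.0), (1100.0, 100.0)]  # constructed sample
    print("grid regions :", location_regions(pts, snap_to_grid))
    print("noise regions:", len(location_regions(pts, noisy_algorithm(1))), "singletons")
    print("grid error   :", stationary_error(320.0, 740.0, snap_to_grid))
    print("noise error  :", stationary_error(320.0, 740.0, noisy_algorithm(7)))
```

Under grid snapping, (100, 100) and (900, 900) share an output and so fall into one region, and a path that reaches (100, 100) can be extended to (900, 900) without any change in what the recipient sees; the same is not true for (1100, 100). Under per-report noise every point produces a distinct output, which looks good as a set of regions, yet the mean of a couple of thousand reports from a stationary target lands within a few metres of the true point, which is exactly what the stationary assumption is meant to rule out. This is why the region definition alone is not a requirement and needs the stationary clause beside it.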
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv