geopriv@ietf.org: May 2011

Tuesday, May 31, 2011

[Geopriv] AD review: draft-ietf-geopriv-dhcp-lbyr-uri-option-11

Summary: There are a few issues to address with a revised ID before moving to IETF LC

1) The definition of the LocationURI format in section 2.3 says that the definition
of each LuriType field value will define the unit of measurement for the LuriLength
field. The two LuriTypes defined in this document don't provide that definition.

2) It's not clear if a response containing a LuriType=2 frame, but no LuriType=1 frame
is valid, and what a client should do if it recieves one.

3) The registration policy of section 4.3 is not clear. Are you aiming for one of the
well-known policies in section 4.1 of RFC 5226?

4) That said, why is the registry in section 4.3 necessary at all? Prose in the RFC, rather
than a registry, is going to be more useful to the implementer - the approach that
sipcore-location-conveyance takes just under the BNF for Geolocation-header in section
4.1 of that document would work here just as well.

5) Should the refresh recommendation in section 2.3 include some randomization? Without it,
do we have all of the elements that got their location URI from this option at the same
time during an avalance-restart attempting to refresh at the same time?

6) I can't parse the sentence in 2.3 that starts "A Location URI refresh SHOULD be done during
the normal DHCP refresh rate,...". In particular, extracting the expected normative behavior
out of that sentence is difficult. Here's an attempt at a rewrite - does it say what was
intended?:

A client will update is Location URI either as part of the normal DHCP lease renewal, or
through a renewal request sent due to the Valid-For timer reaching the value described
in this document. Note that in the second case, the request could ask only for the LocationURI
option.

7) In section 3.2's first bullet, why is this a SHOULD NOT and not a MUST NOT? Would it be
better if the sentence said "be automatically sent" rather than "be sent"? Similarly, why
is the SHOULD NOT in the second bullet not a MUST NOT?

8) Why does section 3.3 rule out the use of XMPP with pres: URIs?

It looks like -03 was the last version of this document reviewed by DHC. I'm requesting
an updated review.

Nits:

* The one-sentence Abstract needs editing. Currently it talks about "a client's URI of a client".
Please simplify the structure. Breaking it into multiple sentences would help.

* First paragraph of the introduction: Suggest s/associated by/associated with/

* In section 3, instead of "location URIs such as <...> are to be done, ... rather than <...>"
I suggest "For example, creating a location URI such as <sips:...> is better than a location
URI such as <sips:aliceisat...>. The username portion of the first example URI provides no
direct identiy information."

* In section 3, I suggest either deleting the sentence that starts "The entity= discussion",
or replacing it with something like "The considerations for populating the entity attribute
value in a PIDF-LO document are independent from the considerations for avoiding exposing
identification information in the username part of a location URI."

* The end of Section 3.3 points forward to section 4.2, but it should point to 4.3 if we keep
that registry.

* I suggest deleting the sentence that starts "Penetrating an LS is supposed to be hard". Its
a good sentiment, but it's captured in the documents that define an LS, and it doesn't help
the implementer of this document.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Monday, May 30, 2011

Re: [Geopriv] geopriv-policy algorithm constraints and goals

I apologize for not getting back to this sooner. I had planned to spend time in the lead-up to our deadline, but instead find myself struggling to follow the thread.

I had some trouble following the exposition in your text. I actually found your original explanation clearer.

Here's my explanation:
>>>
An algorithm takes sensitive information (the known location) and produces less sensitive information (the reported location).

The goal of the adversary or attacker is to derive information about the known location from the reported location. In order to do this, the adversary makes assumptions.

An algorithm that does not force an adversary to make any assumptions to recover the known location cannot be used.

The goal of the obscuring algorithm is to limit the ability of an adversary to recover the known location. An obscuring algorithm is measured by how effectively it deals with an adversary who makes different assumptions. Since each assumption an adversary makes has a change of being wrong, better algorithms force an adversary to make a greater number or less reliable assumptions in order to discover the known location.
<<<

You've taken a different approach, namely that of looking to the indistinguishability property for support in analysis. As I said earlier, that's a useful tool in analyzing the algorithm. We certainly should analyze from different perspectives. But I think that your criteria need to be much clearer.

I also think that what you are introducing is a new concept, distinct but related to ciphertext indistinguishability. In more traditional cryptosystems, the result space is such that for any input, the probability of any value in the result space is equal (assuming a well selected key). That is, if my cipher produces values in the range from 1 to 10, then without knowing the key, I can't predict the output of the cipher with any better than 10% probability (or negligibly more at best).

Location is different. For a given input, I can know beforehand the set of possible outputs to the algorithm. That changes the rules. You can't apply the ciphertext indistinguishability test directly. You have to set the preconditions of your test very carefully. And I don't think that your text does that.

It's also different in the sense that we're not attempting to completely hide information. A traditional cipher attempts to ensure that the plaintext is practically unrecoverable. We are attempting something that doesn't have exactly the same properties. The "ciphertext" resembles the "plaintext" to a certain extent, which is a property a traditional cipher must not exhibit.

I can't think of a way to describe this new concept without starting from first principles. I tried several ways of defining the concept, but I couldn't come up with anything sufficiently clear.

--Martin

On 2011-05-16 at 01:09:46, Jorge Cuellar wrote:
> On Wed, May 4, 2011 at 8:19 PM, Jorge Cuellar
> <jrcuellarj@googlemail.com> wrote:
> >> I'm not sure that I can map your description of the
> indistinguishability property onto my mental model, but your
> description of the "location indistinguishability" and "destination
> indistinguishability" made sense.
> >>
> >> This discussion might make sense as a preface to the discussion on
> assumptions. Can I request that you draft a few paragraphs that
> introduces the subject and how we're planning to apply it?
> >
> Here are two paragraphs that introduce the "indistinguishability"
> notions and how we want to apply them. Let me know what you think:
>
> Privacy properties (as well as security properties) are related to
> notions of "indistinguishability". Given an attacker model, that
> describes which information an attacker can access, a system is
> privacy preserving (or secure) when the attacker can not recover
> precise private information based on the observable information that
> he can collect. He can not recover the precise information because he
> is unable to distinguish several possible values of that information.
> In our case, the attacker observes the results of the location
> obscuring algorithm at given moments (for simplicity, we assume that
> the attacker can autonomously choose those moments, asking the
> location obscuring algorithm: "Where is now the target?"). Besides
> this access to the algorithm, he may also have some further
> information. The two basic situations are the following two: 1. the
> target is in a certain location, at home or work or wherever, and the
> attacker knows, for some reason, that "the target is in the same
> location as before (or yesterday)" (he knows, "he in at home" or "he
> is at work" 2. The target starts a movement (say, a journey) to a
> remote location, but the attacker knows where the target started his
> journey. In both cases, the attacker can ask "Where is now the
> target?" and obtain a response from the obscuring algorithm.
>
> For the first one, we call two points to be "indistinguishable as
> locations", if an attacker can not infer from the outputs of the
> algorithm any information about which of the two points is the
> location of a static target. In particular, if the algorithm provides
> the same distribution of responses for the two locations, those
> locations are indistinguishable. For the second one, consider the
> paths starting at one given point. Two points B1, B2 are
> "indistinguishable as destinations" if for any path starting in a
> point A and ending in B1 there is a path starting in a point A and
> ending in B2, such that the attacker can not infer from the outputs of
> the algorithm any information about which of the two paths the target
> is travelling and in particular, which destination the target has eventually arrived to.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Thursday, May 26, 2011

[Geopriv] IPR Disclosure: Qualcomm Incorporated's Statement about IPR related to draft-ietf-geopriv-held-measurements-03

Dear Martin Thomson, James Winterbottom:

An IPR disclosure that pertains to your Internet-Draft entitled "Using Device-
provided Location-Related Measurements in Location Configuration Protocols"
(draft-ietf-geopriv-held-measurements) was submitted to the IETF Secretariat on
2011-05-24 and has been posted on the "IETF Page of Intellectual Property Rights
Disclosures" (https://datatracker.ietf.org/ipr/1561/). The title of the IPR
disclosure is "Qualcomm Incorporated's Statement about IPR related to draft-
ietf-geopriv-held-measurements-03."");

The IETF Secretariat

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Tuesday, May 24, 2011

[Geopriv] Fwd: IPR Disclosure: Qualcomm Incorporated's Statement about IPR related to RFC 4119

For your convenience, the referenced patent is titled "Reducing satellite signal interference in a global positioning system receiver"
<http://www.google.com/patents?id=YqsIAAAAEBAJ>

As far as I can tell, this has basically no relationship to the data format defined in RFC 4119. Even if the geolocation fields in a PIDF-LO document were filled from an infringing GPS receiver, it would be the receiver that caused the infringement, not the PIDF-LO encoding.

--Richard

Begin forwarded message:

> From: IETF Secretariat <ietf-ipr@ietf.org>
> Date: May 24, 2011 1:21:11 PM EDT
> To: jon.peterson@neustar.biz
> Cc: gonzalo.camarillo@ericsson.com, rjsparks@nostrum.com, geopriv@ietf.org, rbarnes@bbn.com, acooper@cdt.org, ipr-announce@ietf.org, housley@vigilsec.com
> Subject: IPR Disclosure: Qualcomm Incorporated's Statement about IPR related to RFC 4119
>
> Dear Jon Peterson:
>
> An IPR disclosure that pertains to your RFC entitled "A Presence-based GEOPRIV
> Location Object Format" (RFC4119) was submitted to the IETF Secretariat on
> 2011-05-24 and has been posted on the "IETF Page of Intellectual Property Rights
> Disclosures" (https://datatracker.ietf.org/ipr/1560/). The title of the IPR
> disclosure is "Qualcomm Incorporated's Statement about IPR related to RFC 4119."
>
> The IETF Secretariat
>
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] IPR Disclosure: Qualcomm Incorporated's Statement about IPR related to RFC 4119

Dear Jon Peterson:

An IPR disclosure that pertains to your RFC entitled "A Presence-based GEOPRIV
Location Object Format" (RFC4119) was submitted to the IETF Secretariat on
2011-05-24 and has been posted on the "IETF Page of Intellectual Property Rights
Disclosures" (https://datatracker.ietf.org/ipr/1560/). The title of the IPR
disclosure is "Qualcomm Incorporated's Statement about IPR related to RFC 4119."

The IETF Secretariat

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] WG: altitude in RFC 5870

>>>>> Alexander Mayrhofer <alexander.mayrhofer@nic.at> writes:

> All, we've received privately feedback about a potential error in RFC
> 5870. Could someone who is more familiar with reference systems
> review Jose's email, and advice whether we'd need to add errata to
> the RFC?

[…]

> When using WGS84, the altitude is set in relation to the reference
> ELLIPSOID (which is the GRS80 ellipsoid), but not to the GEOID. You
> can see this, for example, in the definition of the CRS with code
> EPSG 4979. In other words, any GPS navigator can offer you the
> "ellipsoid height " over the GRS80 elllipsoid (there are many
> ellipsoids), but no any height referred to the geoid (there is only
> one geoid). This two figures of the earth are completely different.

[…]

Not that I have much expertise in this field, but…

--cut: http://en.wikipedia.org/wiki/World_Geodetic_System --
[…] It comprises a standard coordinate frame for the Earth, a
standard spheroidal reference surface (the datum or reference
ellipsoid) for raw altitude data, and a gravitational equipotential
surface (the geoid) that defines the nominal sea level.
--cut: http://en.wikipedia.org/wiki/World_Geodetic_System --

Thus, WGS-84 defines both a reference ellipsoid and a geoid,
which gives the nominal sea level.

--cut: http://en.wikipedia.org/wiki/Altitude --
[…] As a general definition, altitude is a distance measurement,
usually in the vertical or "up" direction, between a reference datum
and a point or object. The reference datum also often varies
according to the context. Although the term altitude is commonly
used to mean the height above sea level of a location, in geography
the term elevation is often preferred for this usage.
--cut: http://en.wikipedia.org/wiki/Altitude --

Thus, I guess that the term "altitude" may refer either to the
distance above the reference ellipsoid, or to the distance above
the geoid.

Therefore, I find it believable that there may be CRS that rely
on one or another definition of altitude, and I find believable
that there may be equipment that reports the altitude
corresponding to one or another definition of altitude.

So, I believe that no change is necessary to the specification
regarding this issue. However, a note of warning for
implementors to be cautious about the exact nature of the data
to be written in the geo: URI may be desirable.

--
FSF associate member #7257
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] WG: altitude in RFC 5870

All,

we've received privately feedback about a potential error in RFC 5870. Could someone who is more familiar with reference systems review Jose's email, and advice whether we'd need to add errata to the RFC?

thanks,

Alex

----
Von: José Luis García Balboa [mailto:jlbalboa@ujaen.es]
Gesendet: Dienstag, 24. Mai 2011 13:56
An: christian@spanring.eu; Alexander Mayrhofer
Betreff: altitude in RFC 5870

Dear Alexander and Christian:

I'm reading RFC 5870. Congratulatios for this interesant document
I write to you in relation to the altitude information of the geoURI, because I think there is a mistake.

When using WGS84, the altitude is set in relation to the reference ELLIPSOID (which is the GRS80 ellipsoid), but not to the GEOID.
You can see this, for example, in the definition of the CRS with code EPSG 4979.
In other words, any GPS navigator can offer you the "ellipsoid height " over the GRS80 elllipsoid (there are many ellipsoids), but no any height referred to the geoid (there is only one geoid). This two figures of the earth are completely different.

In page 5 it is said that "altitudes below the WGS-84 reference geoid". This is incorrect. It should say "belo the WGS-84 reference ellipsoid".
In page 10 it is said that "altitudes are relative to the WGS-84 reference geoid rather than Earth's surface". This is also incorrect.

I think this should be correct in a future revision of RFC 5870 (or perhaps any other people has already warned you about this).

Best regards,

**************************************************
José Luis García Balboa

Dpto. Ingeniería Cartográfica, Geodésica y Fotogrametría
Escuela Politécnica Superior. Edf. A-3. Despacho 343.
Campus Las Lagunillas. Universidad de Jaén. 23071 JAÉN (Spain).

Tlf/Fax: (+34) 953 212844 / (+34) 953 212855
Correo electrónico: jlbalboa@ujaen.es
Web: http://coello.ujaen.es
**************************************************
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Sunday, May 22, 2011

Re: [Geopriv] geopriv-policy plans

Processing is the software that Robert and I have used to visualize the algorithms.

Alternatively, you can take a copy of the code from this page:

http://held-location.sourceforge.net/js_geoshape/maptest.html

It's all pretty straightforward to retrieve and use, the algorithm is implemented in fuzz.js. All you need to do is replace that file with a new one that defines a GeoShape.Fuzzer class. The ``GeoShape.Fuzzer.fuzz(shape : GeoShape) : GeoShape.Circle'' method is the only method that the rest of the code uses directly.

For the most part, these are really only helpful for conceptualizing the algorithm, understanding how it works. They wont be a great deal of help in performing an analysis.

I linked to the processing examples here:

http://www.ietf.org/mail-archive/web/geopriv/current/msg09000.html

I can send more privately if you want to explore more.

--Martin

On 2011-05-20 at 20:23:50, Jorge Cuellar wrote:
> Hi Martin,
>
> as we spoke in Prague, I have now a student who will implement some
> variants of the geopriv protocol. You mentioned we could use your (?)
> GUI to run tests and display the results (and perhaps also compare
> different solutions?).
>
> Shall we simply use directly
>
> http://processing.org/
>
> or should we use a particular SW that you have or host?
>
> Best,
>
> Jorge

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Friday, May 20, 2011

Re: [Geopriv] geopriv-policy plans

Hi Martin,

as we spoke in Prague, I have now a student who will implement some
variants of the geopriv protocol. You mentioned we could use your (?)
GUI to run tests and display the results (and perhaps also compare
different solutions?).

Shall we simply use directly

http://processing.org/

or should we use a particular SW that you have or host?

Best,

Jorge
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Sunday, May 15, 2011

Re: [Geopriv] geopriv-policy algorithm constraints and goals

On Wed, May 4, 2011 at 8:19 PM, Jorge Cuellar <jrcuellarj@googlemail.com> wrote:
>> I'm not sure that I can map your description of the indistinguishability property onto my mental model, but your description of the "location indistinguishability" and "destination indistinguishability" made sense.
>>
>> This discussion might make sense as a preface to the discussion on assumptions. Can I request that you draft a few paragraphs that introduces the subject and how we're planning to apply it?
>
Here are two paragraphs that introduce the "indistinguishability"
notions and how we want to apply them. Let me know what you think:

Privacy properties (as well as security properties) are related to
notions of "indistinguishability". Given an attacker model, that
describes which information an attacker can access, a system is
privacy preserving (or secure) when the attacker can not recover
precise private information based on the observable information that
he can collect. He can not recover the precise information because he
is unable to distinguish several possible values of that information.
In our case, the attacker observes the results of the location
obscuring algorithm at given moments (for simplicity, we assume that
the attacker can autonomously choose those moments, asking the
location obscuring algorithm: "Where is now the target?"). Besides
this access to the algorithm, he may also have some further
information. The two basic situations are the following two: 1. the
target is in a certain location, at home or work or wherever, and the
attacker knows, for some reason, that "the target is in the same
location as before (or yesterday)" (he knows, "he in at home" or "he
is at work" 2. The target starts a movement (say, a journey) to a
remote location, but the attacker knows where the target started his
journey. In both cases, the attacker can ask "Where is now the
target?" and obtain a response from the obscuring algorithm.

For the first one, we call two points to be "indistinguishable as
locations", if an attacker can not infer from the outputs of the
algorithm any information about which of the two points is the
location of a static target. In particular, if the algorithm provides
the same distribution of responses for the two locations, those
locations are indistinguishable. For the second one, consider the
paths starting at one given point. Two points B1, B2 are
"indistinguishable as destinations" if for any path starting in a
point A and ending in B1 there is a path starting in a point A and
ending in B2, such that the attacker can not infer from the outputs of
the algorithm any information about which of the two paths the target
is travelling and in particular, which destination the target has
eventually arrived to.
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Monday, May 9, 2011

Re: [Geopriv] geopriv-policy algorithm constraints and goals

Hi Hannes,

On 2011-05-10 at 12:33:39, Hannes Tschofenig wrote:
> > Each algorithm MUST be assigned a label. This label is used to
> identify the algorithm. Algorithm labels are added to the location
> obscuring algorithm registry (see Section x.x).
> >
> I would drop this.

Sure.

> > The algorithm MUST accept known locations with uncertainty and
> produce reported locations with uncertainty that encloses the known
> location at that time. That is, the reported location is no less
> correct than the known location.
>
> See my other mail. I would at maximum go as far as saying "SHOULD"
> here.

In your other mail you say two different things on this topic:
> I am OK with the statement that the reported location must enclose the known location.

Keeping in mind that the only way to provide any level of assurance that the reported location is "accurate" is to incorporate the uncertainty in the input.

I can handle a "SHOULD" here, but we then need to include some sort of guidance on what that really means with respect to accuracy then.

> > Any obscuring algorithm MUST accept a single input parameter of a
> distance in meters. Any other tuning parameters for the algorithm
> MUST be fixed in the definition of the algorithm.
> >
> I am not sure why this is a useful requirement as well. I believe what
> you really want to express with this requirement is that the algorithm
> has to be simple to use for the end user. When we came up with the
> idea that the user would be presenting only a single value (in the
> form of distance in meters) we thought that this would be simple enough.
> However, none of us is a user interface expert. Hence, I believe it is
> not useful to put artificial constraints on the algorithm. Imagine
> that someone comes up with a super great user interface but
> unfortunately that algorithm would require more parameters then this
> should still be allowed.

Allowing for other types of parameters will make the construction of the policy more difficult, but I'm not opposed to doing that. In that respect, it's probably best to each algorithm explicitly define its parameters rather than having discrete labels. It's harder to build and implement, but we could do that.

> > Continuous movement assumption:
> > An algorithm SHOULD obscure the location of a moving target.
> More specifically, when a target moves, a location recipient should be
> unable to determine the known location of the target at any point in
> time using only the reported locations that are output from the
> algorithm.
>
> While the adversary will be unable to determine the exact information
> about the location of the target it will learn that the target moves
> and in which direction (if we additionally assume that the algorithm
> does not lie).
> Then, with additional information (which is quite likely to be
> available) there is information about which path the target may have
> taken.

It depends on the algorithm as to how much information about movement is revealed. A coarse estimate of direction (and maybe even speed) might be derived, but that might not directly translate to revealing a path.

With enough additional information, it would be unnecessary to attack the algorithm. Ultimately, the question is how much information we are allowing an adversary to possess before the algorithm is useless. So you'll have to be more specific.

> > Frequent destination assumption:
> > An algorithm SHOULD obscure the details of a frequently visited
> location or path. For a destination that is regularly visited, the
> algorithm cannot provide the precise location of the frequented
> location.
> >
> > Any description SHOULD indicate whether the algorithm prevents a
> recipient from identifying whether different reported locations
> correspond to the same known location, and under what circumstances.
> This would permit a recipient to learn that the same location is being
> visited, even if the identity of that location is obscured.
> >
> I am not sure whether I fully understand the purpose of these two
> requirements.
>
> If a grid is large enough then there will be no path visible. In the
> other case it will be. Since the grid is a configurable parameter
> every algorithm will fail to fulfill this requirement.
>
> I would exclude these further requirements below from the current
> discussion. We should only work on these once we get a base algorithm
> finished. I have my doubt that the industry is asking us to work on
> these given the deployment status of the location obfuscation today.
> From your description it seems that they fall under the same category
> as all other requirements. I disagree with that. This is also a more
> advanced requirement that should be labelled as a MAY, if at all
> listed.

These are (an attempt at describing) precisely the problems that Jorge wanted included. That is, I don't want an adversary to learn where I live based on my obscured location that he receives every evening.

The second part is a corollary to this. That is, I want an adversary to have some uncertainty about whether I'm even going to the same place each evening. That is, the reported location he got yesterday and the one he gets today should not give the adversary any (significant) indication that they apply to the same known location.

Obviously, the simple algorithm we originally devised (all variants) failed this test. If you continually returned to the same known location, the reported location was obscured differently each time. That would allow an adversary to make a simple assumption (that these are really the same place) and recover that location with low uncertainty by intersecting all the reported locations.

--Martin

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] geopriv-policy algorithm constraints and goals

Hi Martin,

> With the idea that we want -geopriv-policy finished sometime this millennium, here's my first, rough attempt at describing constraints and goals for location obscuring.

We have all contributed our share to the delay.

> ----
>
> The purpose of a location obscuring algorithm is to provide a location recipient (LR) with location information of reduced quality. The intent is to provide an LR with location information that is correct, but insufficient to identify the known location without a chosen amount of uncertainty.
>
> The obscuring algorithm takes a series of _known locations_, which might have greater accuracy than the recipient is permitted to receive. The obscuring process produces a series of _reported locations_.
>
> Algorithm Constraints
>
> Each algorithm MUST be assigned a label. This label is used to identify the algorithm. Algorithm labels are added to the location obscuring algorithm registry (see Section x.x).
>
I wonder why it is important to indicate that. It would sound that a registry is a super new thing but we are using algorithm registries already forever.
I would drop this.

> The algorithm MUST accept known locations with uncertainty and produce reported locations with uncertainty that encloses the known location at that time. That is, the reported location is no less correct than the known location.

See my other mail. I would at maximum go as far as saying "SHOULD" here.

>
> Any obscuring algorithm MUST accept a single input parameter of a distance in meters. Any other tuning parameters for the algorithm MUST be fixed in the definition of the algorithm.
>
I am not sure why this is a useful requirement as well. I believe what you really want to express with this requirement is that the algorithm has to be simple to use for the end user. When we came up with the idea that the user would be presenting only a single value (in the form of distance in meters) we thought that this would be simple enough. However, none of us is a user interface expert. Hence, I believe it is not useful to put artificial constraints on the algorithm. Imagine that someone comes up with a super great user interface but unfortunately that algorithm would require more parameters then this should still be allowed.

> Algorithm Goals
>
> In assessing any algorithm, the information that a recipient can recover determines how effective that algorithm is. When a recipient (or adversary) makes assumptions [Duckham05] about the movement of the target, they may be able to recover more information than is intended.
>
> The assumptions that a recipient is forced to make to recover information determines how effective an algorithm is. The more assumptions that are necessary, the more difficult it is to reliably recover the known location. While it cannot be assumed that the complexity of applying multiple assumptions would prevent a recipient from applying those assumptions, the probability that a given set of assumptions is incorrect increases with number.
>
> The following assumptions are considered important for the development of an algorithm that obscures location. These assumptions are considered to have a high probability of being correct and are therefore the most important assumptions to protect against.
>
> Stationary assumption:
> An algorithm SHOULD obscure the location of a stationary target. More specifically, when a target does not move, a location recipient should be unable to determine the known location using only the reported locations that are output from the algorithm.
>
> Continuous movement assumption:
> An algorithm SHOULD obscure the location of a moving target. More specifically, when a target moves, a location recipient should be unable to determine the known location of the target at any point in time using only the reported locations that are output from the algorithm.

While the adversary will be unable to determine the exact information about the location of the target it will learn that the target moves and in which direction (if we additionally assume that the algorithm does not lie).
Then, with additional information (which is quite likely to be available) there is information about which path the target may have taken.

>
> Frequent destination assumption:
> An algorithm SHOULD obscure the details of a frequently visited location or path. For a destination that is regularly visited, the algorithm cannot provide the precise location of the frequented location.
>
> Any description SHOULD indicate whether the algorithm prevents a recipient from identifying whether different reported locations correspond to the same known location, and under what circumstances. This would permit a recipient to learn that the same location is being visited, even if the identity of that location is obscured.
>
I am not sure whether I fully understand the purpose of these two requirements.

If a grid is large enough then there will be no path visible. In the other case it will be. Since the grid is a configurable parameter every algorithm will fail to fulfill this requirement.

I would exclude these further requirements below from the current discussion. We should only work on these once we get a base algorithm finished. I have my doubt that the industry is asking us to work on these given the deployment status of the location obfuscation today. From your description it seems that they fall under the same category as all other requirements. I disagree with that. This is also a more advanced requirement that should be labelled as a MAY, if at all listed.

> High accuracy assumption:
> An algorithm SHOULD obscure location when the known location has low uncertainty or a high frequency update rate. A theoretical analysis of the algorithm based on a continuous series of perfect known locations is desirable.
>

> An algorithm may also provide protection for the speed or velocity of a target. It is desirable that the precise speed of a target cannot be easily learned. The following assumptions are also important in assessing an algorithm:
>
> Constant velocity assumption:
> An algorithm SHOULD obscure the speed of a target under the assumption of constant velocity or constant speed along a predefined path (such as a road).
>

> Other assumptions that a location recipient might use to improve their ability to recover a known location might include: upper and lower bounds to speed or acceleration, constrained movement along specific thoroughfares, or inability to be located in areas that are designated inaccessible.
>

Ciao
Hannes

> Discussion of any additional assumptions that are either rendered ineffective or especially effective is useful in evaluating an algorithm.
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] geopriv-policy plans

Hi Martin

> Some of the goals and constraints that we discussed (and may have agreed on to varying degrees) were:
>
> Constraints
>
> - The algorithm must take only one policy input: a distance in meters. Other parameters need to be fixed in the definition of the algorithm.

This sounds strange. If you only demand a single input then there are no other parameters.
So, I guess you are saying that there is at least one parameter, namely distance in meters.

>
> - The algorithm must describe what to do with uncertainty on the input location(s).

Is it OK to say that the input to the algorithm is a point even if that input parameter was computed from some other location shape prior to sending it to the input of the algorithm.
I am trying to point out that many of the use cases we will see today will use a point as approximation even though there are theoretically all sorts of complex location shapes.

>
> - The algorithm must be accurate [duckham05] - that is, the reported location must enclose the known location at the time that it is reported
>
I am OK with the statement that the reported location must enclose the known location.

> Goals
>
These goals are all phrased as "should". It would therefore be fine to have an algorithm that supports none of these.

> - The algorithm should protect a static known location.
>
I would drop the "known" phrase. I doubt that the algorithm can provide against "unknown" location.

> - The algorithm should protect the known location when the target moves. I admit that this needs to be more specific.
>
> - The algorithm should protect the known location when the target returns to the same approximate location multiple times.

I guess this is a sub-category of mobility.
>
> - The algorithm should limit the knowledge that an adversary gains about known locations at different times or locations, if an adversary learns of a known location for a given reported location. That is, if an adversary finds a known location, they can't use that information to (perfectly) derive known locations from other reported locations.

While it is OK to say "limit the knowledge the adversary can gain" but we have to keep some fundamental limitations in mind.

Ciao
Hannes

>
> --Martin
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Thursday, May 5, 2011

Re: [Geopriv] Comments on draft-ietf-geopriv-policy-uri-00

On 2011-05-06 at 10:52:16, Ben Campbell wrote:
>
> On May 5, 2011, at 7:12 PM, Winterbottom, James wrote:
>
> >> 3. The draft talks quite a bit about the lifetime and validity of
> >> policy URLs. But (unless I missed it) it doesn't say as much about
> >> the scope and lifetime of the policy documents referenced by such
> >> URLs. I think, in order to get the security properties I think you
> >> contemplate for the policy URIs, you must have a distinct policy
> >> object for each URI. That is, two policy URIs for the same device
> are
> >> not aliases for the same policy document. If the policy docs are
> >> the same, it's just a coincidence, and changing one does not affect
> >> the other. Furthermore, each policy doc is only meaningful for the
> >> Location URI associated with the policy URI. If the LS mints a new
> >> Location URI and associated Policy URI, the referenced policy
> >> document is always a _new_ one set to the "default policy". Is this
> the idea?
> >
> >
> > [AJW] Yes this is the idea. Take a residential broadband situation
> for example, all device behind a residential gateway performing NAT
> will appear the same the LS, but clearly there maybe several different
> devices. In this case each time a new location URI is requested, a new
> policy URI is minted. Certainly I don't want my daughter changing my
> policy.
> >
> >
>
> I think we are on the same page here, but I want to emphasize I'm
> talking about the referenced policy document, not the policy URL. So
> as long as, for every new location URI you get a new policy URI and a
> new policy _document_ that only applies to that particular URI pair,
> then I think it's fine.

I find that it's helpful to distinguish between the resource and the thing that identifies it. In all these cases, it is actually a new _resource_, not just a new identifier. Naturally, that means a different identifier.

--Martin
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Comments on draft-ietf-geopriv-policy-uri-00

> > [AJW] Yes this is the idea. Take a residential broadband situation for
> example, all device behind a residential gateway performing NAT will
> appear the same the LS, but clearly there maybe several different devices.
> In this case each time a new location URI is requested, a new policy URI
> is minted. Certainly I don't want my daughter changing my policy.
> >
> >
>
> I think we are on the same page here, but I want to emphasize I'm talking
> about the referenced policy document, not the policy URL. So as long as,
> for every new location URI you get a new policy URI and a new policy
> _document_ that only applies to that particular URI pair, then I think
> it's fine.
>
[AJW] Thanks for making the distinction, and I think we probably need to make it clear that this is a mutual one to one relationship. A policy URI is associated with at most one policy document, and a policy document is identified by only one policy URI.

> >
> >
> >> My concern is that if an attacker somehow gets ahold of a policy URL,
> >> perhaps by gaining physical access to my device, he can't make
> >> _persistent_ changes to policy. (I'm assuming for the sake of argument
> >> such access doesn't also give him access to change the "default")
> >
> > [AJW] I can't speak for the other authors, but I confess that I had not
> given much thought to stolen or hacked devices. The Policy URI is minted
> at the same time as the location URI, so to my mind these two things are
> linked. Having a persistent policy after the location URI has expired
> doesn't make a lot of sense to me, especially if the policy server doesn't
> have a real user of device identity associated with it beyond a URI. So
> maybe I am missing the point, but I am a little confused about what the
> actual concern is here.
> >
>
> Your residential gateway example is probably more compelling than my
> stolen device example.
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Comments on draft-ietf-geopriv-policy-uri-00

On May 5, 2011, at 7:12 PM, Winterbottom, James wrote:

>> 3. The draft talks quite a bit about the lifetime and validity of policy
>> URLs. But (unless I missed it) it doesn't say as much about the scope and
>> lifetime of the policy documents referenced by such URLs. I think, in
>> order to get the security properties I think you contemplate for the
>> policy URIs, you must have a distinct policy object for each URI. That is,
>> two policy URIs for the same device are not aliases for the same policy
>> document. If the policy docs are the same, it's just a coincidence, and
>> changing one does not affect the other. Furthermore, each policy doc is
>> only meaningful for the Location URI associated with the policy URI. If
>> the LS mints a new Location URI and associated Policy URI, the referenced
>> policy document is always a _new_ one set to the "default policy". Is this
>> the idea?
>
>
> [AJW] Yes this is the idea. Take a residential broadband situation for example, all device behind a residential gateway performing NAT will appear the same the LS, but clearly there maybe several different devices. In this case each time a new location URI is requested, a new policy URI is minted. Certainly I don't want my daughter changing my policy.
>
>

I think we are on the same page here, but I want to emphasize I'm talking about the referenced policy document, not the policy URL. So as long as, for every new location URI you get a new policy URI and a new policy _document_ that only applies to that particular URI pair, then I think it's fine.

>
>
>> My concern is that if an attacker somehow gets ahold of a policy URL,
>> perhaps by gaining physical access to my device, he can't make
>> _persistent_ changes to policy. (I'm assuming for the sake of argument
>> such access doesn't also give him access to change the "default")
>
> [AJW] I can't speak for the other authors, but I confess that I had not given much thought to stolen or hacked devices. The Policy URI is minted at the same time as the location URI, so to my mind these two things are linked. Having a persistent policy after the location URI has expired doesn't make a lot of sense to me, especially if the policy server doesn't have a real user of device identity associated with it beyond a URI. So maybe I am missing the point, but I am a little confused about what the actual concern is here.
>

Your residential gateway example is probably more compelling than my stolen device example.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Comments on draft-ietf-geopriv-policy-uri-00

Thanks for the review Ben.

Comments inline.

Cheers
James

> -----Original Message-----
> From: Ben Campbell [mailto:ben@nostrum.com]
> Sent: Friday, 6 May 2011 9:21 AM
> To: draft-ietf-geopriv-policy-uri.all@tools.ietf.org; GEOPRIV
> Subject: Comments on draft-ietf-geopriv-policy-uri-00
>
> Hi,
>
> Here are some WGLC comments on draft-ietf-geopriv-policy-uri-00. Please
> note that, like some others commenting, that I have not followed this
> draft prior to Richard asking if I could review it. I did a brief scan of
> the recent emails, but I apologize in advance if I beat any dead horses,
> ask questions that have already been answered, or show complete ignorance
> of the location conveyance architecture.
>
> General Comments
>
> 1. I find the document very readable and understandable. That's
> refreshing, given the potential complexity of the problem space :-)
>
> 2. I share some of the concerns about possession of a policy URI equaling
> authorization. I think the draft does a good job of discussing the
> security considerations of handing around a shared secret like this. My
> principle concern is the implied assumption that anyone with access to the
> device is automatically a rule maker. I realize there might not be much
> choice, given that someone with control of a device probably knows where
> that device is and could tell anyone he wants. But some use cases:
>
> -- My kid has a phone with location functions. Can he turn of my (his
> parent's) access?
> -- A thief has _my_ phone. Can he turn off my ability to track it? (short
> of turning it off, of course)
>
> Now, I realize those are mostly client behavior questions, not protocol
> issues--I just want to make sure they've been thought through. And my
> concern here is very much affected by my next concern
>
> 3. The draft talks quite a bit about the lifetime and validity of policy
> URLs. But (unless I missed it) it doesn't say as much about the scope and
> lifetime of the policy documents referenced by such URLs. I think, in
> order to get the security properties I think you contemplate for the
> policy URIs, you must have a distinct policy object for each URI. That is,
> two policy URIs for the same device are not aliases for the same policy
> document. If the policy docs are the same, it's just a coincidence, and
> changing one does not affect the other. Furthermore, each policy doc is
> only meaningful for the Location URI associated with the policy URI. If
> the LS mints a new Location URI and associated Policy URI, the referenced
> policy document is always a _new_ one set to the "default policy". Is this
> the idea?

[AJW] Yes this is the idea. Take a residential broadband situation for example, all device behind a residential gateway performing NAT will appear the same the LS, but clearly there maybe several different devices. In this case each time a new location URI is requested, a new policy URI is minted. Certainly I don't want my daughter changing my policy.

> My concern is that if an attacker somehow gets ahold of a policy URL,
> perhaps by gaining physical access to my device, he can't make
> _persistent_ changes to policy. (I'm assuming for the sake of argument
> such access doesn't also give him access to change the "default")

[AJW] I can't speak for the other authors, but I confess that I had not given much thought to stolen or hacked devices. The Policy URI is minted at the same time as the location URI, so to my mind these two things are linked. Having a persistent policy after the location URI has expired doesn't make a lot of sense to me, especially if the policy server doesn't have a real user of device identity associated with it beyond a URI. So maybe I am missing the point, but I am a little confused about what the actual concern is here.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Comments on draft-ietf-geopriv-policy-uri-00

Hi,

Here are some WGLC comments on draft-ietf-geopriv-policy-uri-00. Please note that, like some others commenting, that I have not followed this draft prior to Richard asking if I could review it. I did a brief scan of the recent emails, but I apologize in advance if I beat any dead horses, ask questions that have already been answered, or show complete ignorance of the location conveyance architecture.

General Comments

1. I find the document very readable and understandable. That's refreshing, given the potential complexity of the problem space :-)

2. I share some of the concerns about possession of a policy URI equaling authorization. I think the draft does a good job of discussing the security considerations of handing around a shared secret like this. My principle concern is the implied assumption that anyone with access to the device is automatically a rule maker. I realize there might not be much choice, given that someone with control of a device probably knows where that device is and could tell anyone he wants. But some use cases:

-- My kid has a phone with location functions. Can he turn of my (his parent's) access?
-- A thief has _my_ phone. Can he turn off my ability to track it? (short of turning it off, of course)

Now, I realize those are mostly client behavior questions, not protocol issues--I just want to make sure they've been thought through. And my concern here is very much affected by my next concern

3. The draft talks quite a bit about the lifetime and validity of policy URLs. But (unless I missed it) it doesn't say as much about the scope and lifetime of the policy documents referenced by such URLs. I think, in order to get the security properties I think you contemplate for the policy URIs, you must have a distinct policy object for each URI. That is, two policy URIs for the same device are not aliases for the same policy document. If the policy docs are the same, it's just a coincidence, and changing one does not affect the other. Furthermore, each policy doc is only meaningful for the Location URI associated with the policy URI. If the LS mints a new Location URI and associated Policy URI, the referenced policy document is always a _new_ one set to the "default policy". Is this the idea?

My concern is that if an attacker somehow gets ahold of a policy URL, perhaps by gaining physical access to my device, he can't make _persistent_ changes to policy. (I'm assuming for the sake of argument such access doesn't also give him access to change the "default")

Specifics Comments:

-- Section 3, Note: "...Location Server is also a Rule Holder."

Do you mean to require the rule holder and LS to be collocated? I assume not since this is about as non-normative of a statement as you can make.

Editorial Comments:

-- idnits complains about some outdated draft references. I assume those will all get fixed just-in-time

-- Section 1, paragraph 3: "...inform the Location Server with policy..."

... of policy?

-- Section 3.2, first paragraph, last sentence: "...MUST be different to the location URI"

different "than"?

-- section 6, Acknowledgments

Any reason not to put this closer to the end? I don't know if it's wrong per SE, but it seems odd to find it in the middle.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Wednesday, May 4, 2011

Re: [Geopriv] Policy-uri comments

I was going to respond to this thread with a more detailed response, but it looks like you have everything in hand.

I did follow up on logging, in particular intermediary logging. The conclusion: our standing advice on using HTTP over TLS stands - intermediaries will log if you allow them to and TLS limits what they can log.

--Martin

On 2011-05-05 at 02:24:24, Ted Hardie wrote:
> On Wed, May 4, 2011 at 9:20 AM, Richard L. Barnes <rbarnes@bbn.com>
...

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] geopriv-policy algorithm constraints and goals

> I'm not sure that I can map your description of the indistinguishability property onto my mental model, but your description of the "location indistinguishability" and "destination indistinguishability" made sense.
>
> This discussion might make sense as a preface to the discussion on assumptions. Can I request that you draft a few paragraphs that introduces the subject and how we're planning to apply it?

Sure, I will (by the latest, until the 12th of Mai).
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] draft-ietf-geopriv-policy-uri-00 WGLC

These seem like excellent issues to address in a future update to this document that specifies a second possible URI scheme. I don't think we need to address extensibility or multi-scheme issues in this document.

It seems like the URI scheme of the policy URI should provide enough information for clients to tell whether they've gotten a URI they support, so an extension would need just to (1) define the alternative policy URI system, and (2) change the requirement that the policy URI MUST be an HTTP URI.

With those considerations, I think the only thing we need to do here is make sure that clients for this document fail safely if they get a non-HTTP URI. Proposed text:
FROM
"
4.3. Client Processing

It is possible that this document will be updated to allow the use of
policy URIs that use protocols other than the HTTP-based protocol
described above. To ensure that they fail safely when presented with
such a URI, clients implementing this specification MUST verify that
a policy URI received from either HELD or DHCP uses either the
"http:" or "https:" scheme. If the URI does not match those schemes,
then the client MUST discard the URI and behave as if no policy URI
was provided.
"

On May 3, 2011, at 12:13 AM, Adam Roach wrote:

> On 5/2/11 3:48 PM, Ted Hardie wrote:
>> On Thu, Apr 28, 2011 at 10:07 PM, Thomson, Martin <
>> I'm inclined to classify this as an optimization. So three reasons not to add the parameter:
>> 1. laziness
>> 2. it's probably not too much extra load to create a resource for most types of resources, especially if you optimize for the case where the resource isn't accessed
>> 3. DHCP won't have any hinting
>>
>>
>> It strikes me that the PUT/DELETE nature of client management of these resources creates a bit of a problem with this multiple-URI approach. If the user has two different clients from which policy updates may come, updates PUT from one must be synchronized to the other URI by some back-end process, or your risk silly states where the user has updated policy using one URI, but the policy accessed from a different client using a different scheme gets old data because the URIs are distinct and no PUT occurred to that URI.
>
> That's a very good point. We would need to add text around this issue.
>
>> Did I miss a section where this was described?
>
> No, because the current version of the document makes certain strong assumptions around "HTTP now, HTTP forever." This whole conversation stems from my feedback that we should make the approach more extensible, even if we don't describe other protocols right now. So you won't find any related text in the document at this time.
>
> /a
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Policy-uri comments

On Wed, May 4, 2011 at 9:20 AM, Richard L. Barnes <rbarnes@bbn.com> wrote:

> This works. I would add "Re-use of policy URIs with subsequent location URIs is NOT RECOMMENDED even if the rule maker and location are the same." That may be me being paranoid, so I'm okay if you prefer to leave it out. I can't really see this being done by anyone following the spirit of the other recommendations, but paranoia is paranoia, you know?

I think it would actually be simpler to say that the location server MUST generate a new policy URI for a new location URI. Since that's how I would implement it anyway :)

Even better.

thanks,

Ted

Re: [Geopriv] Policy-uri comments

Thanks for following up. I'll implement the agreed changes. Two quick reactions:

> Proposed text:
> "
> A policy URI is only valid while the corresponding location URI set is valid. A location server MUST NOT respond to any requests to a policy URIs once the corresponding location URI set has expired. This expiry time is specified by the 'expires' attribute in the HELD locationResponse or the 'Valid-For' LuriType in DHCP.
> "
>
> This works. I would add "Re-use of policy URIs with subsequent location URIs is NOT RECOMMENDED even if the rule maker and location are the same." That may be me being paranoid, so I'm okay if you prefer to leave it out. I can't really see this being done by anyone following the spirit of the other recommendations, but paranoia is paranoia, you know?

I think it would actually be simpler to say that the location server MUST generate a new policy URI for a new location URI. Since that's how I would implement it anyway :)

> Ok, I think I understand you better now. I can agree that overloading DELETE makes sense, especially
>
> Was this "does not make sense"?

Yep.

--Richard
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Policy-uri comments

In-line responses,

Ted

On Wed, May 4, 2011 at 1:21 AM, Richard L. Barnes <rbarnes@bbn.com> wrote:

> Then I suggest that the policy URI "age out" over time. As it stands, the policy URI is created by the location server and effectively never changes during the validity interval set for that location. Whenever it is used to get or set policy through a proxy (like a friendly interception proxy, let's say), it may be revealing itself. If the validity interval is long, this may be a problem (my employer may get or my ex-employer may retain access to the policy URI for my "home" location).
>
> I am assuming that a location may be fairly long lived-e.g. created by my cable company for my "home" location and re-used with its policy URI for long periods. If the validity intervals are short and the LS does not re-use the policy URI when a new location URI for that same location is created, this is less of a problem (this latter problem may require some thought in the inputs to a hash-based mechanism for the creation of a policy URI, especially if an LS re-used the random entropy in a new run. It can neither use the location URI nor the location description, I'd guess).

We should keep in mind that there are at least three different validity intervals here:
1. The validity interval of the location value
2. The validity interval of the location URI
3. The validity interval of the policy URI

Would it address your concern to require (2) and (3) to be equal? This seems sensible and implementable to me. Proposed text:
"
A policy URI is only valid while the corresponding location URI set is valid. A location server MUST NOT respond to any requests to a policy URIs once the corresponding location URI set has expired. This expiry time is specified by the 'expires' attribute in the HELD locationResponse or the 'Valid-For' LuriType in DHCP.

"

This works. I would add "Re-use of policy URIs with subsequent location URIs is NOT RECOMMENDED even if the rule maker and location are the same." That may be me being paranoid, so I'm okay if you prefer to leave it out. I can't really see this being done by anyone following the spirit of the other recommendations, but paranoia is paranoia, you know?

> > It's also not clear whether a location server that allows clients to inspect policy but not update actually meets the goals of this document, since it either then requires some other side-loading mechanism or is incomplete.
>
> Being pragmatic about this, we can't really legislate what policies LS provider will apply. We could have a requirement that servers allow changes to policy, but that just risks that portion of the spec being unused. IMO, even being able to inspect policy is an improvement over the current state of the art.
>
>
> No, but we can say that it is recommended for cases where there is no other way to set policy.

Proposed text:
FROM

"
A Location Server SHOULD allow all requests, but it MAY deny certain requests based on local policy. For instance, a Location Server might allow clients to inspect policy (GET), but not to update it (PUT).
"

TO
"
A Location Server MUST allow GET requests to allow clients to inspect policy. A Location Server SHOULD support PUT and DELETE requests to allow clients to control policy, especially if clients cannot set policy through other means.

"

Works for me.

> Overloading removing the policy URI with "delete access to the resource" seems like an un-needed optimization to me. As a client writer, I'd update the policy with a validity interval that is gone, set provide-location to false or something similar. That's just my personal take on this obviously, and if other folks feel that this is the optimization to make, I can live with it.

Ok, I think I understand you better now. I can agree that overloading DELETE makes sense, especially

Was this "does not make sense"?

in light of the fact that we have two other ways of invalidating location URIs (policy-based validity intervals and the global expiration of the URI). It still seems like an LS shouldn't respond to requests for the location URI while there's no policy document (after a DELETE).

Agreed.

Proposed text:
FROM
"
A DELETE request to a policy URI is a request to delete the referenced policy document and terminate access to the protected resource. If the request is authorized, then the Location Server MUST delete the policy referenced by the URI and disallow any further access to the location resources it governs.

A location URI can thus become invalid in three ways: By the expiration of a validity interval in policy, by the removal of a policy document with a DELETE request, or by the expiry of the HELD-specified validity interval. The former is temporary, since the policy URI can be used to update the validity interval in the policy; the latter two are permanent.
"

TO
"
A DELETE request to a policy URI is a request to delete the referenced policy document. If the request is authorized, then the Location Server MUST delete the policy referenced by the URI and disallow access to the location URIs it governs until a new policy document has been put in place via a PUT request.

A location URI can thus become invalid in three ways: By the expiration of a validity interval in policy, by the removal of a policy document with a DELETE request, or by the expiry of the LCP-specified validity interval. The former two are temporary, since the policy URI can be used to update the policy. The latter one is permanent, since the expiry causes the policy URI to be invalidated as well.
"

This works for me.

Thanks,

Ted

Re: [Geopriv] Policy-uri comments

> Then I suggest that the policy URI "age out" over time. As it stands, the policy URI is created by the location server and effectively never changes during the validity interval set for that location. Whenever it is used to get or set policy through a proxy (like a friendly interception proxy, let's say), it may be revealing itself. If the validity interval is long, this may be a problem (my employer may get or my ex-employer may retain access to the policy URI for my "home" location).
>
> I am assuming that a location may be fairly long lived-e.g. created by my cable company for my "home" location and re-used with its policy URI for long periods. If the validity intervals are short and the LS does not re-use the policy URI when a new location URI for that same location is created, this is less of a problem (this latter problem may require some thought in the inputs to a hash-based mechanism for the creation of a policy URI, especially if an LS re-used the random entropy in a new run. It can neither use the location URI nor the location description, I'd guess).

We should keep in mind that there are at least three different validity intervals here:
1. The validity interval of the location value
2. The validity interval of the location URI
3. The validity interval of the policy URI

Would it address your concern to require (2) and (3) to be equal? This seems sensible and implementable to me. Proposed text:
"
A policy URI is only valid while the corresponding location URI set is valid. A location server MUST NOT respond to any requests to a policy URIs once the corresponding location URI set has expired. This expiry time is specified by the 'expires' attribute in the HELD locationResponse or the 'Valid-For' LuriType in DHCP.
"

> > It's also not clear whether a location server that allows clients to inspect policy but not update actually meets the goals of this document, since it either then requires some other side-loading mechanism or is incomplete.
>
> Being pragmatic about this, we can't really legislate what policies LS provider will apply. We could have a requirement that servers allow changes to policy, but that just risks that portion of the spec being unused. IMO, even being able to inspect policy is an improvement over the current state of the art.
>
>
> No, but we can say that it is recommended for cases where there is no other way to set policy.

Proposed text:
FROM
"
A Location Server SHOULD allow all requests, but it MAY deny certain requests based on local policy. For instance, a Location Server might allow clients to inspect policy (GET), but not to update it (PUT).
"
TO
"
A Location Server MUST allow GET requests to allow clients to inspect policy. A Location Server SHOULD support PUT and DELETE requests to allow clients to control policy, especially if clients cannot set policy through other means.
"

> Overloading removing the policy URI with "delete access to the resource" seems like an un-needed optimization to me. As a client writer, I'd update the policy with a validity interval that is gone, set provide-location to false or something similar. That's just my personal take on this obviously, and if other folks feel that this is the optimization to make, I can live with it.

Ok, I think I understand you better now. I can agree that overloading DELETE makes sense, especially in light of the fact that we have two other ways of invalidating location URIs (policy-based validity intervals and the global expiration of the URI). It still seems like an LS shouldn't respond to requests for the location URI while there's no policy document (after a DELETE).

Proposed text:
FROM
"
A DELETE request to a policy URI is a request to delete the referenced policy document and terminate access to the protected resource. If the request is authorized, then the Location Server MUST delete the policy referenced by the URI and disallow any further access to the location resources it governs.

A location URI can thus become invalid in three ways: By the expiration of a validity interval in policy, by the removal of a policy document with a DELETE request, or by the expiry of the HELD-specified validity interval. The former is temporary, since the policy URI can be used to update the validity interval in the policy; the latter two are permanent.
"
TO
"
A DELETE request to a policy URI is a request to delete the referenced policy document. If the request is authorized, then the Location Server MUST delete the policy referenced by the URI and disallow access to the location URIs it governs until a new policy document has been put in place via a PUT request.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Tuesday, May 3, 2011

Re: [Geopriv] Policy-uri comments

On Tue, May 3, 2011 at 6:08 AM, Richard L. Barnes <rbarnes@bbn.com> wrote:

Hey Ted,

<snip>

I have a hard time taking the proxy/log case as a huge threat, given that there are multiple widely-deployed privacy mechanisms out there that rely on possession. For example, every HTTP service that uses API keys in query parameters is subject to this risk, but there are huge numbers of such services. Indeed, OAuth carries tokens in URI parameters.

Then I suggest that the policy URI "age out" over time. As it stands, the policy URI is created by the location server and effectively never changes during the validity interval set for that location. Whenever it is used to get or set policy through a proxy (like a friendly interception proxy, let's say), it may be revealing itself. If the validity interval is long, this may be a problem (my employer may get or my ex-employer may retain access to the policy URI for my "home" location).

I am assuming that a location may be fairly long lived-e.g. created by my cable company for my "home" location and re-used with its policy URI for long periods. If the validity intervals are short and the LS does not re-use the policy URI when a new location URI for that same location is created, this is less of a problem (this latter problem may require some thought in the inputs to a hash-based mechanism for the creation of a policy URI, especially if an LS re-used the random entropy in a new run. It can neither use the location URI nor the location description, I'd guess).

<snip>

> It's also not clear whether a location server that allows clients to inspect policy but not update actually meets the goals of this document, since it either then requires some other side-loading mechanism or is incomplete.

Being pragmatic about this, we can't really legislate what policies LS provider will apply. We could have a requirement that servers allow changes to policy, but that just risks that portion of the spec being unused. IMO, even being able to inspect policy is an improvement over the current state of the art.

No, but we can say that it is recommended for cases where there is no other way to set policy.

> This statement about DELETE:
>
> If the request is authorized, then the Location Server
> deletes the policy referenced by the URI and disallows any further
> access to the location resource it governs.
>
>
> seems to imply that once a policy URI is DELETEd, it cannot be re-created with a PUT. If this is the intent, then this may need to be more explicit. Otherwise,a client may try to DELETE then PUT, rather than just PUTting over the URI. I don't think this is otherwise forbidden.

That was the intended semantic. This also relates to a comment from Hannes, which we tried to address with the following explanatory note:
"
A location URI can thus become invalid in three ways: By the expiration of a validity interval in policy, by the removal of a policy document with a DELETE request, or by the expiry of the HELD-specified validity interval. The former is temporary, since the policy URI can be used to update the validity interval in the policy; the latter two are permanent.
"

Does that make sense?

Not really, no. I was pointing out that some other systems might allow a DELETE of resource X followed by a PUT to resource X as a valid update method, rather than using a PUT to overwrite. This gives those two operations two different semantics, which I find personally confusing. The document says:

A DELETE request to a policy URI is a request to delete the
referenced policy document and terminate access to the protected

resource. If the request is authorized, then the Location Server
deletes the policy referenced by the URI and disallows any further
access to the location resource it governs.

Overloading removing the policy URI with "delete access to the resource" seems like an un-needed optimization to me. As a client writer, I'd update the policy with a validity interval that is gone, set provide-location to false or something similar. That's just my personal take on this obviously, and if other folks feel that this is the optimization to make, I can live with it.

> Given the extensions in section 4.1, should this draft be listed as updating 5985?

That would make sense to me. I'll try to figure out how to do it in xml2rfc :)

regards,

Ted

--Richard

Re: [Geopriv] Policy-uri comments

Hey Ted,

Thanks a lot for your review. Some comments inline:

> For baseline HTTP requests, the policy URI will show up in both proxy caches and local logs, so there is some reason to doubt that relying on a proof-of-possession model will make sense. I think the authors' "allow to inspect" but not update is a reflection of the unease that simply knowing the URI is enough to allow you to change the polcy. Since the policy document itself can leak privacy sensitive data, I think the same issue applies to GET, though I agree that the threat is less.

I have a hard time taking the proxy/log case as a huge threat, given that there are multiple widely-deployed privacy mechanisms out there that rely on possession. For example, every HTTP service that uses API keys in query parameters is subject to this risk, but there are huge numbers of such services. Indeed, OAuth carries tokens in URI parameters.

> I don't personally find the text here and in 8.2 to address this complete enough, partly because the parallel to RFC 5808 isn't justified and partly because the issue isn't tackled head on. At minimum, I think the doc should review the reasons for this choice in more detail. I personally think that a stronger authentication regime should be considered as a SHOULD, with a MAY for the less stringent mechanisms when other conditions are met.

I thought the base problem was that you wanted to provide some basic level of protection to a hosts that connect to a network without having a shared key with the LS. Clearly, a server MAY require authentication, but it doesn't seem to me like there's enough likelihood of an appropriate authentication system being present to make it a SHOULD. Am I missing some obvious cases?

> It's also not clear whether a location server that allows clients to inspect policy but not update actually meets the goals of this document, since it either then requires some other side-loading mechanism or is incomplete.

Being pragmatic about this, we can't really legislate what policies LS provider will apply. We could have a requirement that servers allow changes to policy, but that just risks that portion of the spec being unused. IMO, even being able to inspect policy is an improvement over the current state of the art.

> This statement about DELETE:
>
> If the request is authorized, then the Location Server
> deletes the policy referenced by the URI and disallows any further
> access to the location resource it governs.
>
>
> seems to imply that once a policy URI is DELETEd, it cannot be re-created with a PUT. If this is the intent, then this may need to be more explicit. Otherwise,a client may try to DELETE then PUT, rather than just PUTting over the URI. I don't think this is otherwise forbidden.

That was the intended semantic. This also relates to a comment from Hannes, which we tried to address with the following explanatory note:
"
A location URI can thus become invalid in three ways: By the expiration of a validity interval in policy, by the removal of a policy document with a DELETE request, or by the expiry of the HELD-specified validity interval. The former is temporary, since the policy URI can be used to update the validity interval in the policy; the latter two are permanent.
"
Does that make sense?

> Given the extensions in section 4.1, should this draft be listed as updating 5985?

That would make sense to me. I'll try to figure out how to do it in xml2rfc :)

--Richard
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Monday, May 2, 2011

Re: [Geopriv] draft-ietf-geopriv-policy-uri-00 WGLC

On 5/2/11 3:48 PM, Ted Hardie wrote:

On Thu, Apr 28, 2011 at 10:07 PM, Thomson, Martin <

I'm inclined to classify this as an optimization. So three reasons not to add the parameter:
1. laziness
2. it's probably not too much extra load to create a resource for most types of resources, especially if you optimize for the case where the resource isn't accessed
3. DHCP won't have any hinting

It strikes me that the PUT/DELETE nature of client management of these resources creates a bit of a problem with this multiple-URI approach. If the user has two different clients from which policy updates may come, updates PUT from one must be synchronized to the other URI by some back-end process, or your risk silly states where the user has updated policy using one URI, but the policy accessed from a different client using a different scheme gets old data because the URIs are distinct and no PUT occurred to that URI.

That's a very good point. We would need to add text around this issue.

Did I miss a section where this was described?

No, because the current version of the document makes certain strong assumptions around "HTTP now, HTTP forever." This whole conversation stems from my feedback that we should make the approach more extensible, even if we don't describe other protocols right now. So you won't find any related text in the document at this time.

/a

Re: [Geopriv] draft-ietf-geopriv-policy-uri-00 WGLC

On Thu, Apr 28, 2011 at 10:07 PM, Thomson, Martin <

I'm inclined to classify this as an optimization. So three reasons not to add the parameter:
1. laziness
2. it's probably not too much extra load to create a resource for most types of resources, especially if you optimize for the case where the resource isn't accessed
3. DHCP won't have any hinting

It strikes me that the PUT/DELETE nature of client management of these resources creates a bit of a problem with this multiple-URI approach. If the user has two different clients from which policy updates may come, updates PUT from one must be synchronized to the other URI by some back-end process, or your risk silly states where the user has updated policy using one URI, but the policy accessed from a different client using a different scheme gets old data because the URIs are distinct and no PUT occurred to that URI.

Did I miss a section where this was described?

regards,

Ted Hardie

If another editor manages to overcome #1, then I'm OK with having the hint.

--Martin

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Policy-uri comments

Howdy,

Sorry for the delay in reviewing this document.  I do have some comments.

First is on authorization methods:

    Knowledge of the policy URI can be considered adequate evidence of    authorization.  A Location Server SHOULD allow all requests, but it    MAY deny certain requests based on local policy.  For instance, a    Location Server might allow clients to inspect policy (GET), but not    to update it (PUT).

For baseline HTTP requests, the policy URI will show up in both proxy caches and local logs, so there is some reason to doubt that relying on a proof-of-possession model will make sense.  I think the authors' "allow to inspect" but not update is a reflection of the unease that simply knowing the URI is enough to allow you to change the polcy.  Since the policy document itself can leak privacy sensitive data, I think the same issue applies to GET, though I agree that the threat is less.

 I don't personally find the text here and in 8.2 to address this complete enough, partly because the parallel to RFC 5808 isn't justified and partly because the issue isn't tackled head on.  At minimum, I think the doc should review the reasons for this choice in more detail.  I personally think that a stronger authentication regime should be considered as a SHOULD, with a MAY for the less stringent mechanisms when other conditions are met.

 It's also not clear whether a location server that allows clients to inspect policy but not update actually meets the goals of this document, since it either then requires some other side-loading mechanism or is incomplete.

 This statement about DELETE:

    If the request is authorized, then the Location Server    deletes the policy referenced by the URI and disallows any further    access to the location resource it governs.

 seems to imply that once a policy URI is DELETEd, it cannot be re-created with a PUT.  If this is the intent, then this may need to be more explicit.  Otherwise,a client may try to DELETE then PUT, rather than just PUTting over the URI.  I don't think this is otherwise forbidden.

 Given the extensions in section 4.1, should this draft be listed as updating 5985?

 I'd suggest changing the header for section 8.3.  The meat of the statement appears to me to be:

    To allow for the creation of Target-specific authorization policies    that are adequately privacy-protected, every location URI and policy    URI that is issued to a different Target MUST be different.  That is,    no two client can receive the same location URI or policy URI.

 The current header is simply: Location URI Allocation.

Would it not be better to use something like:

 "Providing distinct Location and Policy URIs"?

 regards,

Ted Hardie

Tuesday, May 31, 2011

Monday, May 30, 2011

Thursday, May 26, 2011

Tuesday, May 24, 2011

Sunday, May 22, 2011

Friday, May 20, 2011

Sunday, May 15, 2011

Monday, May 9, 2011

Thursday, May 5, 2011

Wednesday, May 4, 2011

Tuesday, May 3, 2011

Monday, May 2, 2011

Followers

Blog Archive

Contributors