Re: [Geopriv] coming to terms on location by reference

From: Henning Schulzrinne <hgs@cs.columbia.edu>
Date: Wed Sep 13 2006 - 15:02:50 EDT

Brian Rosen wrote:
>> I don't see an issue for this in a jurisdiction where the emergency
>> services authority does have the authorization to obtain location at any
>> time. The way it is managed in those jurisdictions is that there are a
>> very limited number of entities that can make this query and they are
>> provided with a certificate from a jurisdiction-based certificate
>> authority. Note that I assume a jurisdiction typically equals a country
>> in this instance though it can be anything.
> While I believe that, in normal circumstances, this can be made to work
> reliably, I don't want to create a situation in which a failure here causes
> a call to not get location.

There's also a more subtle issue. Since the LIS doesn't know when
there's an emergency, such a certificate essentially gives every PSAP,
i.e., every police department, the immediate and continuous ability to
obtain the movement records of citizens anywhere in the country, without
the (modest) check of having to present a warrant to the carrier and a
fairly extensive approval process which is reasonably heavy-weight.

At least some people might find such a capability a bit scary.

Even if you don't worry about being snooped on officially, it
significantly lowers the bar for local mischief by rogue or bored PSAP
call takers or first responders. There have been enough stories about
surveillance cameras being used for "entertainment" purposes that I'd
rather not give random employees in two-person PSAPs run on a kitchen
table (which roughly describes the one in my town) the capability to do
that.

In addition, there are likely to be various non-governmental entities
that might handle emergency calls, such as the equivalent of OnStar or
VSP-operated default call centers. They would presumably also need the
ability to query for location information. Now, I'm giving such
capability to minimum-wage call center employees that used to sell
replacement windows the week before.

There's also a more unlikely failure scenario: Unless there's some kind
of certification body and capability-based certs, you end up with
thousands to tens of thousands of entities sharing the same private key.
This is not a comforting thought.

Even with capability-based certs, this mechanism has a particularly
nasty single-compromise failure. If a bad actor manages to obtain one
such certificate (by pretexting, say, to use the word of the week), that
bad actor can get the location information of the whole citizenry of the
whole country, not just the call records of a few board members.

In short, some protocol capabilities are best left out since they are
just too dangerous when they *succeed*. (There are other ways to deal
with L-by-R authorization, but I find the certificate one particularly
objectionable and dangerous. I'm very troubled that proponents of L-by-R
advocate them.)

>
> I agree that the configuration protocol (endpoint to LIS) should be the same
> whether it's LbyR or LbyV. It does not follow that the dereference protocol
> (between the dereferencer and the LIS) should be the same. If the LCP had a
> policy upload function, I would consider that a good thing. I'm not sure
> it's a requirement that it be the same protocol, but I think it's very
> desirable.

For the case of SIMPLE, XCAP is the to-be standardized policy upload
protocol. It seems unlikely that this would be appropriate for the other
functions.

Henning

Received on Wed, 13 Sep 2006 15:02:50 -0400