At 9:00 PM -0500 3/7/07, Henning Schulzrinne wrote:
>As a side note, the 'accredited' thing is a red herring, either way. Signed location information is only meaningful if the location signer is 'accredited', i.e., known to be reputable, to the PSAP. After all, anybody, with a stolen credit card if necessary, can buy a certificate, based solely on possession of a domain name, from reputable CAs. That certificate can be used to sign any location information. Thus, signing is only meaningful if the signer is known and accountable.
As Steve Bellovin has put it: "A general-purpose CA will protect you from anyone
that they won't take money from".
>Now, it may well be that the number of signers is lower or more easily knowable in one or the other case, but the principle is the same. We have gone through the 'who can sign' before, so I won't repeat that particular discussion.
>
What we still don't seem to have is common understanding of how the threat model has
changed. For the purposes of DDOS, folks understand very well how the change in
access models has changed the threat model: in the previous system the
access network topology circumscribed who could send calls to a PSAP, in a way
that related fairly well to local geography; that is no longer true for the new access
network model, and the result is we now need to manage a different threat
(as the pool of attackers is higher and the DDOS risk higher).

But the same change has a consequence for trust relationships between
network providers and PSAP: where the number of network providers was
bounded, basically anyone can now put up an access network that has sufficient
to allow access to a VSP. Extending trust to the access networks in that model
is difficult, time-consuming, and either market-limiting or so weak as to be
nearly useless. We need to manage that change. Doing so by adding
cryptographic mechanisms *does no good if they do not reflect the trust
relationships*.

Define the trust relationships first, and it will get a lot easier to make the right
choice of mechanism. Choosing a mechanism and then forcing the external
parties to tailor their relationships to the mechanism is procrustean programming
of the worst sort, and it tends to leave the attackers lots of room to wiggle in.

Ted
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Wed, 7 Mar 2007 21:41:16 -0800