RE: [Geopriv] WGLC on draft-ietf-geopriv-l7-lcp-ps-00 (PIDF-LO digital signatures)

From: Brian Rosen <br@brianrosen.net>
Date: Thu Mar 08 2007 - 09:39:30 EST

The one thing you miss in this discussion is that it's a LOCAL access
provider providing location to a LOCAL PSAP. That is what makes this
situation different from the general case. Yes, anyone can put up an access
network, but it's always LOCAL to the PSAP.

Also, we have provided a test capability. This will tell an end user that
the location is somehow not pluperfect in advance of needing it.

Again, I ask that instead of saying "no, no, no" you instead somehow say "no
not that, use this". You acknowledge we have a problem. We need solutions.
We'll acknowledge that it's not going to be great, because the world has
changed and the threats have changed, but it should be possible to put
sufficient controls in place to make the threat manageable.

Brian

> -----Original Message-----
> From: Ted Hardie [mailto:hardie@qualcomm.com]
> Sent: Thursday, March 08, 2007 12:41 AM
> To: Henning Schulzrinne; Dawson, Martin
> Cc: GEOPRIV
> Subject: Re: [Geopriv] WGLC on draft-ietf-geopriv-l7-lcp-ps-00 (PIDF-LO digital signatures)
>
> At 9:00 PM -0500 3/7/07, Henning Schulzrinne wrote:
> >As a side note, the 'accredited' thing is a red herring, either way.
> Signed location information is only meaningful if the location signer is
> 'accredited', i.e., known to be reputable, to the PSAP. After all,
> anybody, with a stolen credit card if necessary, can buy a certificate,
> based solely on possession of a domain name, from reputable CAs. That
> certificate can be used to sign any location information. Thus, signing is
> only meaningful if the signer is known and accountable.
>
> As Steve Bellovin has put it: "A general-purpose CA will protect you from
> anyone that they won't take money from".
>
>
> >Now, it may well be that the number of signers is lower or more easily
> knowable in one or the other case, but the principle is the same. We have
> gone through the 'who can sign' before, so I won't repeat that particular
> discussion.
> >
>
> What we still don't seem to have is common understanding of how the threat
> model has changed. For the purposes of DDOS, folks understand very well how
> the change in access models has changed the threat model: in the previous
> system the access network topology circumscribed who could send calls to a
> PSAP, in a way that related fairly well to local geography; that is no
> longer true for the new access network model, and the result is we now need
> to manage a different threat (as the pool of attackers is higher and the
> ddos risk higher).
>
> But the same change has a consequence for trust relationships between
> network providers and PSAP: where the number of network providers was
> bounded, basically anyone can now put up an access network that has
> sufficient to allow access to a VSP. Extending trust to the access networks
> in that model is difficult, time-consuming, and either market-limiting or so
> weak as to be nearly useless. We need to manage that change. Doing so by
> adding cryptographic mechanisms *does no good if they do not reflect the
> trust relationships*.
>
> Define the trust relationships first, and it will get a lot easier to make
> the right choice of mechanism. Choosing a mechanism and then forcing the
> external parties to tailor their relationships to the mechanism is
> procrustean programming of the worst sort, and it tends to leave the
> attackers lots of room to wiggle in.
>
> Ted
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www1.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Thu, 8 Mar 2007 09:39:30 -0500

This archive was generated by hypermail 2.1.8 : Thu Mar 08 2007 - 09:37:42 EST