RE: [Geopriv] WGLC on draft-ietf-geopriv-l7-lcp-ps-00 (PIDF-LO digital signatures)

From: Brian Rosen
Date: Thu Mar 08 2007 - 09:42:59 EST

I think the key word below is "public" in the phrase "public access
infrastructure". The reality of the Internet is that not all access is
public. That limits what we can do.

It's still local. That helps a lot.


> -----Original Message-----
> From: Dawson, Martin
> Sent: Thursday, March 08, 2007 1:04 AM
> Subject: RE: [Geopriv] WGLC on draft-ietf-geopriv-l7-lcp-ps-00 (PIDF-LO
> digital signatures)
>
> I'd like to challenge the following premise:
>
> "... where the number of network providers was
> bounded, basically anyone can now put up an access network that has
> sufficient to allow access to a VSP."
>
> In fact, the number of physical public access infrastructure providers
> is comparable for Internet access as it is for PSTN, including cellular.
> Until somebody invents and deploys subspace internet access technology,
> the same constraint of geographic co-location applies just as it did for
> the PSTN.
>
> (if this degenerates into the Pringle can debate again, then I'd refer
> people to the NENA archives)
>
> Including ISPs certainly blows the number out but there is no strict
> requirement for them to be included in the trust model - any more than
> there is for the PSAP to know that a cellular call that appears to come
> from the Verizon network is really one coming from a subscriber of any
> one of a squillion MVNOs - MVNOs who don't actually own their own access
> infrastructure.
>
> As long as the location is signed by a trusted public access
> infrastructure provider then dependability is established. The
> infrastructure operator has the audit records that show who the actual
> ISP for a given location was. The recent liaison document on location
> acquisition protocols that came from ESIF described this relationship
> model between ISPs and infrastructure providers. It's a recommended
> read.
>
> If we wanted to extend the PIDF-LO to include a chain of provider
> identities so the location recipient had direct access to a signed
> record of provider identities then that's certainly a good option to
> discuss.
>
> Cheers,
> Martin
>
> -----Original Message-----
> From: Ted Hardie
> Sent: Thursday, 8 March 2007 4:41 PM
> To: Henning Schulzrinne; Dawson, Martin
> Subject: Re: [Geopriv] WGLC on draft-ietf-geopriv-l7-lcp-ps-00 (PIDF-LO
> digital signatures)
>
> At 9:00 PM -0500 3/7/07, Henning Schulzrinne wrote:
> >As a side note, the 'accredited' thing is a red herring, either way.
> >Signed location information is only meaningful if the location signer is
> >'accredited', i.e., known to be reputable, to the PSAP. After all,
> >anybody, with a stolen credit card if necessary, can buy a certificate,
> >based solely on possession of a domain name, from reputable CAs. That
> >certificate can be used to sign any location information. Thus, signing
> >is only meaningful if the signer is known and accountable.
>
> As Steve Bellovin has put it: "A general-purpose CA will protect you
> from anyone that they won't take money from".
>
> >Now, it may well be that the number of signers is lower or more easily
> >knowable in one or the other case, but the principle is the same. We
> >have gone through the 'who can sign' before, so I won't repeat that
> >particular discussion.
> >
>
> What we still don't seem to have is common understanding of how the
> threat model has changed. For the purposes of DDOS, folks understand
> very well how the change in access models has changed the threat model:
> in the previous system the access network topology circumscribed who
> could send calls to a PSAP, in a way that related fairly well to local
> geography; that is no longer true for the new access network model, and
> the result is we now need to manage a different threat (as the pool of
> attackers is higher and the ddos risk higher).
>
> But the same change has a consequence for trust relationships between
> network providers and PSAP: where the number of network providers was
> bounded, basically anyone can now put up an access network that has
> sufficient to allow access to a VSP. Extending trust to the access
> networks in that model is difficult, time-consuming, and either
> market-limiting or so weak as to be nearly useless. We need to manage
> that change. Doing so by adding cryptographic mechanisms *does no good
> if they do not reflect the trust relationships*.
>
> Define the trust relationships first, and it will get a lot easier to
> make the right choice of mechanism. Choosing a mechanism and then
> forcing the external parties to tailor their relationships to the
> mechanism is procrustean programming of the worst sort, and it tends to
> leave the attackers lots of room to wiggle in.
>
> Ted
> _______________________________________________
> Geopriv mailing list

Received on Thu, 8 Mar 2007 09:42:59 -0500

This archive was generated by hypermail 2.1.8 : Thu Mar 08 2007 - 09:41:10 EST