"Brian Rosen" <br@brianrosen.net> writes:
> I think you have a very hard battle ahead trying to remove the term
> "trust" from security discussions. We are in fact talking about
> trust some times: who does the PSAP trust to generate location
> objects for example.
That's fair enough, but then we aren't talking about "certificates
establishing trust", but rather certificates binding identity or
recording human decisions about trust. I was really just asking for
more clarity of language because I have been finding this difficult to
follow. The word trust is a trigger for me because I've seen the
casual use of the word (not recognizing the above distinction on which
we agree) strongly positively correlated with fuzzy thinking in other
contexts.
> Sometimes we do talk about authenticity of data, which is one of the
> properties you might facilitate with a digital signature. For
> example, a signature can guarantee integrity of the data - it was not
> changed from the signer to the recipient. However, the usefulness
> of that authenticity depends on the trust you have in the signer.
> EvilCorp can legitimately sign something so that it authentically
> came from EvilCorp, but the PSAP may not trust EvilCorp to provide
> location.
Agreed.
> On the other hand, I assume you want us to use "authenticity" to
> mean the authentic location, regardless of who provided it or how we
> got it. Henning of course would want to point out that "authentic
> location" is not the requirement, it's "prevent diversion of PSAP
> and responder resources". Authentic location data is one path to
> meeting that requirement, which might require a trusted entity
> digitally signing a location object. Have I got terms straight?
Yes, that's fine and I understand you. I'd use "accurate" to describe
the location being correct, reserving "authentic" (or the combination
of the "data origin authentication" service and the "integrity"
service) to refer to a message which is known to have originated by
some entity and not been modified. If I tell you I'm in Australia in
this email, the message would still be authentic but not accurate. I
realize that what you want is for very few significantly inaccurate
locations to be delivered to PSAPs, for some values of very few and
significant.
> I do indeed believe it is a requirement that the entity that would sign a
> location be the one that would operate the server that did the provided-by
> dereference (or at least that there is a chain of trust between the two).
That makes sense. I still wonder why L-by-R should use a different
mechanism (TLS) rather than using a regular channel to return a signed
object such as might be used with L-by-V. It seems that indirection
for efficiency/convenience is being combined with security properties
in a way which strikes me (as someone who admittedly has not been
paying close attention) as hard to follow.
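As an added illustration of the distinction drawn in this exchange (not code from the list, from any Geopriv draft, or from either correspondent), the following Go program uses the standard library's Ed25519 to separate three things a PSAP might care about: whether a location object is authentic (data-origin authentication plus integrity under a named signer's key), whether the PSAP has decided to accept that signer (the trust decision), and whether the coordinates are accurate (which no signature can establish). The signer names, the JSON shape of the location object, and the keys are all constructed for the example; the real PIDF-LO format and the L-by-R/L-by-V mechanisms are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// LocationObject is a constructed stand-in for the location object the
// thread discusses (hypothetical JSON shape, not a real PIDF-LO).
type LocationObject struct {
	Country string  `json:"country"`
	Lat     float64 `json:"lat"`
	Lon     float64 `json:"lon"`
}

// SignedLocation carries the serialized object, the signature over it, and
// the name of the entity claiming to have signed it.
type SignedLocation struct {
	Signer    string
	Payload   []byte
	Signature []byte
}

// Verdict separates the two properties the PSAP can decide from the message
// itself. Accuracy is a third, orthogonal property: nothing here can tell
// whether the coordinates are where the caller really is.
type Verdict struct {
	Authentic bool // data-origin authentication + integrity under the named signer's key
	Trusted   bool // policy decision: the PSAP accepts this signer for location
}

// PSAPPolicy holds the PSAP's identity bindings (name -> public key) and its
// separate decision about which of those identities it accepts location from.
type PSAPPolicy struct {
	Keys    map[string]ed25519.PublicKey
	Accepts map[string]bool
}

// SignLocation serializes lo and signs the bytes with the signer's key.
func SignLocation(signer string, priv ed25519.PrivateKey, lo LocationObject) (SignedLocation, error) {
	payload, err := json.Marshal(lo)
	if err != nil {
		return SignedLocation{}, err
	}
	return SignedLocation{Signer: signer, Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Evaluate first checks authenticity (can the bytes be tied to the named
// signer, unmodified?) and only then applies the trust decision.
func (p PSAPPolicy) Evaluate(sl SignedLocation) Verdict {
	pub, known := p.Keys[sl.Signer]
	if !known || !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return Verdict{} // unknown signer or modified payload: not authentic, so trust is moot
	}
	return Verdict{Authentic: true, Trusted: p.Accepts[sl.Signer]}
}

// Scenario builds the three cases from the thread with constructed keys:
// an accepted provider, EvilCorp (authentic but not accepted), and the
// accepted provider's object altered in transit (integrity failure).
func Scenario() (trusted, evil, tampered Verdict, err error) {
	goodPub, goodPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	evilPub, evilPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	policy := PSAPPolicy{
		Keys:    map[string]ed25519.PublicKey{"GoodProvider": goodPub, "EvilCorp": evilPub},
		Accepts: map[string]bool{"GoodProvider": true}, // EvilCorp is identified but not accepted
	}

	// A signed claim that the caller is in Australia. It may be inaccurate;
	// the signature says nothing about that.
	lo := LocationObject{Country: "AU", Lat: -33.87, Lon: 151.21}

	good, err := SignLocation("GoodProvider", goodPriv, lo)
	if err != nil {
		return
	}
	trusted = policy.Evaluate(good)

	bad, err := SignLocation("EvilCorp", evilPriv, lo)
	if err != nil {
		return
	}
	evil = policy.Evaluate(bad)

	// Flip one byte of the good object after signing: same accepted signer,
	// but integrity no longer holds, so it is not authentic.
	altered := SignedLocation{Signer: good.Signer, Payload: append([]byte(nil), good.Payload...), Signature: good.Signature}
	altered.Payload[len(altered.Payload)-2] ^= 0x01
	tampered = policy.Evaluate(altered)
	return
}

func main() {
	trusted, evil, tampered, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted provider: %+v\n", trusted)
	fmt.Printf("EvilCorp:          %+v\n", evil)
	fmt.Printf("tampered:          %+v\n", tampered)
}
```

The point of keeping `Keys` and `Accepts` as separate maps is the one made above: a certificate or key binding answers "who signed this", while the PSAP's acceptance list records a human decision about whom to believe for location, and neither says anything about whether the coordinates are correct.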
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
This archive was generated by hypermail 2.1.8 : Wed Mar 21 2007 - 16:47:46 EDT