Early Review of draft-ietf-geopriv-held-identity-extensions-
This is an early security directorate review at the request of the working group.
This draft is of extensions to existing drafts. Those existing
drafts permit a Device to request its location using HTTP based on the
source IP address in the requesting packets and include security
precautions based on the transport used. The first extension expands
"identity" to beyond a simple IP address by providing additional or
alternative identity. The second extension permits an authorized third
party to request the location of a Device for which it provides the
The data representation used within location requests is XML and,
while the schema given looks reasonable, I didn't review it in detail.
Privacy and Security Considerations
This draft appears to have good grasp on the security problems in
authenticating a suitable identity for the requestor of location
information and the Device whose location is sought. The problems and
the general unsuitability of transient or ambiguous identities are
discussed as is the care that needs to be taken with identities that
might have different meaning depending on network context, such as an
address beyond a NAT box.
Appropriate authentication of identity elements is mandated.
The draft reasonably specifies that a policy establishment mechanism
must exist which dictates when a third party would be authorized to
request the location of a Device and that the default policy must be
to deny all such requests.
Overall, at the high level provided, the Privacy and and Security
Considerations look good.
Notwithstanding the fact that it is expanded in the title of the
document, it couldn't hurt to also give the expansion of HELD in the
Terminology section of the draft. Sometimes people fail to see things
in what you would think was the most obvious place :-)
I found this draft a bit heavy on the acronyms that, in some cases,
make it a little harder to understand while saving only a little
space, but this is just a matter of taste.
Donald E. Eastlake 3rd +1-508-634-2066 (home)
155 Beaver Street
Milford, MA 01757 USA
d3e3e3 at gmail.com