
[Ecrit] Comments on "Extensions for dealing with Unauthenticated and Unauthorized Devices"



http://tools.ietf.org/html/draft-schulzrinne-ecrit-unauthenticated-access

Section 2 summarizes the status of this document:

   At the time of writing there is no regulation in place that demands
   the functionality described in this memo.  SDOs have started their
   work on this subject in a proactive fashion in the anticipation that
   national regulation will demand it for a subset of network
   environments.

Not only is there no regulation that demands this functionality, but there
is potential legislation relating to authentication and record keeping that
could affect the viability of such a service:
http://news.cnet.com/8301-13578_3-10168114-38.html

In practice, some of these record keeping requirements are already in
effect, due to the implications of legislation such as Sarbanes-Oxley
and HIPAA.

Given this, I'd suggest that the document needs to think more carefully
about the requirements for offering such a service.  This includes not
only the potential (conflicting) regulatory requirements, but also some
of the security issues.  For example, in its response to the IEEE 802.11u
liaison, EMU WG provided a number of questions that needed to be answered:
http://www.ietf.org/mail-archive/web/emu/current/msg00685.html 

   In particular, the ISP MUST allow emergency callers to acquire an IP
   address and to reach a LoST server, either provided by the ISP or
   some third party. It SHOULD also provide location information via
   one of the mechanisms specified in [I-D.ietf-ecrit-phonebcp] without
   requiring authorization unless it can safely assume that all nodes in
   the access network can determine their own location, e.g., via GPS.

Given the current state of knowledge, and the capabilities of the ISP and
enterprise equipment in place, we also need to think carefully about
normative requirements.  For example, some of the older WLAN networks
may have limited abilities to actively advertise multiple networks
(e.g. they may not be able to beacon an Emergency Services network
with access restricted as recommended in the document).

Also, if this work is going to go forward, it should probably be
coordinated with other IETF WGs such as EMU, as well as SDO efforts
such as IEEE 802.11u and more recently, IEEE 802.21.  For example,
the IEEE 802.21 Emergency Services charter can be found below:
https://mentor.ieee.org/802.21/file/08/21-08-0313-03-00es-emergency-services-five-criteria.doc