Let us take the current example of the shipping container, and run through
with the terminology.
The co-sighted user (co-located user) (the "user carrying the target") does
not exist in the case of the shipping container.
The owner (in the conventional sense) of the shipping container exists in
the real world, but outside the model. They will have to enter into our
model as a "policy proponent" P1 if they care about location privacy of the
target.
Let us assume, for the sake of discussion, that the owner of the sighting
(aka location fix owner, or loosely speaking, location owner) is the
carrier LO1 (as per legal norms in the particular country where the
sighting occurred). Therefore the policy engine PE must execute on behalf
of LO1, who is the location owner and the carrier.
Let us make it more interesting. Let us assume that the shipping contains
contraband, and there exists another superior "policy proponent" P2 who
has proposed a policy designed to expose the sighting (location) to P2 (or
to another principal designated by P2, we will ignore this detail for now).
The policy engine PE executes under the principal LO1. This gives PE the
right and the responsibility to disclose the sighting to P2. (LO1 is
accountable to P2 if this does not work as expected). However PE (or
LO1) has no right to disclose the sighting to other parties, unless allowed
by P1 (LO1 is accountable to P1 if this does not work as expected).
Does that help?
Cheers
-- Ajith
--
John W Noerenberg II <jwn2@qualcomm.com> on 12/14/2001 03:46:11 AM
To: Adam Shostack <adam@zeroknowledge.com>
cc: "Rosen, Brian" <Brian.Rosen@marconi.com>, Ajith
Narayanan/Singapore/IBM@IBMSG, "'John Morris '" <jmorris@cdt.org>,
"'geopriv'" <geopriv@mail.apps.ietf.org>
Subject: Re: Terminology
At 2:07 PM -0500 12/13/01, Adam Shostack wrote:
>I think your earlier example of using geopriv in conjunction with
>inanimate carriers of targets is an example of where the split between
>carry and assert matters. The entity (say a shipping container)
>doesn't care about its location privacy, but its owner may.
It certainly matters in a legal sense. But you can't incorporate
this into the information flows affecting access decisions driven by
a privacy policy function. Once the parameters of the function have
been determined, they can be evaluated by any proxy empowered to do
so.
We should be clear that the parameters are generated by the owner of
the location data. But having established that, the owner is not
directly part of the model. A legal formalism simply doesn't have a
place in a network model.
best,
--
john noerenberg
jwn2@qualcomm.com
----------------------------------------------------------------------
While the belief we have found the Answer can separate us
and make us forget our humanity, it is the seeking that continues
to bring us together, the makes and keeps us human.
-- Daniel J. Boorstin, "The Seekers", 1998
----------------------------------------------------------------------
Received on Thu Dec 13 22:56:27 2001