Location Requirements - Working under failure

From: Rosen, Brian <Brian.Rosen@marconi.com>
Date: Wed Jul 17 2002 - 08:09:32 EDT

One of the uses for the geopriv object is in emergency services
requests. I am concerned about what happens under failure. The
kind of problem I worry about is making an emergency call on
a VoIP phone which is not "logged in". Actually, it can get
worse. In the mobile world, you have to be able to make
a call to emergency services even if the phone is not authorized
(i.e., it has no service agreement). This makes it challenging
to support authentication and to do key negotiation for
encryption.

So, whatever crypto is specified in the object itself has to work
in these scenarios. It may not be necessary to drop all crypto.
We just have to work under challenging conditions.

Additionally, I worry about what happens under the failure of
the crypto. Suppose, for whatever reason, the mechanism
fails to authenticate. One might say that they would prefer
to not be able to reach what is supposed to be an emergency
service provider. Others, myself included, would rather
get the information through even if authentication failed.
I'd rather not get into a discussion of who did what wrong
when I need help. What is more likely to happen when
I need help - something went wrong, and a valid emergency
provider is not authenticating, or some nefarious person
is impersonating my emergency service provider? I'm not
at all denying that the latter circumstance could arise.
Indeed, it might be a good tactic in a terrorist attack if it was
feasible to intercept emergency calls. It's just that I
think that it's much more likely to have the "good" case
occur rather than the bad case happen.

I would like to have a requirement that states this should
be possible. I recognize that I should "send text". I will,
but not tonight.

Brian
Received on Wed Jul 17 08:10:05 2002

This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:23 EST