hi ken,
please see my comment inline:
> > authorization is a pretty broad term (and the same is true for
> > "prioritization"). we came across a few authorization issues in our
> > discussion at the ecrit working group meeting. maybe you can explain which
> > requirement you would like to see being outside the scope of
> > ecrit (or in scope for ieprep).
>
> I would not agree that authorization is a broad term within the confines
> of the ietf, or for that matter the ecrit wg. authorization has specific
> meanings within the IETF (rfc-2906, AAA Authorization requirements is
> probably a good reference point). But the point is taken that *how*
> authorization is applied within ecrit should be more specific.
>
> I don't recall authorization issues being brought up at the last meeting.
> There were discussions about authentication and integrity with respect to
> location information, both those are different beasts.
i should have been more specific.
you might remember the presentation by james about validation of location
information. he pointed out that access network provides location
information to the end host in such a way that the emergency response center
is able to verify that a "trusted" access network created the object and
(maybe that this network is indeed responsible for the area).
we had some further discussions about this issue in the geopriv working
group. i also consider this as part of the authorization decision.
there are still a number of issues that need to be investigated and
discussed (and i am not sure that i understood all aspects; the same is
probably true for other folks as well).
>
> just to loosely recap from my previous message, I think it would be
> beneficial in one of the requirements documents to state something to
> the effect that "solutions must not require authorization by (end)
> users to access 911/999/112-type services".
there will not be a 'must be authenticated' and 'must be authorized'
requirement for 911/etc. calls (what we have heard so far in the
discussions).
we have also heard that the treatment of emergency calls will be different
depending on the provided attributes. some calls are better than others. if
you receive a call that does not contain location information nor the
identity of the calling party then you need to give it special treatment.
some of these attributes, such as the assertion mentioned above, can be used
to compute an authorization decision.
we should also discuss what the meaning of the authorization decision in the
context you mention (rfc 2906) is. do you think about 'user x is subscribed
i.e. was successfully authenticated' or 'user x has sufficient funds' or
'user x is within a specific geographical area' etc.
i think that most people do not make an assumption about authorization in
this particular area. i would like to know what type of authorization the
ieprep folks consider.
> The keyword of "must" versus "should" is something I'd leave to the
> prospective author(s).
>
ciao
\hannes
> -ken
>
_______________________________________________
Ecrit mailing list
Ecrit@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ecrit