
Re: Scope of applicability for CUI



On Thu, Dec 23, 2004 at 11:05:39PM +0200, Jari Arkko wrote:
> 
> >Regarding legal interception:
> >
> >Yes they may want certain CUI forms but Opaque may also suffice.  For
> >example, with Opaque values they may insist that the issuer of the opaque
> >CUI not reuse any of the values for six months. That is, they may issue a
> >new opaque value for an identity every month. But will freeze the value
> >for 6 months.
> >
> >Then the law enforcement agency (LEA) can issue a court order and
> >require that the issuer of the opaque value resolve it back to the user
> >identity.
> 
> If legal interception is a requirement, I'm not sure the
> above is sufficient. There are multiple organizations and
> countries involved. If I am visiting in country X and they
> want to intercept all my usage in that country, it does
> not help if CUI indicates "1245@anisp.countryY" -- particularly
> if X and Y don't want to reveal to each other who they are
> tracking. From the point of view of the access network and
> country X, it's much easier to just require cleartext CUIs...
> 
> (I'm just guessing that this might be one of the reasons
> why people want to have non-opaque CUIs. It would be good
> if someone could confirm this.)

This dives into very deep philosophical waters, both as to ethics and
even more profoundly as to the nature of identity.

CUI is CHARGEable user identity.  I've always taken that in the financial
sense, not in the sense of issuance of an indictment.  Even if one were
to accept the latter sense, what could the home server supply that would
uniquely identify a single individual out of the 6+E9 in the world?
Common name is not nearly unique enough, and in the case of many "persons
of interest" these days the variability in transliteration makes it
common for a single individual to legitimately appear variously in ASCII.

IANAL but I can imagine EU privacy regulations forbidding disclosure of
the user's "true" identity to a non-EU network owner, absent evidence of
abuse.  List decorum prevents me from expressing my opinion of my own
country's privacy climate.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
