Eric Rescorla wrote:
> At Fri, 11 Sep 2009 07:57:02 -0700 (PDT),
> Ole Jacobsen wrote:
>>
>> Inline.
>>
>> On Fri, 11 Sep 2009, Eric Rescorla wrote:
>>
>>> At Thu, 10 Sep 2009 12:23:31 -0700 (PDT),
>>>> * Each attendee will be issued an RFID card at the registration desk.
>>>>   The information stored on the card is ONLY a number, no personal
>>>>   data is stored on the card. (Note: the attendee can opt out at any
>>>>   time, including not collecting the card, see below).
>>> Note that removing your name from the database doesn't remove the
>>> ability of someone to track you via the tag.
>> If this is a great concern I would suggest either returning the card
>> or not collecting it in the first place. Also, the type of readers
>> used require close proximity to trigger, you literally have to touch
>> the reader with your card to make it work. So nobody from the host
>> organization at least will be tracking you. I am also not sure what
>> value there is in knowing that 3478273983421 spent 10 minutes in trill
>> and then moved on to behave (pun intended).
>
> Well, I think it's important to distinguish two different threat
> scenarios:
>
> 1. Tracking via the sensors that IETF has emplaced.
> 2. Tracking via sensors that others emplace [it's important to
>    note that just because the readers you have are low power
>    and can only work at close range, that doesn't mean it's not
>    possible to have readers that work at longer ranges.]

spoofing via replay is an equally viable and entertaining possibility
for something you might in the future, potentially use for an
attendance tracking system.

> In the first scenario, it's probably true that you can only
> gather limited amounts of information, but in the second scenario,
> the amount of information that can be gathered is limited primarily
> by the number of sensors you're willing to emplace.
> I can imagine a number of scenarios where it would be attractive
> to know where a given individual is at all times (for starters,
> people often have private side meetings with customers at IETF
> and if you had positional information you might be able to learn
> about this). I certainly would not want to be tracked everywhere
> I went.
>
> This brings us to the question of the identifiers: it's certainly
> true that systems which are anonymous but linkable offer a higher
> level of privacy than those which do not. However, it's often
> possible to determine which identifier a given person has
> (e.g., by observing a specific person's card being read), then
> you can of course track them by name. In addition, if the
> identifier->person mapping isn't generated securely and kept
> confidential, then you may be able to quickly determine a
> large fraction of the mapping.
>
>
>>>> * The "information" (number) on the card is not encrypted and could be
>>>>   read by any RFID reader, but again, it's only a number.
>>> How are the numbers assigned?
>> Don't know, but I have asked. I am guessing they are pre-assigned in
>> the sense that each card has a unique ID that is later mapped to the
>> database.
>
> OK, but the details matter here. For instance, if you have a stack
> of cards with sequential serial numbers and you assign them in
> sequence to the people in the attendee list (e.g., at the time
> right before the meeting), you wouldn't need to know too many
> mappings to determine most of the database.
>
>
> I'm not trying to make an argument for or against this experiment:
> I don't even expect to be in Hiroshima, so it doesn't really
> matter to me one way or the other.
> However, given that the IETF has
> extensive experience in this kind of secure systems design and
> in fact has an entire WG (GEOPRIV) devoted to thinking about the
> dissemination and privacy of positional information, it seems like
> it would be nice to get a little more clarity about the security
> of the proposed system.
>
> -Ekr
>
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
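
The point raised in the thread about how card numbers are assigned can be checked with a short simulation. This is an added example, not part of the original message; the attendee names, serial numbers and function names are constructed for illustration. It compares handing out sequentially numbered cards in attendee-list order with assigning unpredictable IDs, and measures how much of the ID-to-person database two observed badge reads reveal.

```python
import secrets

# Constructed sample data: a public attendee list in alphabetical order.
ATTENDEES = sorted(f"attendee-{i:03d}" for i in range(200))

def assign_sequential(attendees, first_serial=5000):
    """Cards taken off a stack with consecutive serials, issued in list order."""
    return {first_serial + i: name for i, name in enumerate(attendees)}

def assign_random(attendees):
    """Each attendee gets an unpredictable 64-bit ID from a CSPRNG."""
    mapping = {}
    for name in attendees:
        card_id = secrets.randbits(64)
        while card_id in mapping:  # retry on the (negligible) collision
            card_id = secrets.randbits(64)
        mapping[card_id] = name
    return mapping

def infer_mapping(observed, attendees):
    """What an observer of a few (card_id, name) pairs can deduce,
    assuming cards were issued in attendee-list order."""
    index = {name: i for i, name in enumerate(attendees)}
    offsets = {card_id - index[name] for card_id, name in observed.items()}
    if len(offsets) != 1:
        return dict(observed)  # no consistent pattern: only observed pairs leak
    offset = offsets.pop()
    return {offset + i: name for i, name in enumerate(attendees)}

def exposed_fraction(true_mapping, observed_count=2):
    """Fraction of the ID->person database recoverable from a few observations."""
    observed = dict(list(true_mapping.items())[:observed_count])
    guess = infer_mapping(observed, ATTENDEES)
    hits = sum(1 for cid, name in guess.items() if true_mapping.get(cid) == name)
    return hits / len(true_mapping)

if __name__ == "__main__":
    print("sequential:", exposed_fraction(assign_sequential(ATTENDEES)))
    print("random:    ", exposed_fraction(assign_random(ATTENDEES)))
```

With random assignment the exposure stays at the pairs actually observed, which is why the mapping has to be both generated unpredictably and kept confidential.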