Re: Last Call: <draft-allen-dispatch-imei-urn-as-instanceid-10.txt> (Using the International Mobile station Equipment Identity(IMEI)URN as an Instance ID) to Informational RFC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

At 07:35 19-07-2013, The IESG wrote:

The IESG has received a request from an individual submitter to consider
the following document:
- 'Using the International Mobile station Equipment Identity(IMEI)URN as
   an Instance ID'
  <draft-allen-dispatch-imei-urn-as-instanceid-10.txt> as Informational
RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2013-08-16. Exceptionally, comments may be


Section 4 describes the 3GPP use case as:

  "The mobile device includes its IMEI in the SIP REGISTER request
   so that the registrar can perform a check of the Equipment Identity
   Register (EIR) to verify if this mobile device is allowed or barred
   from accessing the network for non-emergency services"
The draft then argues that non-REGISTER requests except in case of an emergency. 

In Section 5:

  'A UAC MUST NOT include the "sip.instance" media feature tag
   containing the GSMA IMEI URN in the Contact header field of non-
   REGISTER requests except when the request is related to an emergency
   session.  Regulatory requirements can require the IMEI to be provided
   to the Public Safety Answering Point (PSAP).  Any future exceptions
   to this prohibition require a RFC that addresses how privacy is not
   violated by such a usage.'
My reading of the above is there is a privacy violation but that violation is considered acceptable in the use case mentioned above. Any other use case requires a RFC to be published. There is an additional requirement; the RFC has to address how privacy is not violated. It is an unusual requirement in a RFC. 

From Section 9:

  'In particular, the "sip.instance" media feature tag containing the
   GSMA IMEI URN MUST NOT be included in requests or responses intended
   to convey any level of anonymity.'
The above can be interpreted in various ways. The problem might be that the draft builds upon RFC 5626 which states that "some other privacy concern requires that the UA not reveal its identity". It may be better to state that there is a violation of privacy.
The draft does not discuss about the weakness of the mechanism or how what it proposes can be used for wiretapping. 

Regards,
S. Moonesamy
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]