Internet Engineering Task Force (IETF) R. Barnes
Request for Comments: 6280 M. Lepinski
BCP: 160 BBN Technologies
Updates: 3693, 3694 A. Cooper
Category: Best Current Practice J. Morris
ISSN: 2070-1721 Center for Democracy & Technology
H. Tschofenig
Nokia Siemens Networks
H. Schulzrinne
Columbia University
July 2011
Internet Engineering Task Force (IETF) R. Barnes
Request for Comments: 6280 M. Lepinski
BCP: 160 BBN Technologies
Updates: 3693, 3694 A. Cooper
Category: Best Current Practice J. Morris
ISSN: 2070-1721 Center for Democracy & Technology
H. Tschofenig
Nokia Siemens Networks
H. Schulzrinne
Columbia University
July 2011
An Architecture for Location and Location Privacy in Internet Applications
Internet应用中的位置和位置隐私体系结构
Abstract
摘要
Location-based services (such as navigation applications, emergency services, and management of equipment in the field) need geographic location information about Internet hosts, their users, and other related entities. These applications need to securely gather and transfer location information for location services, and at the same time protect the privacy of the individuals involved. This document describes an architecture for privacy-preserving location-based services in the Internet, focusing on authorization, security, and privacy requirements for the data formats and protocols used by these services.
基于位置的服务(如导航应用程序、应急服务和现场设备管理)需要有关互联网主机、其用户和其他相关实体的地理位置信息。这些应用程序需要为定位服务安全地收集和传输位置信息,同时保护相关个人的隐私。本文档描述了Internet中保护隐私的基于位置的服务的体系结构,重点介绍了这些服务所使用的数据格式和协议的授权、安全和隐私要求。
Status of This Memo
关于下段备忘
This memo documents an Internet Best Current Practice.
本备忘录记录了互联网最佳实践。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关BCP的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6280.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6280.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................3
1.1. Binding Rules to Data ......................................4
1.2. Location-Specific Privacy Risks ............................5
1.3. Privacy Paradigms ..........................................6
2. Terminology Conventions .........................................7
3. Overview of the Architecture ....................................7
3.1. Basic Geopriv Scenario .....................................8
3.2. Roles and Data Formats ....................................10
4. The Location Life Cycle ........................................12
4.1. Positioning ...............................................13
4.1.1. Determination Mechanisms and Protocols .............14
4.1.2. Privacy Considerations for Positioning .............16
4.1.3. Security Considerations for Positioning ............16
4.2. Location Distribution .....................................17
4.2.1. Privacy Rules ......................................17
4.2.2. Location Configuration .............................19
4.2.3. Location References ................................20
4.2.4. Privacy Considerations for Distribution ............21
4.2.5. Security Considerations for Distribution ...........23
4.3. Location Use ..............................................24
4.3.1. Privacy Considerations for Use .....................25
4.3.2. Security Considerations for Use ....................25
5. Security Considerations ........................................25
6. Example Scenarios ..............................................28
6.1. Minimal Scenario ..........................................28
6.2. Location-Based Web Services ...............................29
6.3. Emergency Calling .........................................31
6.4. Combination of Services ...................................32
7. Glossary .......................................................35
8. Acknowledgements ...............................................38
9. References .....................................................38
9.1. Normative References ......................................38
9.2. Informative References ....................................38
1. Introduction ....................................................3
1.1. Binding Rules to Data ......................................4
1.2. Location-Specific Privacy Risks ............................5
1.3. Privacy Paradigms ..........................................6
2. Terminology Conventions .........................................7
3. Overview of the Architecture ....................................7
3.1. Basic Geopriv Scenario .....................................8
3.2. Roles and Data Formats ....................................10
4. The Location Life Cycle ........................................12
4.1. Positioning ...............................................13
4.1.1. Determination Mechanisms and Protocols .............14
4.1.2. Privacy Considerations for Positioning .............16
4.1.3. Security Considerations for Positioning ............16
4.2. Location Distribution .....................................17
4.2.1. Privacy Rules ......................................17
4.2.2. Location Configuration .............................19
4.2.3. Location References ................................20
4.2.4. Privacy Considerations for Distribution ............21
4.2.5. Security Considerations for Distribution ...........23
4.3. Location Use ..............................................24
4.3.1. Privacy Considerations for Use .....................25
4.3.2. Security Considerations for Use ....................25
5. Security Considerations ........................................25
6. Example Scenarios ..............................................28
6.1. Minimal Scenario ..........................................28
6.2. Location-Based Web Services ...............................29
6.3. Emergency Calling .........................................31
6.4. Combination of Services ...................................32
7. Glossary .......................................................35
8. Acknowledgements ...............................................38
9. References .....................................................38
9.1. Normative References ......................................38
9.2. Informative References ....................................38
Location-based services (applications that require information about the geographic location of an individual or device) are becoming increasingly common on the Internet. Navigation and direction services, emergency services, friend finders, management of equipment in the field, and many other applications require geographic location information about Internet hosts, their users, and other related entities. As the accuracy of location information improves and the expense of calculating and obtaining it declines, the distribution and use of location information in Internet-based services will likely become increasingly pervasive. Ensuring that location
基于位置的服务(需要个人或设备地理位置信息的应用)在互联网上越来越普遍。导航和方向服务、紧急服务、好友查找、现场设备管理以及许多其他应用程序需要有关互联网主机、其用户和其他相关实体的地理位置信息。随着位置信息准确性的提高以及计算和获取位置信息的费用的下降,基于互联网的服务中位置信息的分发和使用可能会变得越来越普遍。确保该位置
information is transmitted and accessed in a secure and privacy-protective way is essential to the future success of these services, as well as the minimization of the privacy harms that could flow from their wide deployment and use.
以安全和隐私保护的方式传输和访问信息对于这些服务的未来成功以及将其广泛部署和使用可能带来的隐私危害降至最低至关重要。
Standards for communicating location information over the Internet have an important role to play in providing a technical basis for privacy and security protection. This document describes a standardized privacy- and security-focused architecture for location-based services in the Internet: the Geopriv architecture. The central component of the Geopriv architecture is the location object, which is used to convey both location information about an individual or device and user-specified privacy rules governing that location information. As location information moves through its life cycle -- positioning, distribution, and use by its ultimate recipient(s) -- Geopriv provides mechanisms to secure the integrity and confidentiality of location objects and to ensure that location information is only transmitted in compliance with the user's privacy rules.
通过互联网传播位置信息的标准在为隐私和安全保护提供技术基础方面发挥着重要作用。本文档描述了互联网中基于位置的服务的标准化隐私和安全体系结构:Geopriv体系结构。Geopriv体系结构的核心组件是location对象,它用于传递有关个人或设备的位置信息以及管理该位置信息的用户指定隐私规则。随着位置信息在其生命周期中的移动(定位、分发和最终接收者的使用),Geopriv提供了保护位置对象完整性和机密性的机制,并确保位置信息的传输仅符合用户的隐私规则。
The goals of this document are two-fold: First, the architecture described revises and expands on the basic Geopriv Requirements [2] [3], in order to clarify how these privacy concerns and the Geopriv architecture apply to use cases that have arisen since the publication of those documents. Second, this document provides a general introduction to Geopriv and Internet location-based services, and is useful as a good first document for readers new to Geopriv.
本文件的目标有两个方面:首先,所描述的体系结构修改并扩展了Geopriv的基本要求[2][3],以澄清这些隐私问题和Geopriv体系结构如何应用于自这些文件发布以来出现的用例。其次,本文档对Geopriv和基于互联网位置的服务进行了总体介绍,对于刚接触Geopriv的读者来说,本文档是很有用的第一篇文档。
A central feature of the Geopriv architecture is that location information is always bound to privacy rules to ensure that entities that receive location information are informed of how they may use it. These rules can convey simple directives ("do not share my location with others"), or more robust preferences ("allow my spouse to know my exact location all of the time, but only allow my boss to know it during work hours"). By creating a structure to convey the user's preferences along with location information, the likelihood that those preferences will be honored necessarily increases. In particular, no recipient of the location information can disavow knowledge of users' preferences for how their location may be used. The binding of privacy rules to location information can convey users' desire for and expectations of privacy, which in turn helps to bolster social and legal systems' protection of those expectations.
Geopriv体系结构的一个中心特征是位置信息始终与隐私规则相绑定,以确保接收位置信息的实体了解如何使用位置信息。这些规则可以传达简单的指令(“不要与他人分享我的位置”),或更强烈的偏好(“允许我的配偶随时知道我的确切位置,但只允许我的老板在工作时间知道我的位置”)。通过创建一个结构来传达用户的偏好和位置信息,这些偏好得到满足的可能性必然增加。特别地,位置信息的接收者不能否认用户对于如何使用其位置的偏好的知识。将隐私规则与位置信息绑定可以传达用户对隐私的渴望和期望,这反过来有助于加强社会和法律系统对这些期望的保护。
Binding of usage rules to sensitive information is a common way of protecting information. Several emerging schemes for expressing copyright information provide for rules to be transmitted together with copyrighted works. The Creative Commons [28] model is the most prominent example, allowing an owner of a work to set four types of rules ("Attribution", "Noncommercial", "No Derivative Works", and "ShareAlike") governing the subsequent use of the work. After the author sets these rules, the rules are conveyed together with the work itself, so that every recipient is aware of the copyright terms.
将使用规则绑定到敏感信息是保护信息的常用方法。一些新兴的版权信息表达方案规定了与版权作品一起传输的规则。知识共享[28]模式是最突出的例子,允许作品所有者设定四种类型的规则(“归属”、“非商业性”、“无衍生作品”和“类似共享”)来管理作品的后续使用。在作者制定这些规则后,这些规则将与作品本身一起传达,以便每个接收者都知道版权条款。
Classification systems for controlling sensitive documents within an organization are another example. In these systems, when a document is created, it is marked with a classification such as "SECRET" or "PROPRIETARY". Each recipient of the document knows from this marking that the document should only be shared with other people who are authorized to access documents with that marking. Classification markings can also convey other sorts of rules, such as a specification for how long the marking is valid (a declassification date). The United States Department of Defense guidelines for classification [4] provide one example.
另一个例子是用于控制组织内敏感文档的分类系统。在这些系统中,创建文档时,文档会标记为“机密”或“专有”等分类。文件的每个接收人都知道,文件只能与有权访问带有该标记的文件的其他人共享。分类标记还可以传达其他种类的规则,例如标记有效期的说明(解密日期)。美国国防部分类指南[4]提供了一个例子。
While location-based services raise some privacy concerns that are common to all forms of personal information, many of them are heightened, and others are uniquely applicable in the context of location information.
虽然基于位置的服务引起了一些隐私问题,这些问题对于所有形式的个人信息都是常见的,但其中许多问题得到了加强,而其他一些问题则特别适用于位置信息。
Location information is frequently generated on or by mobile devices. Because individuals often carry their mobile devices with them, location data may be collected everywhere and at any time, often without user interaction, and it may potentially describe both what a person is doing and where he or she is doing it. For example, location data can reveal the fact that an individual was at a particular medical clinic at a particular time. The ubiquity of location information may also increase the risks of stalking and domestic violence if perpetrators are able to use (or abuse) location-based services to gain access to location information about their victims.
位置信息通常在移动设备上或由移动设备生成。由于个人经常随身携带移动设备,因此位置数据可以随时随地收集,通常不需要用户交互,并且可能描述一个人正在做什么以及他或她在哪里做。例如,位置数据可以揭示个人在特定时间在特定医疗诊所的事实。如果犯罪者能够使用(或滥用)基于位置的服务获取受害者的位置信息,那么位置信息的无处不在也可能增加跟踪和家庭暴力的风险。
Location information is also of particular interest to governments and law enforcers around the world. The existence of detailed records of individuals' movements should not automatically facilitate the ability for governments to track their citizens, but in some jurisdictions, laws dictating what government agents must do to obtain location data are either non-existent or out of date.
世界各国政府和执法人员对位置信息也特别感兴趣。个人移动详细记录的存在不应自动促进政府追踪其公民的能力,但在某些管辖区,规定政府机构必须采取哪些行动以获取位置数据的法律要么不存在,要么已经过时。
Traditionally, the extent to which data about individuals enjoys privacy protections on the Internet has largely been decided by the recipients of the data. Internet users may or may not be aware of the privacy practices of the entities with whom they share data. Even if they are aware, they have generally been limited to making a binary choice between sharing data with a particular entity or not sharing it. Internet users have not historically been granted the opportunity to express their own privacy preferences to the recipients of their data and to have those preferences honored.
传统上,个人数据在互联网上享有隐私保护的程度在很大程度上取决于数据的接收者。互联网用户可能知道也可能不知道与其共享数据的实体的隐私做法。即使他们知道,他们通常也只能在与特定实体共享数据或不共享数据之间做出二进制选择。从历史上看,互联网用户没有机会向数据接收者表达自己的隐私偏好,也没有机会尊重这些偏好。
This paradigm is problematic because the interests of data recipients are often not aligned with the interests of data subjects. While both parties may agree that data should be collected, used, disclosed, and retained as necessary to deliver a particular service to the data subject, they may not agree about how the data should otherwise be used. For example, an Internet user may gladly provide his email address on a Web site to receive a newsletter, but he may not want the Web site to share his email address with marketers, whereas the Web site may profit from such sharing. Neither providing the address for both purposes nor deciding not to provide it is an optimal option from the Internet user's perspective.
这种范式是有问题的,因为数据接收者的兴趣往往与数据主体的兴趣不一致。虽然双方可能同意应收集、使用、披露和保留数据,以向数据主体提供特定服务,但可能不同意以其他方式使用数据。例如,互联网用户可能乐意在网站上提供其电子邮件地址以接收时事通讯,但他可能不希望网站与营销人员共享其电子邮件地址,而网站可能会从此类共享中获益。从互联网用户的角度来看,无论是出于两个目的提供地址,还是决定不提供地址,都不是最佳选择。
The Geopriv model departs from this paradigm for privacy protection. As explained above, location information can be uniquely sensitive. And as location-based services emerge and proliferate, they increasingly require standardized protocols for communicating location information between services and entities. Recognizing both of these dynamics, Geopriv gives data subjects the ability to express their choices with respect to their own location information, rather than allowing the recipients of the information to define how it will be used. The combination of heightened privacy risk and the need for standardization compelled the Geopriv designers to shift away from the prevailing Internet privacy model, instead empowering users to express their privacy preferences about the use of their location information.
Geopriv模型背离了这种隐私保护模式。如上所述,位置信息可能是唯一敏感的。随着基于位置的服务的出现和普及,它们越来越需要在服务和实体之间传输位置信息的标准化协议。认识到这两种动态,Geopriv让数据主体能够表达他们对自己位置信息的选择,而不是让信息接收者定义如何使用信息。隐私风险的增加和标准化的需要迫使Geopriv设计师改变了流行的互联网隐私模型,转而授权用户表达他们对位置信息使用的隐私偏好。
Geopriv does not, by itself, provide technical means through which it can be guaranteed that users' location privacy rules will be honored by recipients. The privacy protections in the Geopriv architecture are largely provided by virtue of the fact that recipients of location information are informed of relevant privacy rules, and are expected to only use location information in accordance with those rules. The distributed nature of the architecture inherently limits the degree to which compliance can be guaranteed and verified by technical means. Section 5 describes how some security mechanisms can address this to a limited extent.
Geopriv本身并没有提供技术手段来保证接收者遵守用户的位置隐私规则。Geopriv体系结构中的隐私保护在很大程度上是通过以下事实提供的:位置信息的接收者被告知相关的隐私规则,并且期望仅根据这些规则使用位置信息。体系结构的分布式本质固有地限制了通过技术手段保证和验证法规遵从性的程度。第5节描述了一些安全机制如何在有限的范围内解决这一问题。
By binding privacy rules to location information, however, Geopriv provides valuable information about users' privacy preferences, so that non-technical forces such as legal contracts, governmental consumer protection authorities, and marketplace feedback can better enforce those privacy preferences. If a commercial recipient of location information, for example, violates the location rules bound to the information, the recipient can in a growing number of countries be charged with violating consumer or data protection laws. In the absence of a binding of rules with location information, consumer protection authorities would be less able to protect individuals whose location information has been abused.
然而,通过将隐私规则与位置信息绑定,Geopriv提供了有关用户隐私偏好的宝贵信息,因此法律合同、政府消费者保护机构和市场反馈等非技术力量可以更好地实施这些隐私偏好。例如,如果位置信息的商业接收者违反了与信息相关的位置规则,那么在越来越多的国家,接收者可能会被指控违反消费者或数据保护法。如果没有对位置信息具有约束力的规则,消费者保护机构将无法保护位置信息被滥用的个人。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[1]中所述进行解释。
Throughout the remainder of this document, capitalized terms defined in Section 7 refer to Geopriv-specific roles and formats; the same terms used in all lowercase refer generically to those terms.
在本文件其余部分中,第7节中定义的大写术语指Geopriv的特定角色和格式;所有小写字母中使用的相同术语通常指这些术语。
This section provides an overview of the Geopriv architecture for the secure and private distribution of location information on the Internet. We describe the three phases of the "location life cycle" -- positioning, distribution, and use -- and discuss how the components of the architecture fit within each phase. The next section provides additional detail about how each phase can be achieved in a private and secure manner.
本节概述了Geopriv体系结构,该体系结构用于在互联网上安全和私有地分发位置信息。我们描述了“位置生命周期”的三个阶段——定位、分发和使用——并讨论了架构的组件如何适应每个阶段。下一节将提供有关如何以私有和安全的方式实现每个阶段的更多详细信息。
The risks discussed in the previous section all arise from unauthorized disclosure or usage of location information. Thus, the Geopriv architecture has two fundamental privacy goals:
上一节讨论的风险都来自未经授权的位置信息披露或使用。因此,Geopriv体系结构有两个基本的隐私目标:
1. Ensure that location information is distributed only to authorized entities, and
1. 确保位置信息仅分发给授权实体,以及
2. Provide information to those entities about how they are authorized to use the location information.
2. 向这些实体提供有关其如何被授权使用位置信息的信息。
If these two goals are met, all parties that receive location information will also receive directives about how they can use that information. Privacy-preserving entities will only engage in authorized uses, and entities that violate privacy will do so knowingly, since they have been informed of what is authorized (and thus, implicitly, of what is not).
如果满足这两个目标,所有接收位置信息的各方也将收到关于如何使用该信息的指令。保护隐私的实体只会进行授权使用,侵犯隐私的实体会在知情的情况下这样做,因为他们已经被告知哪些是授权的(因此,隐含地说,哪些不是授权的)。
Privacy rules and their distribution are thus the central technical components of the privacy system, since they inform location recipients about how they are authorized to use that information. The two goals in the preceding paragraph are enabled by two classes of rules:
因此,隐私规则及其发布是隐私系统的核心技术组成部分,因为它们告知位置接收者他们如何被授权使用该信息。上段中的两个目标由两类规则实现:
1. Access control rules: Rules that describe which entities may receive location information and in what form
1. 访问控制规则:描述哪些实体可以接收位置信息以及以何种形式接收位置信息的规则
2. Usage rules: Rules that describe what uses of location information are authorized
2. 使用规则:描述授权使用位置信息的规则
Within this framework for privacy, security mechanisms provide support for the application of privacy rules. For example, authentication mechanisms validate the identities of entities requesting a location (so that authorization and access-control policies can be applied), and confidentiality mechanisms protect location information en route between privacy-preserving entities. Security mechanisms can also provide assurances that are outside the purview of privacy by, for example, assuring location recipients that location information has been faithfully transmitted to them by its creator.
在此隐私框架内,安全机制为隐私规则的应用提供支持。例如,身份验证机制验证请求位置的实体的身份(以便可以应用授权和访问控制策略),保密机制保护隐私保护实体之间路由的位置信息。安全机制还可以提供隐私权范围之外的保证,例如,通过向位置接收者保证位置信息已由其创建者忠实地传输给他们。
As location information is transmitted among Internet hosts, it goes through a "location life cycle": first, the location is computed based on some external information (positioning), and then it is transmitted from one host to another (distribution) until finally it is used by a recipient (use).
当位置信息在Internet主机之间传输时,它会经历一个“位置生命周期”:首先,根据一些外部信息(定位)计算位置,然后从一个主机传输到另一个主机(分发),直到最终被接收者使用(使用)。
For example, suppose Alice is using a mobile device, she learns of her location from a wireless location service, and she wishes to share her location privately with her friends by way of a presence service. Alice clearly needs to provide the presence server with her location and rules about which friends can be provided with her location. To enable Alice's friends to preserve her privacy, they need to be provided with privacy rules. Alice may tell some of her friends the rules directly, or she can have the presence server provide the rules to her friends when it provides them with her location. In this way, every friend who receives Alice's location is authorized by Alice to receive it, and every friend who receives it knows the rules. Good friends will obey the rules. If a bad friend breaks them and Alice finds out, the bad friend cannot claim that he was unaware of the rules.
例如,假设Alice正在使用移动设备,她通过无线定位服务了解自己的位置,并希望通过状态信息服务与朋友私下分享自己的位置。Alice显然需要向状态服务器提供她的位置以及可以向哪些朋友提供她的位置的规则。为了使Alice的朋友能够保护她的隐私,需要为他们提供隐私规则。Alice可以直接告诉她的一些朋友规则,或者她可以让状态服务器在向朋友提供她的位置时向他们提供规则。通过这种方式,每个收到Alice地址的朋友都被Alice授权接收它,并且每个收到它的朋友都知道规则。好朋友会遵守规则。如果一个坏朋友打破了规则,爱丽丝发现了,那么这个坏朋友就不能声称他不知道规则。
Some of Alice's friends will be interested in using Alice's location only for their own purposes, for example, to meet up with her or plot her location over time. The usage rules that they receive direct them as to what they can or cannot do (for example, Alice might not want them keeping her location for more than, say, two weeks).
Alice的一些朋友只会出于自己的目的而使用Alice的位置,例如,与她会面或随着时间的推移规划她的位置。他们收到的使用规则指导他们可以做什么或不能做什么(例如,Alice可能不希望他们将她的位置保留超过两周)。
Consider one friend, Bob, who wants to send Alice's location to some of his friends. To operate in a privacy-protective way, Bob needs not only usage rules for himself, but also access control rules that describe who he can send information to and rules to give to the recipients. If the rules he received from the presence server authorize him to give Alice's location to others, he may do so; otherwise, he will require additional rules from Alice before he is authorized to distribute her location. If recipients who receive Alice's location from Bob want to distribute the location information further, they must go through the same process as Bob.
想想一个朋友鲍伯,他想把爱丽丝的位置寄给他的一些朋友。为了以保护隐私的方式进行操作,Bob不仅需要自己的使用规则,还需要描述他可以向谁发送信息的访问控制规则以及向接收者提供信息的规则。如果他从状态服务器收到的规则授权他将Alice的位置提供给其他人,他可以这样做;否则,在获得授权分发Alice的位置之前,他将要求Alice提供额外的规则。如果从Bob处接收Alice位置的收件人希望进一步分发位置信息,则他们必须经历与Bob相同的过程。
The whole example is illustrated in the following figure:
整个示例如下图所示:
+----------+
| Wireless |
| Location |
| Service | Retrieve
+----------+ Access Control Rules
| +--------------------------------+
| | +--------------------------+ |
Location | | Access | |
| | | Control Rules v |
| | | +-----+
| | | | Bob |
| | | |+---+|--> ...
| | | +----->||PC ||
........... v | | ++---++
| +------+| +----------+ |
| |Mobile|+--Location->| Presence |--Location-->| +----------+
| |Phone || | Server | |---->| Friend-1 |
| +------++---Rules--->| |---Rules---->| +----------+
| Alice | +----------+ |
| O | |
| /|\ | | +----------+
| / \ | +---->| Friend-2 |
`---------' +----------+
+----------+
| Wireless |
| Location |
| Service | Retrieve
+----------+ Access Control Rules
| +--------------------------------+
| | +--------------------------+ |
Location | | Access | |
| | | Control Rules v |
| | | +-----+
| | | | Bob |
| | | |+---+|--> ...
| | | +----->||PC ||
........... v | | ++---++
| +------+| +----------+ |
| |Mobile|+--Location->| Presence |--Location-->| +----------+
| |Phone || | Server | |---->| Friend-1 |
| +------++---Rules--->| |---Rules---->| +----------+
| Alice | +----------+ |
| O | |
| /|\ | | +----------+
| / \ | +---->| Friend-2 |
`---------' +----------+
Figure 1: Basic Geopriv Scenario
图1:基本Geopriv场景
The above example illustrates the six basic roles in the Geopriv architecture:
上述示例说明了Geopriv体系结构中的六个基本角色:
Target: An individual or other entity whose location is sought in the Geopriv architecture. In many cases, the Target will be the human user of a Device, but it can also be an object such as a vehicle or shipping container to which a Device is attached. In some instances, the Target will be the Device itself. The Target is the entity whose privacy Geopriv seeks to protect. Alice is the Target in Figure 1.
目标:在Geopriv架构中寻找其位置的个人或其他实体。在许多情况下,目标将是设备的人类用户,但也可以是设备所连接的对象,如车辆或运输容器。在某些情况下,目标将是设备本身。目标是Geopriv寻求保护其隐私的实体。Alice是图1中的目标。
Device: The physical device, such as a mobile phone, PC, or embedded micro-controller, whose location is tracked as a proxy for the location of a Target. Alice's mobile phone is the Device in Figure 1.
设备:物理设备,如移动电话、PC或嵌入式微控制器,其位置作为目标位置的代理进行跟踪。Alice的手机如图1所示。
Rule Maker (RM): Performs the role of creating rules governing access to location information for a Target. In some cases, the Target performs the Rule Maker role (as is the case with Alice), and in other cases they are separate. For example, a parent may serve as the Rule Maker when the Target is his child, or a corporate security officer may serve as the Rule Maker for devices owned by the corporation but used by employees. The Rule Maker is also not necessarily the owner of the Device. For example, a corporation may provide a Device to an employee but permit the employee to serve as the Rule Maker and set her own privacy rules.
规则制定者(RM):执行创建规则的角色,这些规则管理对目标位置信息的访问。在某些情况下,目标执行规则制定者角色(Alice就是这样),而在其他情况下,它们是分开的。例如,当目标是其子女时,父母可以作为规则制定者,或者公司安全官员可以作为公司拥有但员工使用的设备的规则制定者。规则制定者也不一定是设备的所有者。例如,公司可以向员工提供设备,但允许该员工担任规则制定者并设置自己的隐私规则。
Location Generator (LG): Performs the roles of initially determining or gathering the location of the Device and providing it to Location Servers. Location Generators may be any sort of software or hardware used to obtain the Device's location. Examples include Global Positioning System (GPS) chips and cellular networks. A Device may even perform the Location Generator role for itself; Devices capable of unassisted satellite-based positioning and Devices that accept manually entered location information are two examples. The wireless location service plays the Location Generator role in Figure 1.
位置生成器(LG):执行最初确定或收集设备位置并将其提供给位置服务器的任务。位置生成器可以是用于获取设备位置的任何类型的软件或硬件。例如全球定位系统(GPS)芯片和蜂窝网络。设备甚至可以为自己执行位置生成器角色;两个例子是能够独立进行基于卫星的定位的设备和能够接受手动输入的位置信息的设备。无线位置服务在图1中扮演位置生成器的角色。
Location Server (LS): Performs the roles of receiving location information and rules, applying the rules to the location information to determine what other entities, if any, can receive location information, and providing the location to Location Recipients. Location Servers receive location information from Location Generators and rules from Rule Makers, and then apply the rules to the location information. Location Servers may not necessarily be "servers" in the colloquial sense of hosts in
位置服务器(LS):执行以下任务:接收位置信息和规则,将规则应用于位置信息以确定哪些其他实体(如果有)可以接收位置信息,并将位置提供给位置收件人。位置服务器从位置生成器接收位置信息,从规则制定者接收规则,然后将规则应用于位置信息。位置服务器不一定是计算机中主机的口语意义上的“服务器”
remote data centers servicing requests. Rather, a Location Server can be any software or hardware component that distributes location information. Examples include a server in an access network, a presence server, or a Web browser or other software running on a Device. The above example includes three Location Servers: Alice's mobile phone, the presence service, and Bob's PC.
为请求提供服务的远程数据中心。相反,位置服务器可以是分发位置信息的任何软件或硬件组件。示例包括接入网络中的服务器、状态服务器、Web浏览器或设备上运行的其他软件。上面的示例包括三个位置服务器:Alice的移动电话、状态服务和Bob的PC。
Location Recipient (LR): Performs the role of receiving location information. A Location Recipient may ask for a location explicitly (by sending a query to a Location Server), or it may receive a location asynchronously. The presence service, Bob, Friend-1, and Friend-2 are Location Recipients in Figure 1.
位置接收者(LR):执行接收位置信息的角色。位置接收者可以明确请求位置(通过向位置服务器发送查询),也可以异步接收位置。状态服务Bob、Friend-1和Friend-2是图1中的位置收件人。
In general, these roles may or may not be performed by physically separate entities, as demonstrated by the entities in Figure 1, many of which perform multiple roles. It is not uncommon for the same entity to perform both the Location Generator and Location Server roles, or both the Location Recipient and Location Server roles. A single entity may take on multiple roles simply by virtue of its own capabilities and the permissions provided to it.
通常,这些角色可能由物理上独立的实体执行,也可能不由物理上独立的实体执行,如图1中的实体所示,其中许多实体执行多个角色。同一实体同时执行位置生成器和位置服务器角色,或同时执行位置收件人和位置服务器角色的情况并不少见。一个实体可以仅仅凭借其自身的能力和提供给它的权限来承担多个角色。
Although in the above example there is only a single Location Generator and a single Rule Maker, in some cases a Location Server may receive Location Objects from multiple Location Generators or Rules from multiple Rule Makers. Likewise, a single Location Generator may publish location information to multiple Location Servers, and a single Location Recipient may receive Location Objects from multiple Location Servers.
尽管在上面的示例中只有一个位置生成器和一个规则生成器,但在某些情况下,位置服务器可能会从多个位置生成器接收位置对象或从多个规则生成器接收规则。类似地,单个位置生成器可以将位置信息发布到多个位置服务器,并且单个位置接收者可以从多个位置服务器接收位置对象。
There is a close relationship between a Target and its Device. The term "Device" is used when discussing protocol interactions, whereas the term "Target" is used when discussing generically the person or object being located and its privacy. While in the example above there is a one-to-one relationship between the Target and the Device, Geopriv can also be used to convey location information about a device that is not directly linked to a single individual or object, such as a Device shared by multiple individuals.
目标与其设备之间有着密切的关系。术语“设备”用于讨论协议交互,而术语“目标”用于一般讨论所定位的人或对象及其隐私。虽然在上面的示例中,目标和设备之间存在一对一的关系,但Geopriv还可用于传送关于未直接链接到单个个人或对象的设备的位置信息,例如由多个个人共享的设备。
Two data formats are necessary within this architecture:
此体系结构中需要两种数据格式:
Location Object (LO): An object used to convey location information together with Privacy Rules. Geopriv supports both geodetic location data (latitude, longitude, altitude, etc.) and civic location data (street, city, state, etc.). Either or both types of location information may be present in a single LO (see the considerations in [5] for LOs containing multiple locations). Location Objects typically include some sort of identifier of the Target.
位置对象(LO):用于传递位置信息和隐私规则的对象。Geopriv支持大地测量位置数据(纬度、经度、海拔等)和城市位置数据(街道、城市、州等)。一个LO中可能存在一种或两种类型的位置信息(对于包含多个位置的LO,请参见[5]中的注意事项)。位置对象通常包括目标的某种标识符。
Privacy Rule: A directive that regulates an entity's activities with respect to location information, including the collection, use, disclosure, and retention of the location information. Privacy Rules describe which entities may obtain location information in what form (access control rules) and how location information may be used by an entity (usage rules).
隐私规则:一项指令,规定实体在位置信息方面的活动,包括位置信息的收集、使用、披露和保留。隐私规则描述哪些实体可以以何种形式获取位置信息(访问控制规则)以及实体如何使用位置信息(使用规则)。
The whole example, using Geopriv roles and formats, is illustrated in the following figure:
下图显示了使用Geopriv角色和格式的整个示例:
+----+
| LG |
+----+
^
|
Positioning
Data
|
| +------------Privacy Rules------------------>+----+
| | +---->| LR |--> ...
| | | | LS |
v | | +----+
+-------+ |
|Target | +----+ | +----+
|Device |--------------->| LR |---------------+---->| LR |
| RM | LO | LS | LO | +----+
| LS | +----+ |
+-------+ |
| +----+
+---->| LR |
+----+
+----+
| LG |
+----+
^
|
Positioning
Data
|
| +------------Privacy Rules------------------>+----+
| | +---->| LR |--> ...
| | | | LS |
v | | +----+
+-------+ |
|Target | +----+ | +----+
|Device |--------------->| LR |---------------+---->| LR |
| RM | LO | LS | LO | +----+
| LS | +----+ |
+-------+ |
| +----+
+---->| LR |
+----+
Figure 2: Basic Geopriv Scenario
图2:基本Geopriv场景
The previous section gave an example of how an individual's location can be distributed through the Internet. In general, the location life cycle breaks down into three phases:
上一节举例说明了如何通过互联网分发个人的位置。通常,位置生命周期分为三个阶段:
1. Positioning: A Location Generator determines the Device's location.
1. 定位:位置生成器确定设备的位置。
2. Distribution: Location Servers send location information to Location Recipients, which may in turn act as Location Servers and further distribute the location to other Location Recipients, possibly several times.
2. 分发:位置服务器将位置信息发送给位置收件人,而位置收件人又可能充当位置服务器,并将位置进一步分发给其他位置收件人,可能会分发多次。
3. Use: A Location Recipient receives the location and uses it.
3. 使用:位置收件人接收并使用该位置。
Each of these phases involves a different set of Geopriv roles, and each has a different set of privacy and security implications. The Geopriv roles are mapped onto the location life cycle in the figure below.
每个阶段都涉及一组不同的Geopriv角色,每个阶段都有一组不同的隐私和安全含义。Geopriv角色映射到下图中的位置生命周期。
+----------+
| Rule |+
| Maker(s)||
Positioning | ||
Data +----------+|
| +----------+
| | Rules
| |
| |
V V
+----------+ +----------+ +----------+
|Location | Location | Location |+ LO |Location |
|Generator |--------------->| Server(s)||-------------->|Recipient |
| | | || | |
+----------+ +----------+| +----------+
+----------+
<-------------------------><---------------------------><----------->
Positioning Distribution Use
+----------+
| Rule |+
| Maker(s)||
Positioning | ||
Data +----------+|
| +----------+
| | Rules
| |
| |
V V
+----------+ +----------+ +----------+
|Location | Location | Location |+ LO |Location |
|Generator |--------------->| Server(s)||-------------->|Recipient |
| | | || | |
+----------+ +----------+| +----------+
+----------+
<-------------------------><---------------------------><----------->
Positioning Distribution Use
Figure 3: Location Life Cycle
图3:位置生命周期
Positioning is the process by which the physical location of the Device is computed, based on some observations about the Device's situation in the physical world. (This process goes by several other names, including Location Determination or Sighting.) The input to the positioning process is some information about the Device, and the outcome is that the LG knows the location of the Device.
定位是根据对设备在物理世界中的情况的一些观察,计算设备物理位置的过程。(这个过程有几个其他名称,包括定位或瞄准。)定位过程的输入是关于设备的一些信息,结果是LG知道设备的位置。
In this section, we give a brief taxonomy of current positioning systems, their requirements for protocol support, and the privacy and security requirements for positioning.
在本节中,我们将简要介绍当前定位系统的分类、它们对协议支持的要求以及定位的隐私和安全要求。
While the specific positioning mechanisms that can be applied for a given Device are strongly dependent on the physical situation and capabilities of the Device, these mechanisms generally fall into the three categories described in detail below:
虽然可应用于给定设备的特定定位机制强烈依赖于设备的物理状况和能力,但这些机制通常分为以下三类:
o Device-based
o 基于设备
o Network-based
o 基于网络的
o Network-assisted
o 网络辅助
As suggested by the above names, a positioning scheme can rely on the Device, an Internet-accessible resource (not necessarily a network operator), or a combination of the two. For a given scheme, the nature of this reliance will dictate the protocol mechanisms needed to support it.
如上述名称所示,定位方案可以依赖于设备、互联网可访问资源(不一定是网络运营商)或两者的组合。对于给定的方案,这种依赖的性质将决定支持它所需的协议机制。
With Device-based positioning mechanisms, the Device is capable of determining its location by itself. This is the case for a manually entered location or for (unassisted) satellite-based positioning using a Global Navigation Satellite System (GNSS). In these cases, the Device acts as its own LG, and there are no protocols required to support positioning beyond those that transmit the positioning data from the satellite to the user.
通过基于设备的定位机制,设备能够自行确定其位置。对于手动输入的位置或使用全球导航卫星系统(GNSS)的基于卫星的(无辅助)定位,情况就是如此。在这些情况下,该设备充当其自己的LG,并且除了那些将定位数据从卫星传输给用户的协议外,不需要任何支持定位的协议。
In network-based positioning schemes, an external LG (an Internet host other than the Device) has access to sufficient information about the Device, through out-of-band channels, to establish the position of the Device. The most common examples of this type of LG are entities that have a physical relationship to the Device (such as ISPs). In wired networks, wiremap-based location is a network-based technique; in wireless networks, timing and signal-strength-based techniques that use measurements from base stations are considered to be network-based. Large-scale IP-to-geo databases (for example, those based on WHOIS data or latency measurements) are also considered to be network-based positioning mechanisms.
在基于网络的定位方案中,外部LG(设备以外的互联网主机)可以通过带外信道访问关于设备的足够信息,以确定设备的位置。此类LG最常见的例子是与设备有物理关系的实体(如ISP)。在有线网络中,基于wiremap的定位是一种基于网络的技术;在无线网络中,使用来自基站的测量的基于定时和信号强度的技术被认为是基于网络的。大规模IP-to-geo数据库(例如,基于WHOIS数据或延迟测量的数据库)也被认为是基于网络的定位机制。
For network-based positioning as for Device-based, no protocols for communication between the Device and the LG are strictly necessary to support positioning, since positioning information is collected outside of the location distribution system (at lower layers of the network stack, for example). This does not rule out the use of other Internet protocols (like the Simple Network Management Protocol (SNMP)) to collect inputs to the positioning process. Rather, since these inputs can only be used by certain LGs to determine location, they are not controlled as private information. Network-based
对于基于网络的定位,与基于设备的定位一样,设备和LG之间的通信协议对于支持定位是绝对必要的,因为定位信息是在位置分配系统之外收集的(例如,在网络堆栈的较低层)。这并不排除使用其他互联网协议(如简单网络管理协议(SNMP))来收集定位过程的输入。相反,由于这些输入只能由某些LGs用于确定位置,因此它们不作为私人信息进行控制。基于网络的
positioning often provides location information to protocols by which the network informs a Device of its own location. These are known as Location Configuration Protocols; see Section 4.2.2 for further discussion.
定位通常向协议提供位置信息,网络通过这些协议通知设备自己的位置。这些被称为位置配置协议;进一步讨论见第4.2.2节。
Network-assisted systems account for the greatest number and diversity of positioning schemes. In these systems, the work of positioning is divided between the Device and an external LG via some communication (possibly over the Internet), typically in one of two ways:
网络辅助系统占据了定位方案的最大数量和多样性。在这些系统中,定位工作通过某种通信(可能通过互联网)在设备和外部LG之间分配,通常采用以下两种方式之一:
o The Device provides measurements to the LG, or
o 设备向LG提供测量值,或
o The LG provides assistance data to the Device.
o LG向设备提供辅助数据。
"Measurements" are understood to be observations about the Device's environment, ranging from wireless signal strengths to the Media Access Control (MAC) address of a first-hop router. "Assistance" is the complement to measurement, namely the positioning information that enables the computation of location based on measurements. A set of wireless base station locations (or wireless calibration information) would be an assistance datum, as would be a table that maps routers to buildings in a corporate campus.
“测量”被理解为对设备环境的观察,范围从无线信号强度到第一跳路由器的媒体访问控制(MAC)地址。“辅助”是对测量的补充,即能够基于测量计算位置的定位信息。一组无线基站位置(或无线校准信息)将是一个辅助数据,就像一个将路由器映射到公司校园内建筑物的表格一样。
For example, wireless and wired networks can serve as the basis for network-assisted positioning. In several current 802.11 positioning systems, the Device sends measurements (e.g., MAC addresses and signal strengths) to an LG, and the LG returns a location to the client. In wired networks, the Device can send its MAC address to the LG, which can query the MAC-layer infrastructure to determine the switch and port to which that MAC address is connected, then query a wire map to determine the location at which the wire connected to that port terminates.
例如,无线和有线网络可以作为网络辅助定位的基础。在一些当前的802.11定位系统中,设备向LG发送测量值(例如MAC地址和信号强度),LG向客户端返回位置。在有线网络中,设备可以向LG发送其MAC地址,LG可以查询MAC层基础设施以确定该MAC地址连接到的交换机和端口,然后查询接线图以确定连接到该端口的导线的终止位置。
As an aside, the common phrase "assisted GPS" ("assisted GNSS" more broadly) actually encompasses techniques that transmit both measurements and assistance data. Systems in which the Device provides the LG with GNSS measurements are measurement-based, while those in which the assistance server provides ephemeris or almanac data are assistance-based in the above terminology. (Those familiar with GNSS positioning will note that there are of course cases in which both of these interactions occur within a single location determination protocol, so the categories are not mutually exclusive.)
另一方面,“辅助全球定位系统”(更广泛地说是“辅助全球导航卫星系统”)这一常用短语实际上包括传输测量数据和辅助数据的技术。设备向LG提供全球导航卫星系统测量的系统是基于测量的,而协助服务器提供星历或历书数据的系统是基于上述术语的协助。(熟悉全球导航卫星系统定位的人会注意到,当然,在某些情况下,这两种相互作用都发生在一个位置确定协议中,因此这些类别并不相互排斥。)
Naturally, the exchange of measurement or positioning data between the Device and the LG requires a protocol over which the information is carried. The structure of this protocol will depend on which of
当然,设备和LG之间的测量或定位数据交换需要一个承载信息的协议。该协议的结构将取决于以下哪种协议:
the two patterns a network-assisted scheme follows. Conversely, the structure of the protocol will determine which of the two parties (the Device, the LG, or both) is aware of the Device's location at the end of the protocol interaction.
网络辅助方案遵循两种模式。相反,协议的结构将确定双方(设备、LG或两者)中的哪一方在协议交互结束时知道设备的位置。
Positioning is the first point at which location may be associated with a particular Device and may be associated with the Target's identity. Local identifiers, unlinked pseudonyms, or private identifiers that are not linked to the real identity of the Target should be used as forms of identity whenever possible. This provides privacy protection by disassociating the location from the Target's identity before it is distributed.
定位是第一个点,在该点位置可以与特定设备相关联,并且可以与目标的身份相关联。本地标识符、未链接的假名或未链接到目标真实身份的私有标识符应尽可能用作身份的形式。这通过在分发位置之前解除位置与目标身份的关联来提供隐私保护。
At the conclusion of the positioning process, the entity acting as the LG has the Device's location. If the Device is performing the LG role, then both the Device and LG have it. If the entity acting as the LG also performs the role of LS, the privacy considerations in Section 4.2.4 apply.
定位过程结束时,作为LG的实体拥有设备的位置。如果设备正在执行LG角色,则设备和LG都具有该角色。如果作为LG的实体也担任LS,则第4.2.4节中的隐私注意事项适用。
In some deployment scenarios, positioning functions and distribution functions may need to be provided by separate entities, in which case the LG and LS roles will not be performed by the same entity. In this situation, the LG acts as a "dumb", non-privacy-aware positioning resource, and the LS provides the privacy logic necessary to support distribution (possibly with multiple LSes using the same LG). In order to allow the privacy-unaware LG to distribute location information to these LSes while maintaining privacy, the relationship between the LG and its set of LSes MUST be tightly constrained (effectively "hard-wired"). That is, the LG MUST only provide location information to a small fixed set of LSes, and each of these LSes MUST comply with the requirements of Section 4.2.4.
在某些部署场景中,定位功能和分发功能可能需要由单独的实体提供,在这种情况下,LG和LS角色将不由同一实体执行。在这种情况下,LG充当“哑”的、无隐私意识的定位资源,LS提供支持分发所需的隐私逻辑(可能多个LSE使用同一LG)。为了让不了解隐私的LG在维护隐私的同时向这些LSE分发位置信息,LG与其LSE组之间的关系必须受到严格约束(实际上是“硬连接”)。也就是说,LG必须只向一小部分固定的LSE提供位置信息,并且每个LSE必须符合第4.2.4节的要求。
Manipulation of the positioning process can expose location information through two mechanisms:
定位过程的操纵可通过两种机制公开位置信息:
1) A third party could guess or derive measurements about a specific device and use them to get the location of that Device. To mitigate this risk, the LG SHOULD be able to authenticate and authorize devices providing measurements and, if possible, verify that the presented measurements are likely to be the actual physical values measured by that client. These security procedures rely on the type of positioning being done, and may not be technically feasible in all cases.
1) 第三方可以猜测或得出特定设备的测量值,并使用它们来获取该设备的位置。为降低此风险,LG应能够认证和授权提供测量的设备,并在可能的情况下验证所提供的测量值可能是该客户测量的实际物理值。这些安全程序取决于正在进行的定位类型,在所有情况下可能在技术上都不可行。
2) By eavesdropping, a third party may be able to obtain measurements sent by the Device itself that indicate the rough position of the Device. To mitigate this risk, protocols used for positioning MUST provide confidentiality and integrity protections in order to prevent observation and modification of transmitted positioning data while en route between the Target and the LG.
2) 通过窃听,第三方可能能够获得设备本身发送的指示设备大致位置的测量值。为了降低这一风险,用于定位的协议必须提供保密性和完整性保护,以防止在目标和LG之间的途中观察和修改传输的定位数据。
If an LG or a Target chooses to act as an LS, it inherits the security requirements for an LS, described in Section 4.2.5.
如果LG或目标公司选择充当LS,则其将继承第4.2.5节所述的LS安全要求。
When an entity receives location information (from an LG or an LS) and redistributes it to other entities, it acts as an LS. Location Distribution is the process by which one or more LSes provide LOs to LRs in a privacy-preserving manner.
当实体接收到位置信息(来自LG或LS)并将其重新分发给其他实体时,它将充当LS。位置分配是一个或多个LSE以保护隐私的方式向LRs提供服务水平的过程。
The role of an LS is thus two-fold: First, it must collect location information and Rules that control access to that information. Rules can be communicated within an LO, within a protocol that carries LOs, or through a separate protocol that carries Rules. Second, the LS must process requests for location information and apply the Rules to these requests in order to determine whether it is authorized to fulfill them by returning location information.
因此,LS的作用有两个方面:首先,它必须收集位置信息和控制对该信息访问的规则。规则可以在LO内、承载LO的协议内或通过承载规则的单独协议进行通信。其次,LS必须处理位置信息请求,并将规则应用于这些请求,以确定是否有权通过返回位置信息来完成这些请求。
An LS thus has at least two types of interactions with other hosts, namely receiving and sending LOs. An LS may optionally implement a third interaction, allowing Rule Makers to provision it with Rules. The distinction between these two cases is important in practice, because it determines whether the LS has a direct relationship with a Rule Maker: An LS that accepts Rules directly from a Rule Maker has such a relationship, while an LS that acquires all its Rules through LOs does not.
因此,LS与其他主机之间至少有两种类型的交互,即接收和发送LOs。LS可以选择性地实现第三个交互,允许规则制定者为其提供规则。这两种情况之间的区别在实践中很重要,因为它决定了LS是否与规则制定者有直接关系:直接接受规则制定者规则的LS具有这种关系,而通过LOs获取其所有规则的LS则不具有这种关系。
Privacy Rules are the central mechanism in Geopriv for maintaining a Target's privacy, because they provide a recipient of an LO (an LS or LR) with information on how the LO may be used.
隐私规则是Geopriv中维护目标隐私的核心机制,因为它们为LO(LS或LR)的接收者提供了有关如何使用LO的信息。
Throughout the Geopriv architecture, Privacy Rules are communicated in rules languages with a defined syntax and semantics. For example, the Common Policy rules language has been defined [6] to provide a framework for broad-based rule specifications. Geopriv Policy [7] defines a language for creating location-specific rules. The XML Configuration Access Protocol (XCAP) [8] can be used as a protocol to install rules in both of these formats.
在整个Geopriv体系结构中,隐私规则以规则语言(具有定义的语法和语义)进行通信。例如,定义了公共策略规则语言[6],为基础广泛的规则规范提供了框架。Geopriv策略[7]定义了用于创建位置特定规则的语言。XML配置访问协议(XCAP)[8]可用作协议来安装这两种格式的规则。
Privacy Rules follow a default-deny pattern: an empty set of Rules implies that all requests for location information should be denied, except requests made by the Target itself. Each Rule adds to the set, granting a specific permission. Adding a Rule can only augment privacy protections because all Rules are positive grants of permission.
隐私规则遵循默认的拒绝模式:一组空规则意味着应该拒绝对位置信息的所有请求,但目标本身发出的请求除外。每个规则都会添加到集合中,并授予特定的权限。添加规则只能增强隐私保护,因为所有规则都是正向授予的权限。
The following are examples of Privacy Rules governing location distribution:
以下是管理位置分布的隐私规则示例:
o Retransmit location information when requested from example.com.
o 从example.com请求时重新传输位置信息。
o Retransmit only city and country.
o 仅重新传输城市和国家。
o Retransmit location information with no less than a 100-meter radius of uncertainty.
o 在不确定半径不小于100米的情况下重新传输位置信息。
o Retransmit location information only for the next two weeks.
o 仅在接下来的两周内重新传输位置信息。
LSes enforce Privacy Rules in two ways: by denying requests for location information, or by transforming the location information before retransmitting it.
LSE通过两种方式实施隐私规则:拒绝位置信息请求,或在重新传输位置信息之前转换位置信息。
LSes may also receive Rules governing location retention, such as "Retain location only for 48 hours". Such Rules are simply directives about how long the Target's location information can be retained.
伦敦证交所还可能收到管理地点保留的规则,如“仅保留地点48小时”。这些规则只是关于目标位置信息可以保留多长时间的指令。
Privacy Rules can govern the behavior of both LSes and LRs. Rules that direct LSes about how to treat a Target's location information are known as Local Rules. Local Rules are used internally by the LS to handle requests from LRs. They are not distributed to LRs.
隐私规则可以控制LSE和LRs的行为。指导LSE如何处理目标位置信息的规则称为本地规则。本地规则由LS在内部用于处理来自LRs的请求。它们不分发给LRs。
Forwarded Rules, on the other hand, travel inside LOs and direct LSes and LRs about how to handle the location information they receive. Because the Rules themselves may reveal potentially sensitive information about the Target, only the minimal subset of Forwarded Rules necessary to handle the LO is distributed.
另一方面,转发规则在服务水平内运行,并指导LSE和LRs如何处理接收到的位置信息。由于规则本身可能会揭示有关目标的潜在敏感信息,因此仅分发处理LO所需的转发规则的最小子集。
An example can illustrate the interaction between Local Rules and Forwarded Rules. Suppose Alice provides the following Local Rules to an LS:
示例可以说明本地规则和转发规则之间的交互。假设Alice向LS提供以下本地规则:
o The LS may retransmit Alice's precise location to Bob, who in turn is permitted to retain the location information for one month.
o LS可以将Alice的精确位置重新传输给Bob,Bob可以将位置信息保留一个月。
o The LS may retransmit Alice's city, state, and country to Steve, who in turn is permitted to retain the location information for one hour.
o LS可以将Alice的城市、州和国家重新传输给Steve,Steve可以保留位置信息一小时。
o The LS may retransmit Alice's country to a photo-sharing Web site, which in turn is permitted to retain the location information for one year and retransmit it to any requesters.
o LS可以将Alice的国家/地区重新传输到照片共享网站,该网站允许将位置信息保留一年,并将其重新传输给任何请求者。
When Steve asks for Alice's location, the LS can transmit to Steve the limited location information (city, state, and country) along with Forwarded Rules instructing Steve to (a) not further retransmit Alice's location information, and (b) only retain the location information for one hour. By only sending these specifically applicable Forwarded Rules to Steve (as opposed to the full set of Local Rules), the LS is protecting Alice's privacy by not disclosing to Steve that (for example) Alice allows Bob to obtain more precise location information than Alice allows Steve to receive.
当Steve询问Alice的位置时,LS可以向Steve发送有限的位置信息(城市、州和国家)以及转发的规则,指示Steve(a)不再重新传输Alice的位置信息,以及(b)仅保留位置信息一小时。LS只向Steve发送这些特别适用的转发规则(与全套本地规则相反),不向Steve透露(例如)Alice允许Bob获得比Alice允许Steve接收的更精确的位置信息,以此保护Alice的隐私。
Geopriv is designed to be usable even by devices with constrained processing capabilities. To ensure that Forwarded Rules can be processed on constrained devices, LOs are required to carry only a limited set of Forwarded Rules, with an option to reference a more robust set of external Rules. The limited Rule set covers two privacy aspects: how long the Target's location may be retained ("Retention"), and whether or not the Target's location may be retransmitted ("Retransmission"). An LO may contain a pointer to more robust Rules, such as those shown in the set of four Rules at the beginning of this section.
Geopriv设计为即使是处理能力受限的设备也可以使用。为确保转发规则可在受约束的设备上处理,服务水平仅需携带一组有限的转发规则,并可选择引用一组更可靠的外部规则。有限规则集涵盖两个隐私方面:目标位置可以保留多长时间(“保留”),以及目标位置是否可以重新传输(“重新传输”)。LO可能包含指向更健壮规则的指针,如本节开头的四条规则集所示。
Some entities performing the LG role are designed only to provide Targets with their own locations, as opposed to distributing a Target's location to others. The process of providing a Target with its own location is known within Geopriv as Location Configuration. The term "Location Information Server" (LIS) is often used to describe the entity that performs this function. However, a LIS may also perform other functions, such as providing a Target's location to other entities.
某些执行LG角色的实体仅设计为向目标提供其自己的位置,而不是将目标的位置分发给其他实体。为目标提供其自身位置的过程在Geopriv中称为位置配置。术语“位置信息服务器”(LIS)通常用于描述执行此功能的实体。然而,LIS还可以执行其他功能,例如向其他实体提供目标的位置。
A Location Configuration Protocol (LCP) [9] is one mechanism that can be used by a Device to discover its own location from a LIS. LCPs provide functions in the way they obtain, transport, and deliver location requests and responses between a LIS and a Device such that the LIS can trust that the location requests and responses handled via the LCP are in fact from/to the Target. Several LCPs have been developed within Geopriv [10] [11] [12] [13].
位置配置协议(LCP)[9]是一种设备可用于从LIS中发现其自身位置的机制。LCP以其在LIS和设备之间获取、传输和传递位置请求和响应的方式提供功能,以便LIS可以相信通过LCP处理的位置请求和响应实际上是从/到目标的。Geopriv[10][11][12][13]内开发了多个LCP。
A LIS whose sole purpose is to perform Location Configuration need only follow a simple privacy-preserving policy: transmit a Target's location only to the Target itself. This is known as the "LCP policy".
仅用于执行位置配置的LIS只需遵循一个简单的隐私保护策略:仅将目标位置传输给目标本身。这被称为“LCP政策”。
Importantly, if an LS is also serving in the role of LG and it has not been provisioned with Privacy Rules for a particular Target, it MUST follow the LCP policy, whether it is a LIS or not. In the positioning phase, an entity serving the roles of both LG and LS that has not received Privacy Rules must follow this policy. The same is true for any LS in the distribution phase.
重要的是,如果LS同时担任LG的角色,且未为特定目标提供隐私规则,则无论其是否为LIS,都必须遵守LCP政策。在定位阶段,同时担任LG和LS角色且未收到隐私规则的实体必须遵守本政策。分布阶段的任何LS也是如此。
The location distribution process occurs through a series of transmissions of LOs: transmissions of location "by value". Location "by value" can be expressed in terms of geodetic location data (latitude, longitude, altitude, etc.) and civic location data (street, city, state, etc.).
位置分配过程通过一系列服务水平传输发生:位置“按价值”传输。位置“按值”可以用大地测量位置数据(纬度、经度、海拔等)和城市位置数据(街道、城市、州等)表示。
A location can also be distributed "by reference", where a reference is represented by a URI that can be dereferenced to obtain the LO. This document summarizes the properties of location-by-reference that are discussed at length in [14].
还可以“通过引用”分发位置,其中引用由URI表示,URI可以被解引用以获得LO。本文件总结了参考文献中详细讨论的位置属性。
Distribution of location-by-reference (distribution of location URIs) offers several benefits. Location URIs are a more compact way of transmitting location information, since URIs are usually smaller than LOs. A recipient of location information can make multiple requests to a URI over time to receive updated location information if the URI is configured to provide a fresh location rather than a single "snapshot".
按引用分发位置(分发位置URI)有几个好处。位置URI是传输位置信息的一种更紧凑的方式,因为URI通常比LOs小。如果将URI配置为提供新位置而不是单个“快照”,则位置信息的接收者可以随时间向URI发出多个请求以接收更新的位置信息。
From a positioning perspective, location-by-reference can offer the additional benefit of "just in time" positioning. If a location is distributed by reference, an entity acting as a combined LG/LS only needs to perform positioning operations when a recipient dereferences a previously distributed URI.
从定位的角度来看,参考定位可以提供“及时”定位的额外好处。如果位置是通过引用分发的,则当收件人取消引用以前分发的URI时,充当组合LG/LS的实体只需要执行定位操作。
From a privacy perspective, distributing a location as a URI instead of as an LO can help protect privacy by forcing each recipient of the location to request location information from the referenced LS, which can then apply access controls individually to each recipient. But the benefit provided here is contingent on the LS applying access controls. If the LS does not apply an access control policy to requests for a location URI (in other words, if it enforces the "possession model" defined in [14]), then transmitting a location URI presents the same privacy risks as transmitting the LO itself. Moreover, the use of location URIs without access controls can introduce additional privacy risks: If URIs are predictable, an attacker to whom the URI has not been sent may be able to guess the URI and use it to obtain the referenced LO. To mitigate this, location URIs without access controls need to be constructed so that they contain a random component with sufficient entropy to make guessing infeasible.
从隐私角度来看,将位置作为URI而不是LO分发有助于保护隐私,方法是强制位置的每个收件人从引用的LS请求位置信息,然后LS可以对每个收件人单独应用访问控制。但是这里提供的好处取决于LS应用访问控制。如果LS不对位置URI的请求应用访问控制策略(换句话说,如果LS强制执行[14]中定义的“占有模型”),则传输位置URI与传输LO本身具有相同的隐私风险。此外,在没有访问控制的情况下使用位置URI可能会带来额外的隐私风险:如果URI是可预测的,未向其发送URI的攻击者可能会猜测URI并使用它获取引用的LO。为了缓解这种情况,需要构造没有访问控制的位置URI,以便它们包含具有足够熵的随机组件,从而使猜测不可行。
Location information MUST be accompanied by Rules throughout the distribution process. Otherwise, a recipient will not know what uses are authorized, and will not be able to use the LO. Consequently, LOs MUST be able to express Rules that convey appropriate authorizations.
在整个分发过程中,位置信息必须附有规则。否则,收件人将不知道授权的用途,并且将无法使用LO。因此,服务水平必须能够表达传达适当授权的规则。
An LS MUST only accept Rules from authorized Rule Makers. For an LS that receives Rules exclusively in LOs and has no direct relationship with a Rule Maker, this requirement is met by applying the Rules provided in an LO to the distribution of that LO. For an LS with a direct relationship to a Rule Maker, this requirement means that the LS MUST be configurable with an RM authorization policy. An LS SHOULD define a prescribed set of RMs that may provide Rules for a given Target or LO. For example, an LS may only allow the Target to set Rules for itself, or it might allow an RM to set Rules for several Targets (e.g., a parent for children, or a corporate security officer for employees).
LS只能接受来自授权规则制定者的规则。对于仅在LO中接收规则且与规则制定者没有直接关系的LS,通过将LO中提供的规则应用于该LO的分发来满足此要求。对于与规则制定者有直接关系的LS,此要求意味着必须使用RM授权策略配置LS。LS应定义一组规定的RMs,这些RMs可为给定目标或LO提供规则。例如,LS可能只允许目标为自己设置规则,或者它可能允许RM为多个目标(例如,为子女设置家长,或为员工设置公司安全官员)设置规则。
No matter how Rules are provided to an LS, for each LO it receives, it MUST combine all Rules that apply to the LO into a Rule set that defines which transmissions are authorized, and it MUST transmit location information only in ways that are authorized by these Rules.
无论规则如何提供给LS,对于它接收到的每个LO,它必须将适用于LO的所有规则组合成一个规则集,该规则集定义哪些传输被授权,并且它必须仅以这些规则授权的方式传输位置信息。
An LS that receives Rules exclusively through LOs MUST examine the Rules that accompany a given LO in order to determine how the LS may use the LO. If any Rules are included by reference, the LS SHOULD attempt to download them. If the LO includes no Rules that allow the LS to transmit the LO to another entity, then the LS MUST NOT transmit the LO. If the LO contains no Rules at all -- for example,
仅通过LO接收规则的LS必须检查给定LO附带的规则,以确定LS如何使用LO。如果通过引用包含任何规则,则LS应尝试下载这些规则。如果LO不包括允许LS将LO传输至另一实体的规则,则LS不得传输LO。如果LO根本不包含任何规则,例如,
if it is in a format with no Rules syntax -- then the LS MUST delete it. Emergency services provide an exception in that Rules can be implicit; see [15]). If the LO included Rules by reference, but these Rules were not obtained for any reason, the LS MUST NOT transmit the LO and MUST adhere to the provided value in the retention-expires field.
如果它的格式没有规则语法,那么LS必须删除它。应急服务提供了一个例外,因为规则可能是隐含的;见[15])。如果LO通过引用包含规则,但由于任何原因未获取这些规则,则LS不得传输LO,并且必须遵守retention expires字段中提供的值。
An LS that receives Rules both directly from one or more Rule Makers and through LOs MUST combine the Rules in a given LO with Rules it has received from the RMs. The strategy the LS uses to combine these sets of Rules is a matter for local policy, depending on the relative priority that the LS grants to each source of Rules. Some example policies are:
直接从一个或多个规则制定者和通过LO接收规则的LS必须将给定LO中的规则与其从RMs接收的规则相结合。LS用于组合这些规则集的策略取决于本地策略,取决于LS授予每个规则源的相对优先级。一些示例政策包括:
Union: A transmission of location information is authorized if it is authorized by either a rule in the LO or an RM-provided rule.
联合:如果位置信息的传输是由LO中的规则或RM提供的规则授权的,则该传输是授权的。
Intersection: A transmission of location information is authorized if it is authorized by both a rule in the LO and an RM-provided rule.
交叉口:如果位置信息的传输由LO中的规则和RM提供的规则授权,则该位置信息的传输是授权的。
RM Override: A transmission of location information is authorized if it is authorized by an RM-provided rule, regardless of the LO Rules.
RM覆盖:如果位置信息的传输是由RM提供的规则授权的,则无论LO规则如何,都会被授权。
LO Override: A transmission of location information is authorized if it is authorized by an LO-provided rule, regardless of the RM Rules.
LO覆盖:如果位置信息的传输是由LO提供的规则授权的,则无论RM规则如何,位置信息的传输都是授权的。
The default combination policy for an LS that receives multiple rule sets is to combine them according to procedures in Section 10 of RFC 4745 [6]. Privacy rules always grant access; i.e., the default is to deny access, and rules specify conditions under which access is allowed. Thus, when an LS is provided more than one policy document that applies to a given LO, it has been instructed to provide access when any of the rules apply. That is, the "Union" policy is the default policy for an LS with multiple sources of policy. An LS MAY choose to apply a more restrictive policy by ignoring some of the grants of permission in the privacy rules provided. The "Intersection" policy and both "Override" policies listed above are of this latter character.
接收多个规则集的LS的默认组合策略是根据RFC 4745[6]第10节中的程序组合它们。隐私规则总是允许访问;i、 例如,默认设置是拒绝访问,规则指定允许访问的条件。因此,当向LS提供多个适用于给定LO的策略文档时,已指示其在任何规则适用时提供访问。也就是说,“联合”策略是具有多个策略源的LS的默认策略。LS可以通过忽略所提供的隐私规则中的某些许可授予来选择应用更具限制性的策略。上面列出的“交叉点”策略和两个“覆盖”策略都属于后一种性质。
Protocols that are used for managing rules should allow an RM to retrieve from the LS the set of rules that will ultimately be applied. For example, in the basic HTTP-based protocol defined in [16], an RM can use a GET request to retrieve the policy being applied by the LS and a PUT request to specify new rules.
用于管理规则的协议应允许RM从LS检索最终将应用的规则集。例如,在[16]中定义的基于HTTP的基本协议中,RM可以使用GET请求检索LS应用的策略,并使用PUT请求指定新规则。
Different policies may be applicable in different scenarios. In cases where an external RM is more trusted than the source of the LO, the "RM Override" policy may be suitable (for example, if the external RM is the Target and the LO is provided by a third party). Conversely, the "LO Override" policy is better suited to cases where the LO provider is more trusted than the RM, for example, if the RM is the user of a mobile device LS and the LO contains Rules from the RM's parents or corporate security office. The "Intersection" policy takes the strictest view of the permission grants, giving equal weight to all RMs (including the LO creator).
不同的策略可能适用于不同的场景。在外部RM比LO源更受信任的情况下,“RM覆盖”策略可能适用(例如,如果外部RM是目标,而LO由第三方提供)。相反,“LO覆盖”策略更适合于LO提供者比RM更受信任的情况,例如,如果RM是移动设备LS的用户,并且LO包含来自RM的父母或公司安全办公室的规则。“交叉点”策略对许可授予采取最严格的观点,给予所有RM(包括LO创建者)同等的权重。
Each of these policies will also have different privacy consequences. Following the "Intersection" policy ensures that the most privacy-protective subset of all RMs' rules will be followed. The "Union" policy and both "Override" policies may defy the expectations of any RM (including, potentially, the Target) whose policy is not followed. For example, if a Target acting as an RM sets Rules and those Rules are overridden by the application of a more permissive LO Override policy that has been set by the Target's parent or employer acting as an RM, the retransmission or retention of the Target's data may come as a surprise to the Target. For this reason, it is RECOMMENDED that LSes provide a way for RMs to be able to find out which policy will be applied to the distribution of a given LO.
这些政策中的每一项都会产生不同的隐私后果。遵循“交叉点”策略可确保遵守所有RMs规则中最具隐私保护的子集。“联盟”政策和两种“覆盖”政策可能会违背其政策未得到遵守的任何RM(可能包括目标公司)的期望。例如,如果作为RM的目标公司设置了规则,并且这些规则被作为RM的目标公司的母公司或雇主设置的更宽松的LO覆盖策略的应用所覆盖,则目标公司的数据的重新传输或保留可能会让目标公司感到意外。因此,建议LSE为RM提供一种方法,以便能够找出将应用于给定LO分发的策略。
An LS's decisions about how to transmit a location are based on the identities of entities requesting information and other aspects of requests for a location. In order to ensure that these decisions are made properly, the LS needs assurance of the reliability of information on the identities of the entities with which the LS interacts (including LRs, LSes, and RMs) and other information in the request.
LS关于如何传输位置的决定基于请求信息的实体的身份和位置请求的其他方面。为了确保正确做出这些决策,LS需要确保与LS交互的实体(包括LRs、LSE和RMs)的身份信息以及请求中的其他信息的可靠性。
Protocols to convey LOs and protocols to convey Rules MUST provide information on the identity of the recipient of location information and the identity of the RM, respectively. In order to ensure the validity of this information, these protocols MUST allow for mutual authentication of both parties, and MUST provide integrity protection for protocol messages. These security features ensure that the LG has sufficient information (and sufficiently reliable information) to make privacy decisions.
传达LOs的协议和传达规则的协议必须分别提供关于位置信息接收者身份和RM身份的信息。为了确保该信息的有效性,这些协议必须允许双方相互认证,并且必须为协议消息提供完整性保护。这些安全功能确保LG拥有足够的信息(以及足够可靠的信息)来做出隐私决策。
As they travel through the Internet, LOs necessarily pass through a sequence of intermediaries, ranging from layer-2 switches to IP routers to application-layer proxies and gateways. The ability of an LS to protect privacy by making access control decisions is reduced if these intermediaries have access to an LO as it travels between privacy-preserving entities.
当它们通过互联网时,LOs必须通过一系列中介,从第二层交换机到IP路由器,再到应用层代理和网关。如果这些中间人能够在LO在隐私保护实体之间移动时访问LO,则LS通过作出访问控制决策来保护隐私的能力会降低。
Ideally, LOs SHOULD be transmitted with confidentiality protection end-to-end between an LS that transmits location information and the LR that receives it. In some cases, the protocol conveying an LO provides confidentiality protection as a built-in security solution for its signaling (and potentially its data traffic). In this case, carrying an unprotected LO within such an encrypted channel is sufficient. Many protocols, however, are offering communication modes where messages are either unprotected or protected on a hop-by-hop basis (for example, between intermediaries in a store-and-forward protocol). In such a case, it is RECOMMENDED that the protocol allow for the use of encrypted LOs, or for the transmission of a reference to a location in place of an LO [14].
理想情况下,LOs应在传输位置信息的LS和接收位置信息的LR之间进行端到端的保密保护传输。在某些情况下,传输LO的协议提供机密性保护,作为其信令(以及潜在的数据流量)的内置安全解决方案。在这种情况下,在这样一个加密信道中携带一个未受保护的LO就足够了。然而,许多协议都提供了通信模式,其中消息要么不受保护,要么逐跳受到保护(例如,在存储转发协议的中间层之间)。在这种情况下,建议协议允许使用加密的LO,或允许传输对某个位置的引用以代替LO[14]。
The primary privacy requirement of an LR is to constrain its usage of location information to the set of uses authorized by the Rules in an LO. If an LR only uses an LO in ways that have minimal privacy impact -- specifically, if it does not transmit the LO to any other entity, and does not retain the LO for longer than is required to complete its interaction with the LS -- then no further action is necessary for the LR to comply with Geopriv requirements.
LR的主要隐私要求是将其位置信息的使用限制为LO中规则授权的一组使用。如果LR仅以对隐私影响最小的方式使用LO——具体而言,如果它不将LO传输给任何其他实体,并且LO的保留时间不超过完成与LS的交互所需的时间——则LR无需采取进一步的行动来遵守Geopriv要求。
As an example of this simplest case, if an LR (a) receives a location, (b) immediately provides to the Target information or a service based on the location, (c) does not retain the information, and (d) does not retransmit the location to any other entity, then the LR will comply with any set of Rules that are permissible under Geopriv. Thus, a service that, for example, only provides directions to the closest bookstore in response to an input of a location, and promptly then discards the input location, will be in compliance with any Geopriv Rule set.
作为最简单情况的一个示例,如果LR(a)接收到位置,(b)立即向目标提供基于位置的信息或服务,(c)不保留信息,并且(d)不将位置重新传输给任何其他实体,则LR将遵守Geopriv允许的任何规则集。因此,一项服务,例如,仅响应位置输入而向最近的书店提供方向,然后立即丢弃输入位置,将符合任何Geopriv规则集。
LRs that make other uses of an LO (e.g., those that store LOs or send them to other service providers to obtain location-based services) MUST meet the requirements below to assure that these uses are authorized.
对LO进行其他用途的LR(例如,存储LO或将LO发送给其他服务提供商以获得基于位置的服务的LR)必须满足以下要求,以确保这些用途得到授权。
The principal privacy requirement for LRs is to follow usage rules. Any LR that wants to retransmit or retain the LO is REQUIRED to examine the rules included with that LO. Any usage the LR makes of the LO MUST be explicitly authorized by these Rules. Since Rules are positive grants of permission, any action not explicitly authorized is denied by default.
LRs的主要隐私要求是遵守使用规则。任何想要重新传输或保留LO的LR都需要检查该LO中包含的规则。LR对LO的任何使用必须得到这些规则的明确授权。由于规则是对权限的正向授予,因此默认情况下拒绝任何未明确授权的操作。
Since the LR role does not involve transmission of location information, there are no protocol security considerations required to support privacy, other than ensuring that data does not leak unintentionally due to security breaches.
由于LR角色不涉及位置信息的传输,因此除了确保数据不会因安全漏洞而意外泄漏之外,不需要考虑支持隐私的协议安全因素。
Aside from privacy, LRs often require some assurance that an LO is reliable (assurance of the integrity, authenticity, and validity of an LO), since LRs use LOs in order to deliver location-based services. Threats against this reliability, and corresponding mitigations, are discussed in "Security Considerations" below.
除了隐私之外,LRs通常需要确保LO是可靠的(保证LO的完整性、真实性和有效性),因为LRs使用LO来提供基于位置的服务。针对这种可靠性的威胁以及相应的缓解措施将在下面的“安全注意事项”中讨论。
Security considerations related to the privacy of LOs are discussed throughout this document. In this section, we summarize those concerns and consider security risks not related to privacy.
本文件中讨论了与LOs隐私相关的安全注意事项。在这一节中,我们总结这些关注点,并考虑与隐私无关的安全风险。
The life cycle of an LO often consists of a series of location transmissions. Protocols that carry location information can provide strong assurances, but only for a single segment of the LO's life cycle. In particular, a protocol can provide integrity protection and confidentiality for the data exchanged, and mutual authentication of the parties involved in the protocol, by using a secure transport such as IPSec [17] or Transport Layer Security (TLS) [18].
LO的生命周期通常由一系列位置传输组成。携带位置信息的协议可以提供强有力的保证,但仅限于LO生命周期的一个部分。具体而言,协议可以通过使用诸如IPSec[17]或传输层安全性(TLS)[18]之类的安全传输,为交换的数据提供完整性保护和机密性,并为协议中涉及的各方提供相互认证。
Additionally, if (1) the protocol provides mutual authentication for every segment, and (2) every entity in the location distribution chain exchanges information only with entities with whom it has a trust relationship, entities can transitively obtain assurances regarding the origin and ultimate destination of the LO. Of course, direct assurances are always preferred over assurances requiring transitive trust, since they require fewer assumptions.
此外,如果(1)协议为每个段提供相互认证,并且(2)位置分配链中的每个实体仅与其具有信任关系的实体交换信息,则实体可以传递地获得关于LO的起源和最终目的地的保证。当然,直接保证总是优先于需要传递性信任的保证,因为它们需要的假设更少。
Using protocol mechanisms alone, the entities can receive assurances only about a single hop in the distribution chain. For example, suppose that an LR receives location information from an LS over an integrity- and confidentiality-protected channel. The LR knows that
仅使用协议机制,实体只能在分发链中获得关于单跳的保证。例如,假设LR通过完整性和机密性保护通道从LS接收位置信息。LR知道这一点
the transmitted LO has not been modified or observed en route. However, the assurances provided by the protocol do not guarantee that the transmitted LO was not corrupted before it was sent to the LS (by a previous LS, for example). Likewise, the LR can verify that the LO was transmitted by the LS, but cannot verify the origin of the LO if it did not originate with the LS.
传输的LO在途中未被修改或观察到。但是,协议提供的保证不能保证传输的LO在发送到LS(例如,由前一个LS)之前没有损坏。同样,LR可以验证LO是否由LS发送,但如果LO不是由LS发送的,则无法验证LO的来源。
Security mechanisms in protocols are thus unable to provide direct assurances over multiple transmissions of an LO. However, the transmission of a location "by reference" can be used to effectively turn multi-hop paths into single-hop paths. If the multiple transmissions of an LO are replaced by multiple transmissions of a URI (a multi-hop dissemination channel), the LO need only traverse a single hop, namely the dereference transaction between the LR and the dereference server. The requirements for securing a location passed by reference [14] are applicable in this case.
因此,协议中的安全机制无法对LO的多个传输提供直接保证。然而,“通过引用”位置的传输可用于有效地将多跳路径转变为单跳路径。如果LO的多个传输被URI(多跳传播信道)的多个传输替换,则LO只需要遍历单个跳,即LR和解引用服务器之间的解引用事务。在这种情况下,通过参考文献[14]确定位置的要求适用。
The major threats to the security of LOs can be grouped into two categories. First, threats against the integrity and authenticity of LOs can expose entities that rely on LOs. Second, threats against the confidentiality of LOs can allow unauthorized access to location information.
对当地办事处安全的主要威胁可分为两类。首先,对LOs完整性和真实性的威胁可能会暴露依赖LOs的实体。第二,对LOs保密性的威胁可允许未经授权访问位置信息。
An LO contains four essential types of information: identifiers for the described Target, location information, timestamps, and Rules. By grouping values of these various types together within a single structure, an LO encodes a set of bindings among them. That is, the LO asserts that the identified Target was present at the given location at the given time and that the given Rules express the Target's desired policy at that time for the distribution of his location. Below, we provide a description of the assurances required by each party involved in the location distribution in order to mitigate the possible attacks on these bindings.
LO包含四种基本类型的信息:所描述目标的标识符、位置信息、时间戳和规则。通过在单个结构中将这些不同类型的值分组在一起,LO对它们之间的一组绑定进行编码。也就是说,LO断言所识别的目标在给定的时间存在于给定的位置,并且给定的规则表示目标在该时间对于其位置的分布的期望策略。下面,我们将描述参与位置分发的各方所需的保证,以减轻对这些绑定的可能攻击。
Rule Maker: The Rule Maker is responsible for creating the Target's Privacy Rules and for uploading them to the LSes. The primary assurance required by the Rule Maker is that the Target's Privacy Rules are correctly associated with the Target's identity when they are conveyed to each LS that handles the LO. Ensuring the integrity of the Privacy Rules distributed to the LSes prevents rule-tampering attacks. In many circumstances, the privacy policy of the Target may itself be sensitive information; in these cases, the Rule Maker also requires the assurance that the binding between the Target's identity and the Target's Privacy Rules are not deducible by anyone other than an authorized LS.
规则制定者:规则制定者负责创建目标公司的隐私规则并将其上传至LSE。规则制定者要求的主要保证是,当目标的隐私规则被传送到处理LO的每个LS时,目标的隐私规则与目标的身份正确关联。确保分发给LSE的隐私规则的完整性可防止规则篡改攻击。在许多情况下,目标公司的隐私政策本身可能是敏感信息;在这些情况下,规则制定者还需要确保目标身份和目标隐私规则之间的约束不可由授权LS以外的任何人推断。
Location Server: The Location Server is responsible for enforcing the Target's Privacy Rules. The first assurance required by the LS is that the binding between the Target's Privacy Rules and the Target's identity is authentic. Authenticating and authorizing the Rule Maker who creates, updates, and deletes the Privacy Rules prevents rule-tampering attacks. The LS has to ensure that the authorization policies are not exposed to third parties, if so desired by the Rule Maker and when the rules themselves are privacy-sensitive.
位置服务器:位置服务器负责执行目标的隐私规则。LS要求的第一个保证是目标隐私规则和目标身份之间的绑定是真实的。对创建、更新和删除隐私规则的规则制定者进行身份验证和授权可防止规则篡改攻击。LS必须确保授权策略不会暴露给第三方,如果规则制定者需要,并且当规则本身对隐私敏感时。
Location Recipient: The Location Recipient is the consumer of the LO. The LR thus requires assurances about the authenticity of the bindings between the Target's location, the Target's identity, and the time. Ensuring the authenticity of these bindings helps to prevent various attacks, such as falsifying the location, modifying the timestamp, faking the identity, and replaying LOs.
地点接收者:地点接收者是LO的消费者。因此,LR需要保证目标位置、目标身份和时间之间绑定的真实性。确保这些绑定的真实性有助于防止各种攻击,例如伪造位置、修改时间戳、伪造身份和重播LOs。
Location Generator: The primary assurance required by the Location Generator is that the LS to which the LO is initially published is one that is trusted to enforce the Target's Privacy Rules. Authenticating the trusted LS mitigates the risk of server impersonation attacks. Additionally, the LG is responsible for the location determination process, which is also sensible from a security perspective because wrong input provided by external entities can lead to undesirable disclosure or access to location information.
位置生成器:位置生成器要求的主要保证是,LO最初发布到的LS是一个受信任的LS,可以强制执行目标的隐私规则。对受信任的LS进行身份验证可降低服务器模拟攻击的风险。此外,LG负责位置确定过程,这从安全角度来看也是合理的,因为外部实体提供的错误输入可能导致位置信息的不当披露或访问。
Assurances as to the integrity and confidentiality of a Location Object can be provided directly through the LO format. RFC 4119 [19] provides a description for the usage of Secure/Multipurpose Internet Mail Extensions (S/MIME) to integrity and confidentiality protection. Although such direct, end-to-end assurances are desirable, and these mechanisms should be used whenever possible, there are many deployment scenarios where directly securing an LO is impractical. For example, in some deployment scenarios a direct trust relationship may not exist between the creator of the Location Object and the recipient. Additionally, in a scenario where many recipients are authorized to receive a given LO, the creator of the LO cannot guarantee end-to-end confidentiality without knowing precisely which recipient will receive the LO. Many of these cases can, however, be addressed by the usage of a location-by-reference mechanism, possibly combined with an LO.
可以通过LO格式直接提供位置对象的完整性和机密性保证。RFC 4119[19]提供了使用安全/多用途Internet邮件扩展(S/MIME)来保护完整性和机密性的说明。尽管这种直接的、端到端的保证是可取的,并且应尽可能使用这些机制,但在许多部署场景中,直接保护LO是不切实际的。例如,在某些部署场景中,位置对象的创建者和收件人之间可能不存在直接信任关系。此外,在多个收件人被授权接收给定LO的情况下,LO的创建者无法保证端到端的机密性,而不知道哪个收件人将接收LO。然而,其中许多情况可以通过使用按引用定位机制(可能与LO结合)来解决。
This section contains a set of examples of how the Geopriv architecture can be deployed in practice. These examples are meant to illustrate key points of the architecture, rather than to form an exhaustive set of use cases.
本节包含如何在实践中部署Geopriv体系结构的一组示例。这些示例旨在说明体系结构的关键点,而不是形成一组详尽的用例。
For convenience and clarity in these examples, we assume that the Privacy Rules that an LO carries are equivalent to those in a Presence Information Data Format Location Object (PIDF-LO) [19] -- namely, that the principal Rules that can be set are limits on the retransmission and retention of the LO. While these two Rules are the most well-known and important examples, the specific types of Rules an LS or LR must consider will in general depend on the types of LOs it processes.
为了这些示例中的方便和清晰,我们假设LO携带的隐私规则等同于存在信息数据格式位置对象(PIDF-LO)[19]中的隐私规则——即,可以设置的主要规则是对LO的重传和保留的限制。虽然这两个规则是最著名和最重要的例子,但是LS或LR必须考虑的特定类型的规则通常取决于LOs IT过程的类型。
One of the simplest scenarios in the Geopriv architecture is when a Device determines its own location and uses that LO to request a service (e.g., by including the LO in an HTTP POST request [20] or SIP INVITE message [21]), and the server delivers that service immediately (e.g., in a 200 OK response in HTTP or SIP), without retaining or retransmitting the Device's location. The Device acts as an LG by using a Device-based positioning algorithm (e.g., manual entry) and as an LS by interpreting the rule and transmitting the LO. The Target acts as a Rule Maker by specifying that the location should be sent to the server. The server acts as an LR by receiving and using the LO.
Geopriv体系结构中最简单的场景之一是当设备确定其自身位置并使用该LO请求服务(例如,通过在HTTP POST请求[20]或SIP INVITE消息[21]中包括LO),并且服务器立即交付该服务(例如,在HTTP或SIP中的200 OK响应中),无需保留或重新传输设备的位置。该设备通过使用基于设备的定位算法(例如,手动输入)充当LG,并通过解释规则和传输LO充当LS。目标作为规则制定者,指定应将位置发送到服务器。服务器通过接收和使用LO来充当LR。
In this case, the privacy of location information is maintained in two steps: The first step is that the location is only transmitted as directed by the single Rule Maker, namely the Target. The second step is simply the fact that the server, as LR, does not do anything that creates a privacy risk -- it does not retain or retransmit the location. Because the server limits its behavior in this way, it does not need to read the Rules in the LO, even though they were provided -- no Rule would prevent it from using the location in this safe manner.
在这种情况下,位置信息的隐私性通过两个步骤来维护:第一步是仅按照单个规则制定者(即目标)的指示传输位置。第二步很简单,服务器作为LR不会做任何会造成隐私风险的事情——它不会保留或重新传输位置。因为服务器以这种方式限制其行为,所以它不需要读取LO中的规则,即使提供了这些规则——任何规则都不会阻止它以这种安全的方式使用位置。
The following outline summarizes this scenario:
以下概要总结了该场景:
o Positioning: Device-based, Device=LG
o 定位:基于设备,设备=LG
o Distribution hop 1: HTTP User Agent (UA) --> Ephemeral Web service, privacy via user indication
o 分发跃点1:HTTP用户代理(UA)-->短暂的Web服务,通过用户指示的隐私
o Use: Ephemeral Web service delivers response without retaining or retransmitting location
o 用途:短暂的Web服务在不保留或重新传输位置的情况下提供响应
o Key point:
o 重点:
* LRs that do not behave in ways that risk privacy are Geopriv-compliant by default. No further action is necessary.
* 默认情况下,不存在隐私风险的LR符合Geopriv。无需采取进一步行动。
Many location-based services are delivered over the Web, using Javascript code to orchestrate a series of HTTP requests for location-specific information. To support these applications, browser extensions have been developed that support Device-based positioning (manual entry and Global Positioning System (GPS)) and network-assisted positioning (via Assisted GPS (AGPS), and multilateration with 802.11 and cellular signals), exposing a location to Web pages through Javascript APIs.
许多基于位置的服务都是通过Web交付的,使用Javascript代码协调一系列针对特定位置信息的HTTP请求。为了支持这些应用程序,开发了浏览器扩展,支持基于设备的定位(手动输入和全球定位系统(GPS))和网络辅助定位(通过辅助GPS(AGPS)和802.11和蜂窝信号的多向定位),通过Javascript API向网页公开位置。
In this scenario, we consider a Target that uses a browser with a network-assisted positioning extension. When the Target uses this browser to request location-based services from a Web page, the browser prompts the user to grant the page permission to access the user's location. If the user grants permission, the browser extension sends 802.11 signal strength measurements to a positioning server, which then returns the position of the host. The extension constructs an LO with this location and Rules set by the user, then passes the LO to the page through its Javascript API. The page then obtains location-relevant information using an XMLHttpRequest [22] to a server in the same domain as the page and renders this information to the user.
在这种情况下,我们考虑使用网络辅助定位扩展的浏览器的目标。当目标使用此浏览器从网页请求基于位置的服务时,浏览器会提示用户授予该网页访问用户位置的权限。如果用户授予权限,浏览器扩展将802.11信号强度测量发送到定位服务器,然后定位服务器返回主机的位置。扩展使用此位置和用户设置的规则构造LO,然后通过其Javascript API将LO传递给页面。然后,页面使用XMLHttpRequest[22]向与页面位于同一域中的服务器获取位置相关信息,并将此信息呈现给用户。
At first blush, this scenario seems much more complicated than the minimal scenario above. However, most of the privacy considerations are actually the same.
乍一看,这个场景似乎比上面的最小场景复杂得多。然而,大多数隐私考虑实际上是相同的。
The positioning phase in this scenario begins when the browser extension contacts the positioning server. The positioning server acts as an LG.
此场景中的定位阶段在浏览器扩展与定位服务器联系时开始。定位服务器充当LG。
The distribution phase actually occurs entirely within the Target host. This phase begins when the positioning server, now acting as an LS, follows the LCP policy by providing the location only to the Target. The next hop in distribution occurs when the browser extension (an entity under the control of the Target) passes an LO to the Web page (an entity under the control of its author). In this phase, the browser extension acts as an LS, with the Target as the sole Rule Maker; the user interface for rule-making is effectively a
分发阶段实际上完全发生在目标主机内。当定位服务器(现在充当LS)遵循LCP策略,只向目标提供位置时,此阶段开始。当浏览器扩展(由目标控制的实体)将LO传递给网页(由其作者控制的实体)时,会发生下一跳分发。在此阶段,浏览器扩展充当LS,目标作为唯一的规则制定者;规则制定的用户界面实际上是一个
protocol for conveying Rules, and the extension's API effectively defines a way to communicate LOs and an LO format. The Web site acts as an LR when the Web page accepts the LO.
传输规则的协议,以及扩展的API有效地定义了通信LOs和LO格式的方法。当网页接受LO时,网站充当LR。
The use phase encompasses the Web site's use of the LO. In this context, the phrase "Web site" encompasses not only the Web page, but also the dedicated supporting logic behind it. Considering the entire Web site as a recipient, rather than a single page, it becomes clear that sending the LO in an XMLHttpRequest to a back-end server is like passing it to a separate component of the LR, as opposed to retransmitting it to another entity. Thus, even in this case, where location-relevant information is obtained from a back-end server, the LR does not retain or retransmit the location, so its behavior is "privacy-safe" -- it doesn't need to interpret the Rules in the LO.
使用阶段包括网站对LO的使用。在这种情况下,“网站”一词不仅包括网页,还包括其背后的专用支持逻辑。将整个网站视为收件人,而不是单个页面,很明显,将XMLHttpRequest中的LO发送到后端服务器就像将其传递到LR的单独组件,而不是将其重新传输到另一个实体。因此,即使在这种情况下,位置相关信息是从后端服务器获得的,LR也不会保留或重新传输位置,因此其行为是“隐私安全的”——它不需要解释LO中的规则。
However, consider a variation on this scenario where the Web page requests additional information (a map, for instance) from a third-party site. In this case, since location information is being transmitted to a third party, the Web site (either in the Web page or in a back-end server) would need to verify that this transmission is allowed by the LO's Privacy Rules. Similarly, if the site wanted to log the user's location information, then it would need to examine the LO to determine how long this information can be retained. In such a case, if the LR needs to do something that is not allowed by the Rules, it may have to deny service to the user, while hopefully providing a message with the reason. Nonetheless, if the Rules permit retention or retransmission, even if this retransmission is limited by access control rules, then the LR may do so to the extent the Rules allow.
然而,考虑这种情况下,Web页面请求来自第三方站点的附加信息(例如,地图)的变化。在这种情况下,由于位置信息正在传输给第三方,网站(在网页中或在后端服务器中)需要验证LO的隐私规则是否允许此传输。类似地,如果站点想要记录用户的位置信息,则需要检查LO以确定该信息可以保留多长时间。在这种情况下,如果LR需要做一些规则不允许的事情,它可能必须拒绝向用户提供服务,同时希望提供一条带有原因的消息。然而,如果规则允许保留或重传,即使该重传受到访问控制规则的限制,LR也可以在规则允许的范围内这样做。
The following outline summarizes this scenario:
以下概要总结了该场景:
o Positioning: Network-assisted, positioning server=LG
o 定位:网络辅助,定位服务器=LG
o Rule installation: RM (=Target) gives permission to sites and sets LO Rules
o 规则安装:RM(=目标)授予站点权限并设置LO规则
o Distribution hop 1: positioning server=LS --> Target, privacy via LCP policy
o 分发跃点1:定位服务器=LS-->目标,通过LCP策略保护隐私
o Distribution hop 2: Browser=LS --> Web site=LR, privacy via user confirmation
o 分发跃点2:浏览器=LS-->网站=LR,通过用户确认实现隐私
o Use: Back-end server delivers location-relevant information without further retransmission, then deletes location; privacy via safe behavior
o 用途:后端服务器无需进一步重传即可传递位置相关信息,然后删除位置;通过安全行为保护隐私
o Key points:
o 要点:
* Privacy in this scenario is provided by a combination of explicit user direction and Rules in an LO.
* 此场景中的隐私由LO中明确的用户方向和规则的组合提供。
* Distribution can occur within a host, between components that do not trust each other.
* 分发可以发生在主机内,也可以发生在互不信任的组件之间。
* Some transmissions of the location are actually internal to an LR.
* 该位置的某些传输实际上是LR内部的。
* LRs that do things that might be constrained by Rules need to verify that these actions are allowed for a particular LO.
* 执行可能受规则约束的操作的LR需要验证特定LO是否允许这些操作。
Support for emergency calls by Voice-over-IP devices is a critical use case for location information about Internet hosts. The details of the Internet architecture for emergency calling are described in [23] [24]. In this architecture, there are three critical steps in the placement of an emergency call, each involving location information:
通过IP语音设备支持紧急呼叫是有关Internet主机位置信息的关键用例。[23][24]中详细介绍了紧急呼叫的互联网架构。在此体系结构中,紧急呼叫的放置有三个关键步骤,每个步骤都涉及位置信息:
1. Determine the location of the caller.
1. 确定调用者的位置。
2. Determine the proper Public Safety Answering Point (PSAP) for the caller's location.
2. 为呼叫者的位置确定适当的公共安全应答点(PSAP)。
3. Send a SIP INVITE message, including the caller's location, to the PSAP.
3. 向PSAP发送SIP INVITE消息,包括呼叫者的位置。
The first step in an emergency call is to determine the location of the caller. This step is the positioning phase of the location life cycle. The location is determined by whatever means are available to the caller's device, or to the network, if this step is being done by a proxy. The entity doing the positioning, whether the caller or a proxy, acts as an LS, preserving the privacy of location information by only including it in emergency calls.
紧急呼叫的第一步是确定呼叫者的位置。此步骤是定位生命周期的定位阶段。如果此步骤由代理完成,则通过呼叫方设备或网络可用的任何方式确定位置。进行定位的实体(无论是呼叫者还是代理)充当LS,通过仅在紧急呼叫中包含位置信息来保护位置信息的隐私。
The second step in an emergency call encompasses location distribution and use. The entity that is routing the emergency call sends location information through the Location-to-Service Translation (LoST) Protocol [15] to a mapping server. In this role, the routing entity acts as an LS and the LoST server acts as an LR. The LO format within LoST does not allow Rules to be sent along with the location, but because LoST is an application-specific protocol, the sending of the location within a LoST message authorizes the LoST server to use the location to complete the protocol, namely to route
紧急呼叫的第二步包括位置分配和使用。路由紧急呼叫的实体通过位置到服务转换(丢失)协议[15]向映射服务器发送位置信息。在这个角色中,路由实体充当LS,丢失的服务器充当LR。LoST中的LO格式不允许将规则与位置一起发送,但由于LoST是一个特定于应用程序的协议,因此在LoST消息中发送位置授权丢失的服务器使用位置来完成协议,即路由
the message as necessary through the LoST mapping architecture [25]. That is, the LoST server is authorized to complete the LoST protocol, but to do nothing else.
必要时,通过丢失的映射体系结构将消息删除[25]。也就是说,丢失的服务器被授权完成丢失的协议,但不执行其他操作。
The third step in an emergency call is again a combination of distribution and use. The caller, or another entity that inserts the caller's location, acts as an LS, and the PSAP acts as an LR. In this specific example, the caller's location is transmitted either as a PIDF-LO or as a reference that returns a PIDF-LO, or both; in the latter case, the reference should be appropriately protected so that only the PSAP has access. In any case, the receipt of an LO implies that the PSAP should obey the Rules in those LOs in order to preserve privacy. Depending on the regulatory environment, the PSAP may have the option to ignore those constraints in order to respond to an emergency, or it may be bound to respect these Rules in spite of the emergency situation.
紧急呼叫的第三步也是分发和使用的结合。调用者或插入调用者位置的其他实体充当LS,PSAP充当LR。在这个具体示例中,调用方的位置要么作为PIDF-LO发送,要么作为返回PIDF-LO的引用发送,或者两者都发送;在后一种情况下,应该适当地保护引用,以便只有PSAP可以访问。在任何情况下,收到LO意味着PSAP应遵守这些LO中的规则,以保护隐私。根据监管环境的不同,PSAP可以选择忽略这些约束以应对紧急情况,也可以在紧急情况下遵守这些规则。
The following outline summarizes this scenario:
以下概要总结了该场景:
o Positioning: Any
o 定位:任何
o Distribution/use hop 1: Target=LS --> LoST infrastructure (no Rules), privacy via authorization implicit in protocol
o 分发/使用跃点1:Target=LS-->丢失的基础结构(无规则),通过协议中隐含的授权实现隐私
o Distribution/use hop 2: Target=LS --> PSAP, privacy via Rules in LO
o 分发/使用跃点2:Target=LS-->PSAP,通过LO中的规则保护隐私
o Use: PSAP uses location to deliver emergency services
o 用途:PSAP使用位置提供紧急服务
o Key points:
o 要点:
* Privacy in this scenario is provided by a combination of explicit user direction, implicit authorization particular to a protocol, and Rules in an LO.
* 此场景中的隐私由显式用户指示、特定于协议的隐式授权和LO中的规则的组合提供。
* LRs may be constrained to respect or ignore Privacy Rules by local regulation.
* 当地法规可能会限制LRs遵守或忽略隐私规则。
In modern Internet applications, users frequently receive information via one channel and broadcast it via another. In this sense, both users and channels (e.g., Web services) become LSes. Here we consider a more complex example that illustrates this pattern across multiple logical hops.
在现代互联网应用中,用户经常通过一个频道接收信息,并通过另一个频道进行广播。从这个意义上讲,用户和渠道(如Web服务)都成为LSE。这里我们考虑一个更复杂的例子,它说明了跨越多个逻辑跳数的这种模式。
Suppose Alice as the Target subscribes to a wireless ISP that determines her location using a network-based positioning technique, e.g., via the location of the base station serving the Target, and provides that information directly to a location-enhanced presence provider. This presence provider might use SIP, the Extensible Messaging and Presence Protocol (XMPP) [26], or another protocol). The location-enhanced presence provider allows Alice to specify Rules for how this location is distributed: which friends should receive Alice's location and what Rules they should get with it. Alice uses a few other location-enhanced services as well, so she sends Rules that allow her location to be shared with those services, and that allow those services to retain and retransmit her location.
假设Alice作为目标订阅无线ISP,该ISP使用基于网络的定位技术(例如,通过服务于目标的基站的位置)确定她的位置,并将该信息直接提供给位置增强型存在提供商。此状态提供程序可能使用SIP、可扩展消息和状态协议(XMPP)[26]或其他协议)。位置增强的状态提供程序允许Alice指定如何分发此位置的规则:哪些朋友应该接收Alice的位置,以及他们应该从中获得哪些规则。Alice还使用了一些其他位置增强服务,因此她发送规则,允许她的位置与这些服务共享,并允许这些服务保留和重新传输她的位置。
Bob is one of Alice's friends, and he receives her location via this location-enhanced presence service. Noting that she's at their favorite coffee shop, Bob wants to upload a photo of the two of them at the coffee shop to a photo-sharing site, along with an LO that marks the location. Bob checks the Rules in Alice's LO and verifies that the photo-sharing site is one of the services that Alice authorized. Seeing that Alice has authorized him to give the LO to the photo-sharing site, he attaches it to the photo and uploads it.
Bob是Alice的朋友之一,他通过此位置增强的状态信息服务接收她的位置信息。注意到她在他们最喜欢的咖啡店,鲍勃想把他们两人在咖啡店的照片上传到一个照片分享网站,并附上一个标记位置的LO。Bob检查Alice的LO中的规则,并验证照片共享站点是Alice授权的服务之一。看到Alice授权他将LO提供给照片共享站点,他将LO附加到照片并上传。
Once the geo-tagged photo is uploaded, the photo-sharing site reads the Rules in the LO and verifies that the site is authorized to store the photo and to share it with others. Since Alice has allowed the site to retransmit and retain without any constraints, the site fulfills Bob's request to make the geo-tagged photo publicly accessible.
上传带有地理标记的照片后,照片共享网站将阅读LO中的规则,并验证该网站是否有权存储照片并与其他人共享。由于Alice允许站点在没有任何限制的情况下重新传输和保留,因此该站点满足了Bob的要求,可以公开访问带有地理标记的照片。
Eve, another user of the photo-sharing site, downloads the photo of Alice and Bob at the coffee shop and receives Alice's LO along with it. Eve posts the photo and location to her public page on a social networking site without checking the Rules, even though the LO doesn't allow Eve to send the location anywhere else. The social networking site, however, observes that no retransmission or retention are allowed, both of which it needs for a public posting, and rejects the upload.
照片分享网站的另一位用户Eve在咖啡店下载了Alice和Bob的照片,并收到了Alice的LO。Eve在社交网站的公共页面上发布了照片和位置,但没有检查规则,即使LO不允许Eve将位置发送到其他地方。然而,该社交网站发现,不允许重新传输或保留信息,这两种信息都需要公开发布,并拒绝上传。
In terms of the location life cycle, this scenario consists of a positioning step, followed by four distribution hops and use. Positioning is the simplest step: An LG in Alice's ISP monitors her location and transmits it to the presence service, maintaining privacy by only transmitting the location information to a single entity to which Alice has delegated privacy responsibilities.
就位置生命周期而言,此场景包括定位步骤,然后是四个分发跃点和使用。定位是最简单的步骤:Alice的ISP中的LG监控她的位置并将其传输到状态服务,通过仅将位置信息传输给Alice授权隐私责任的单个实体来维护隐私。
The first distribution hop occurs when the presence server sends the location to Bob. In this transaction, the presence server acts as an LS, Alice acts as an RM, and Bob acts as an LR. The privacy of this transaction is assured by the fact that Alice has installed Rules on the presence server that dictate who it may allow to access her location. The second distribution hop is when Bob uploads the LO to the photo-sharing site. Here Bob acts as an LS, preserving the privacy of location information by verifying that the Rules in the LO allow him to upload it. The third distribution hop is when the photo-sharing site sends the LO to Eve, likewise following the Rules -- but a different set of Rules than for Bob, since an LO can specify different Rule sets for different LSes.
当状态服务器将位置发送给Bob时,会发生第一个分发跃点。在此事务中,状态服务器充当LS,Alice充当RM,Bob充当LR。Alice在状态服务器上安装了规则,规定允许谁访问她的位置,这一事实确保了此交易的隐私。第二个分发跃点是Bob将LO上传到照片共享站点的时候。在这里,Bob充当LS,通过验证LO中的规则是否允许他上传位置信息来保护位置信息的隐私。第三个分发跃点是照片共享站点向Eve发送LO时,同样遵循规则——但规则集与Bob不同,因为LO可以为不同的LSE指定不同的规则集。
Eve is the fourth LS in the chain, and fails to comply with Geopriv by not checking the Rules in the LO prior to uploading the LO to the social networking site. The site, however, is a responsible LR -- it checks the Rules in the LO, sees that they don't allow it to use the location as it needs to, and discards the LO.
Eve是该链中的第四个LS,在将LO上传到社交网站之前未检查LO中的规则,因此未能遵守Geopriv。然而,站点是一个负责任的LR——它检查LO中的规则,发现它们不允许它按需要使用该位置,并丢弃LO。
The following outline summarizes this scenario:
以下概要总结了该场景:
o Positioning: Network-based, LG in network, privacy via exclusive relationship with presence service
o 定位:基于网络,LG网络,通过与状态服务的独家关系实现隐私
o Distribution/use hop 1: Presence server --> Bob, privacy via Alice's access control rules
o 分发/使用跃点1:状态服务器-->Bob,通过Alice的访问控制规则保护隐私
o Distribution/use hop 2: Bob --> photo-sharing site, privacy via Rules for Bob in LO
o 分发/使用hop 2:Bob-->照片共享网站,通过LO中Bob的规则保护隐私
o Distribution/use hop 3: Photo-sharing site --> Eve, privacy via Rules for site in LO
o 分发/使用跃点3:照片共享站点-->Eve,LO中站点的隐私规则
o Distribution/use hop 4: Eve --> Social networking site, violates privacy by retransmitting
o 分发/使用hop 4:Eve-->社交网站,通过重新传输侵犯隐私
o Use: Social networking site, privacy via checking Rules and discarding
o 使用:社交网站,通过检查规则和丢弃隐私
o Key points:
o 要点:
* Privacy can be preserved through multiple hops.
* 隐私可以通过多跳来保护。
* An LO can specify different Rules for different entities.
* LO可以为不同的实体指定不同的规则。
* An LS can still disobey the Rules, but even then, the architecture still works in some cases.
* LS仍然可以违反规则,但即使如此,架构在某些情况下仍然有效。
Various security-related terms not defined here are to be understood in the sense defined in RFC 4949 [27].
此处未定义的各种安全相关术语应理解为RFC 4949[27]中定义的含义。
$ Access Control Rule
$ 访问控制规则
A rule that describes which entities may receive location information and in what form.
描述哪些实体可以接收位置信息以及以何种形式接收位置信息的规则。
$ civic location
$ 城市位置
The geographic position of an entity in terms of a postal address or civic landmark. Examples of such data are room number, street number, street name, city, postal code, county, state, and country.
就邮政地址或城市地标而言,实体的地理位置。此类数据的示例包括房间号、街道号、街道名称、城市、邮政编码、县、州和国家。
$ Device
$ 装置
The physical device, such as a mobile phone, PC, or embedded micro-controller, whose location is tracked as a proxy for the location of a Target.
物理设备,如移动电话、PC或嵌入式微控制器,其位置作为目标位置的代理进行跟踪。
$ geodetic location
$ 大地定位
The geographic position of an entity in a particular coordinate system, for example, a latitude-longitude pair.
实体在特定坐标系中的地理位置,例如经纬度对。
$ Local Rule
$ 地方规则
A Privacy Rule that directs a Location Server about how to treat a Target's location information. Local Rules are used internally by a Location Server to handle requests from Location Recipients. They are not distributed to Location Recipients.
指导位置服务器如何处理目标位置信息的隐私规则。本地规则由位置服务器在内部用于处理来自位置收件人的请求。它们不会分发给位置收件人。
$ Location Generator (LG)
$ 位置发生器(LG)
Performs the role of initially determining or gathering the location of a Target. Location Generators may be any sort of software or hardware used to obtain a Target's location. Examples include GPS chips and cellular networks.
执行最初确定或收集目标位置的任务。位置生成器可以是用于获取目标位置的任何类型的软件或硬件。例如GPS芯片和蜂窝网络。
$ Location Information Server (LIS)
$ 位置信息服务器(LIS)
An entity responsible for providing devices within an access network with information about their own locations. A Location Information Server uses knowledge of the access network and its physical topology to generate and distribute location information to devices.
负责向接入网络内的设备提供其自身位置信息的实体。位置信息服务器使用接入网络及其物理拓扑的知识来生成位置信息并将其分发给设备。
$ Location Object (LO)
$ 位置对象(LO)
A data unit that conveys location information together with Privacy Rules within the Geopriv architecture. A Location Object may convey geodetic location data (latitude, longitude, altitude), civic location data (street, city, state, etc.), or both.
在Geopriv体系结构中传输位置信息和隐私规则的数据单元。位置对象可以传递大地测量位置数据(纬度、经度、海拔)、城市位置数据(街道、城市、州等),或两者兼而有之。
$ Location Recipient (LR)
$ 地点收件人(LR)
An ultimate end-point entity to which a Location Object is distributed. Location Recipients request location information about a particular Target from a Location Server. If allowed by the appropriate Privacy Rules, a Location Recipient will receive Location Objects describing the Target's location from the Location Server.
位置对象分布到的最终端点实体。位置收件人从位置服务器请求有关特定目标的位置信息。如果适当的隐私规则允许,位置收件人将从位置服务器接收描述目标位置的位置对象。
$ Location Server (LS)
$ 位置服务器(LS)
An entity that receives Location Objects from Location Generators, Privacy Rules from Rule Makers, and location requests from Location Recipients. A Location Server applies the appropriate Privacy Rules to a Location Object received from a Location Generator and may disclose the Location Object, in compliance with the Rules, to Location Recipients.
从位置生成器接收位置对象、从规则制定者接收隐私规则以及从位置接收者接收位置请求的实体。位置服务器将适当的隐私规则应用于从位置生成器接收的位置对象,并且可以根据规则向位置接收者披露位置对象。
Location Servers may not necessarily be "servers" in the colloquial sense of hosts in remote data centers servicing requests. Rather, a Location Server can be any software or hardware component that receives and distributes location information. Examples include a positioning server (with a location interface) in an access network, a presence server, or a Web browser or other software running on a Target's device.
位置服务器不一定是为请求提供服务的远程数据中心中的主机的口语意义上的“服务器”。相反,位置服务器可以是接收和分发位置信息的任何软件或硬件组件。示例包括接入网络中的定位服务器(带位置接口)、状态服务器、网络浏览器或目标设备上运行的其他软件。
$ Privacy Rule
$ 隐私规则
A directive that regulates an entity's activities with respect to a Target's location information, including the collection, use, disclosure, and retention of the location information. Privacy Rules describe how location information may be used by an entity, the level of detail with which location information may be described to an entity, and the conditions under which location information may be disclosed to an entity. Privacy Rules are communicated from Rule Makers to Location Servers and conveyed in Location Objects throughout the Geopriv architecture.
一种指令,规定实体在目标位置信息方面的活动,包括位置信息的收集、使用、披露和保留。隐私规则描述实体如何使用位置信息、向实体描述位置信息的详细程度以及向实体披露位置信息的条件。隐私规则从规则制定者传送到位置服务器,并在整个Geopriv体系结构的位置对象中传送。
$ Rule
$ 规则
See Privacy Rule.
参见隐私规则。
$ Rule Maker (RM)
$ 规则制定者(RM)
An individual or entity that is authorized to set Privacy Rules for a Target. In some cases, a Rule Maker and a Target will be the same individual or entity, and in other cases they will be separate. For example, a parent may serve as the Rule Maker when the Target is his child. The Rule Maker is also not necessarily the owner of a Target device. For example, a corporation may own a device that it provides to an employee but permit the employee to serve as the Rule Maker and set her own Privacy Rules. Rule Makers provide the Privacy Rules associated with a Target to Location Servers.
有权为目标设置隐私规则的个人或实体。在某些情况下,规则制定者和目标将是同一个人或实体,而在其他情况下,他们将是分开的。例如,当目标是他的孩子时,父母可以充当规则制定者。规则制定者也不一定是目标设备的所有者。例如,公司可能拥有提供给员工的设备,但允许员工担任规则制定者并设置自己的隐私规则。规则制定者提供与目标位置服务器关联的隐私规则。
$ Forwarded Rule
$ 转发规则
A Privacy Rule that travels inside a Location Object. Forwarded Rules direct Location Recipients about how to handle the location information they receive. Because the Forwarded Rules themselves may reveal potentially sensitive information about a Target, only the minimal subset of Forwarded Rules necessary for a Location Recipient to handle a Location Object is distributed to the Location Recipient.
在位置对象内部传播的隐私规则。转发规则指导位置收件人如何处理他们收到的位置信息。由于转发规则本身可能会揭示有关目标的潜在敏感信息,因此只有位置收件人处理位置对象所需的最小转发规则子集才会分发给位置收件人。
$ Target
$ 目标
An individual or other entity whose location is sought in the Geopriv architecture. In many cases, the Target will be the human user of a Device, or it may be an object such as a vehicle or shipping container to which a Device is attached. In some instances, the Target will be the Device itself. The Target is the entity whose privacy Geopriv seeks to protect.
在Geopriv体系结构中寻找其位置的个人或其他实体。在许多情况下,目标将是设备的人类用户,或者它可能是设备连接到的对象,例如车辆或运输容器。在某些情况下,目标将是设备本身。目标是Geopriv寻求保护其隐私的实体。
$ Usage Rule
$ 使用规则
A rule that describes what uses of location information are authorized.
描述授权使用位置信息的规则。
Section 5 is largely based on the security investigations conducted as part of the Geopriv Layer-7 Location Configuration Protocol design team, which produced [9]. We would like to thank all the members of the design team.
第5节主要基于作为Geopriv第7层位置配置协议设计团队一部分进行的安全调查,该团队产生了[9]。我们要感谢设计团队的所有成员。
We would also like to thank Marc Linsner and Martin Thomson for their contributions regarding terminology and LCPs.
我们还要感谢Marc Linsner和Martin Thomson在术语和LCP方面的贡献。
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[1] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[2] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[2] Cuellar,J.,Morris,J.,Mulligan,D.,Peterson,J.,和J.Polk,“地质驱动要求”,RFC 3693,2004年2月。
[3] Danley, M., Mulligan, D., Morris, J., and J. Peterson, "Threat Analysis of the Geopriv Protocol", RFC 3694, February 2004.
[3] Danley,M.,Mulligan,D.,Morris,J.,和J.Peterson,“Geopriv协议的威胁分析”,RFC 36942004年2月。
[4] U.S. Department of Defense, "National Industrial Security Program Operating Manual", DoD 5220-22M, January 1995.
[4] 美国国防部,《国家工业安全计划操作手册》,国防部5220-22M,1995年1月。
[5] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV Presence Information Data Format Location Object (PIDF-LO) Usage Clarification, Considerations, and Recommendations", RFC 5491, March 2009.
[5] Winterbottom,J.,Thomson,M.,和H.Tschofenig,“GEOPRIV存在信息数据格式位置对象(PIDF-LO)使用说明、注意事项和建议”,RFC 54912009年3月。
[6] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., Polk, J., and J. Rosenberg, "Common Policy: A Document Format for Expressing Privacy Preferences", RFC 4745, February 2007.
[6] Schulzrinne,H.,Tschofenig,H.,Morris,J.,Cuellar,J.,Polk,J.,和J.Rosenberg,“共同政策:表达隐私偏好的文件格式”,RFC 47452007年2月。
[7] Schulzrinne, H., Ed., Tschofenig, H., Ed., Morris, J., Cuellar, J., and J. Polk, "Geolocation Policy: A Document Format for Expressing Privacy Preferences for Location Information", Work in Progress, March 2011.
[7] Schulzrinne,H.,Ed.,Tschofenig,H.,Ed.,Morris,J.,Cuellar,J.,和J.Polk,“地理位置政策:表达位置信息隐私偏好的文档格式”,正在进行的工作,2011年3月。
[8] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", RFC 4825, May 2007.
[8] Rosenberg,J.,“可扩展标记语言(XML)配置访问协议(XCAP)”,RFC4825,2007年5月。
[9] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location Configuration Protocol: Problem Statement and Requirements", RFC 5687, March 2010.
[9] Tschofenig,H.和H.Schulzrinne,“GEOPRIV第7层位置配置协议:问题陈述和要求”,RFC 5687,2010年3月。
[10] Polk, J., Schnizlein, J., and M. Linsner, "Dynamic Host Configuration Protocol Option for Coordinate-based Location Configuration Information", RFC 3825, July 2004.
[10] Polk,J.,Schnizlein,J.,和M.Linsner,“基于坐标的位置配置信息的动态主机配置协议选项”,RFC 3825,2004年7月。
[11] Schulzrinne, H., "Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration Information", RFC 4776, November 2006.
[11] Schulzrinne,H.,“Civic地址配置信息的动态主机配置协议(DHCPv4和DHCPv6)选项”,RFC 47762006年11月。
[12] Polk, J., "Dynamic Host Configuration Protocol (DHCP) IPv4 and IPv6 Option for a Location Uniform Resource Identifier (URI)", Work in Progress, February 2011.
[12] Polk,J.,“位置统一资源标识符(URI)的动态主机配置协议(DHCP)IPv4和IPv6选项”,正在进行的工作,2011年2月。
[13] Barnes, M., Ed., "HTTP-Enabled Location Delivery (HELD)", RFC 5985, September 2010.
[13] 巴恩斯,M.,编辑,“支持HTTP的位置传递(保留)”,RFC 59852010年9月。
[14] Marshall, R., Ed., "Requirements for a Location-by-Reference Mechanism", RFC 5808, May 2010.
[14] Marshall,R.,Ed.“通过参考机制定位的要求”,RFC 5808,2010年5月。
[15] Hardie, T., Newton, A., Schulzrinne, H., and H. Tschofenig, "LoST: A Location-to-Service Translation Protocol", RFC 5222, August 2008.
[15] Hardie,T.,Newton,A.,Schulzrinne,H.,和H.Tschofenig,“丢失:一个位置到服务的翻译协议”,RFC 5222,2008年8月。
[16] Barnes, R., Thomson, M., Winterbottom, J., and H. Tschofenig, "Location Configuration Extensions for Policy Management", Work in Progress, June 2011.
[16] Barnes,R.,Thomson,M.,Winterbottom,J.,和H.Tschofenig,“策略管理的位置配置扩展”,正在进行的工作,2011年6月。
[17] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
[17] Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 43012005年12月。
[18] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[18] Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。
[19] Peterson, J., "A Presence-based GEOPRIV Location Object Format", RFC 4119, December 2005.
[19] Peterson,J.,“基于状态的GEOPRIV定位对象格式”,RFC 4119,2005年12月。
[20] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[20] 菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.,和T.伯纳斯李,“超文本传输协议——HTTP/1.1”,RFC2616,1999年6月。
[21] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[21] Rosenberg,J.,Schulzrinne,H.,Camarillo,G.,Johnston,A.,Peterson,J.,Sparks,R.,Handley,M.,和E.Schooler,“SIP:会话启动协议”,RFC 3261,2002年6月。
[22] World Wide Web Consortium, "The XMLHttpRequest Object", W3C document http://www.w3.org/TR/XMLHttpRequest/, August 2010.
[22] 万维网联盟,“XMLHttpRequest对象”,W3C文档http://www.w3.org/TR/XMLHttpRequest/,2010年8月。
[23] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, "Framework for Emergency Calling Using Internet Multimedia", Work in Progress, October 2010.
[23] Rosen,B.,Schulzrinne,H.,Polk,J.,和A.Newton,“使用互联网多媒体进行紧急呼叫的框架”,正在进行的工作,2010年10月。
[24] Rosen, B. and J. Polk, "Best Current Practice for Communications Services in support of Emergency Calling", Work in Progress, March 2011.
[24] Rosen,B.和J.Polk,“支持紧急呼叫的通信服务的最佳当前实践”,正在进行的工作,2011年3月。
[25] Schulzrinne, H., "Location-to-URL Mapping Architecture and Framework", RFC 5582, September 2009.
[25] Schulzrinne,H.,“位置到URL映射体系结构和框架”,RFC 5582,2009年9月。
[26] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Core", RFC 6120, March 2011.
[26] Saint Andre,P.,“可扩展消息和状态协议(XMPP):核心”,RFC61202011年3月。
[27] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, August 2007.
[27] Shirey,R.,“互联网安全术语表,第2版”,FYI 36,RFC 4949,2007年8月。
[28] <http://creativecommons.org/>
[28] <http://creativecommons.org/>
Authors' Addresses
作者地址
Richard Barnes BBN Technologies 9861 Broken Land Pkwy, Suite 400 Columbia, MD 21046 USA
Richard Barnes BBN Technologies 9861 Breaked Land Pkwy,美国马里兰州哥伦比亚市400号套房21046
Phone: +1 410 290 6169
EMail: rbarnes@bbn.com
Phone: +1 410 290 6169
EMail: rbarnes@bbn.com
Matt Lepinski BBN Technologies 10 Moulton St. Cambridge, MA 02138 USA
Matt Lepinski BBN Technologies美国马萨诸塞州剑桥莫尔顿街10号,邮编02138
Phone: +1 617 873 5939
EMail: mlepinski@bbn.com
Phone: +1 617 873 5939
EMail: mlepinski@bbn.com
Alissa Cooper Center for Democracy & Technology 1634 I Street NW, Suite 1100 Washington, DC USA
Alissa Cooper民主与技术中心美国华盛顿特区西北I街1634号1100室
EMail: acooper@cdt.org
EMail: acooper@cdt.org
John Morris Center for Democracy & Technology 1634 I Street NW, Suite 1100 Washington, DC USA
美国华盛顿特区西北I街1634号约翰·莫里斯民主与技术中心1100室
EMail: jmorris@cdt.org
EMail: jmorris@cdt.org
Hannes Tschofenig Nokia Siemens Networks Linnoitustie 6 Espoo 02600 Finland
Hannes Tschofenig诺基亚西门子网络公司芬兰Linnoitustie 6 Espoo 02600
Phone: +358 (50) 4871445
EMail: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at
Phone: +358 (50) 4871445
EMail: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at
Henning Schulzrinne Columbia University Department of Computer Science 450 Computer Science Building New York, NY 10027 US
美国纽约州纽约市哥伦比亚大学计算机科学系计算机科学大楼450号
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu
URI: http://www.cs.columbia.edu
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu
URI: http://www.cs.columbia.edu