
Re: RE : data point - anonymous E.164 number usage

  • To: "Rosbotham, Paul"
  • From: "Conroy, Lawrence (SMTP)"
  • Date: Fri, 27 Feb 2004 13:40:33 +0000

Paul, folks,
I also agree with Olivier - as long as one entity is in control of a number, and that entity is the one that makes the request, their identity as such is not important.

Legal accountability for actions is quite a different page of the book, so I'll ignore it as a reason for confirmed identification here.

However... one thing that has continued to confuse me over the lifetime of the trials is the odd use of the words validation, identification, authentication and authorisation.

Please - Validation is *NOT* what indicates that whoever makes a request is the person who is specified in any telco information - authentication or identification is what does that, IFF the information is a secret shared between the telco and their customer only. Validation concerns the data relating a service and a phone number, asserted by a person; it reports that the assertion is correct.

Given that we have some identification / authentication information from the person making a request, we can validate (i.e. confirm, ratify) that this person has a right (i.e. is authorised) to be associated with the number.

With Telcos that have an existing relationship with a customer (via, for example, a secure Web service) then they CAN do both in one go - authenticate the customer using TLS and user/password (or even user certificates) AND then use this secured link to exchange some secret tied to a phone number. With a pre-pay, this is probably a hash on the SIM, so this SHOULD work. The customer's name may be Mickey_Mouse0123, but that's life.

However, identification/authentication and validation/authorisation are discrete functions and I'm not sure whether we are just choosing different words for each task, or are actually considering different models.

all the best,
Lawrence

On 27 Feb 2004, at 11:04 am, Rosbotham, Paul wrote:

<snip>
In brief, the telco record (by whichever means it's accessed) will confirm that a number is assigned to a given entity. That doesn't confirm that the applicant is that entity, which is where the validation comes in.
<snip>


