AW: RE : data point - anonymous E.164 number usage
- Date: Mon, 1 Mar 2004 00:31:43 +0100
Von: Staffan Hagnell 
Gesendet: So 29.02.2004 18:03
An: Stastny Richard
Cc: Olivier.Girard@localhost jim@localhost ag@localhost jseng@localhost enum-l@localhost enum-trials@localhost enum-trial@localhost
Betreff: Re: RE : data point - anonymous E.164 number usage
>Could a conclusion be that -
>1. Identification and validation of an E.164 Subscribers is not handled uniform, but rather different >for different types of services in different countries.
>2. The requirement on identification and validation of an ENUM Subscriber is not supposed to be >less then the identification and validation made for the corresponding E.164 Subscribers (doing the >same type of transaction, e.g. registration)
>--> the same type of identification and validation could be considered sufficient for administer an >ENUM Subscriber as is used when administer the corresponding E.164 Subscriber.
>E.g. if showing a SIM card is considered to a proper requirement for identification and validation of >an E.164 Subscriber, it could also be considered a sufficient requirement for identification and >validation of an ENUM Subscriber!
In principle yes, but be careful with terminology:
It might be necesary to show up with a passport and three witnesses in front of a notary to identify yourself to get a mobile subscription and related with this an E.164 mobile number ;-), but if you finally get a SIM card (secure token and PIN) and now may use this SIM-Card to make mobile calls. In doing so, you may purchase items by submitting your CLI (the E.164 number). So you are now identified and also authenticated by your E.164 number, because the intrinsic assumption is that you can do this only if you have access to the secure token and also to the PIN. If you now request an e.164.arpa domain related to this number, it is sufficient for validation (that you have the right to use the E.164 number by proofing the access to the secure token and the PIN e.g. by sending an SMS to the registrar.
The registrar is not able to identify you, and if you have paid with the SMS also, there is no need, but he may run the tier 2 for you. He also may send you with another SMS a userid and a password to access the nameserver to modify your NAPTRs.
If there is a legal requirement to identify such a person, it should be ALWAYS attached to the entity which is assigning the E.164 number in the first place, in this case the mobile operator. If someone wants to know who is the real holder of such an e164.arpa domain, he has to go to the mobile operator. The identification issue therefore never comes up with opt-in scenarios, if you have a proper validation. It comes up only if you assign ENUM-only numbers, but then you do not need a validation.
>Of course, it would be nice to have a single solution for identification and validation of all ENUM >Subscribers (but I am skeptical to the possibilities that there will be such one in the short run).
Depending you define it: in principle there is only one solution:
1. You may or may not have to identify to get an E.164 number (if you allow anonymous numbers)
2. You have to prove the right to use this number in ENUM
So the solution is the same, the methods for validation may vary:
For ENUM-only numbers, you do not need a validation at all, for mobile numbers a SMS is sufficient, for fixed numbers you need additional methods, ony of them may be the use of certificates. You may get this certificate at assignement time (best solution), but you may also get it later (either by your TSP or by an independant entity.
The certificates are also helpful later if you want to transfer your ENUM domain, because you have in principle a validation problem again.
Stastny Richard wrote:
I fully agree with Olivier:
We have here two complete separate problems:
1. Identification required to get an E.164 number.
This is a problem that has nothing to do with ENUM and should be kept
completely separate. That prepaid cards are given out in some (most) countries
without proper id is NOT an ENUM problem.
If some legal entity wants to get the identification of a person or entity assigned
an E.164 number, it should use the existing infrastructure. This is also holds if they
want to know the identity holding an e164.arpa domain related to this number if
no contact information is available.
ENUM is not here to solve OPPs (Other People Problems)
2. The only thing that ENUM needs to provide is consistency in the
E.164 name space, that is: a e614.arpa domain shall only be delegated if
and only for the period of time the associated E.164 number is assigned to
a person or entity and it shall be delegated to the SAME person or entity.
As Olivier shows this does not necessarily require to reveal the entity of the person,
especially not on mobile phone if you use the access to the identification token
(e.g a SIM-card), but there ara also possibilities for fixed lines.
For regulators, they should only state the requirement and not the procedure
how to do this, because you can do this in many different ways. They will of course
have the right to check a given procedure if it complies to the requirement given.