Network Working Group                                         Pars Mutaf
Internet-Draft                                     Institut National des
Intended status: Informational                        Telecommunications
Expires: November 15, 2007                                  May 14, 2007

      Private Information Queries: problem statement and overview

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on November 15, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2007).


   Private Information Queries (PIQ) is an Internet protocol that allows
   making a phone number query directly to the target cell phone.  The
   target user can decide whether or not a phone number should be
   returned; in real-time and on a case-by-case basis.

   PIQ may also be used for bootstrapping IKEv2 (Internet Key Exchange).
   Along with a phone number, the querier can securely obtain a fixed IP
   address e.g., a Mobile IPv6 home address, exchange certificates and

Mutaf                   Expires November 15, 2007               [Page 1]

Internet-Draft         Private Information Queries              May 2007

   initiate IKEv2 with the target host.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Abstract protocol operation . . . . . . . . . . . . . . . . . . 3
   3.  Mapping human names to IP addresses . . . . . . . . . . . . . . 5
   4.  Name collisions . . . . . . . . . . . . . . . . . . . . . . . . 5
   5.  Security considerations . . . . . . . . . . . . . . . . . . . . 6
   6.  IANA considerations . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Conclusion  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6
   9.  Informative References  . . . . . . . . . . . . . . . . . . . . 6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 7
   Intellectual Property and Copyright Statements  . . . . . . . . . . 8

Mutaf                   Expires November 15, 2007               [Page 2]

Internet-Draft         Private Information Queries              May 2007

1.  Introduction

   The "phone book" that maps human names to telephone numbers is one of
   the oldest concepts in telephony.  The phone book is however dead in
   cellular telephony, today.  For privacy reasons, users do not publish
   their cell phone numbers.  This privacy does not come without a cost.
   Users are dependent on their personal contact lists and have a hard
   time sharing their phone numbers; often through oral communication.
   This is very inconvenient.  More importantly, there are many real-
   life situations where communication cannot even take place because
   the target user's phone number is unknown or lost and cannot be
   learned.  Yet another problem currently is the "slow learning cell
   phone" problem.  Thousands of new cell phones are bought everyday by
   young new users.  A newly bought cell phone cannot be immediately
   used, since the contact list of the new user is initially empty.  A
   phone number is learned on the occasion when user contact occurs; and
   not when actually needed.

   Therefore, by current practice, privacy kills reachability.  This is
   also not the right approach to privacy.  Allowing phone number
   queries can contribute to better privacy.  Today, phone numbers
   cannot be easily changed or revoked without losing reachability to
   legitimate users.  Changing a phone number (or, a SIP URI) may
   contribute to better privacy (see for example [TDIG][DPN]).  However
   redistributing a new phone number to legitimate users must be made
   easy in this case.

   Phone number queries are therefore necessary, however privacy must be
   also be preserved.  A user should be able to distribute phone numbers
   on demand, on a case-by-case basis and in real-time, under his/her
   control.  The "Private Information Queries" (PIQ) protocol brings
   this solution.  The target user's phone number is requested directly
   from the target user's phone.  The target user decides in real-time
   whether or not a phone number should be returned depending on the
   querier's identity or other information.

   This document focuses on "phone numbers" for their actual relevance
   and also for editorial simplicity.  SIP URIs, IPv4/IPv6 addresses,
   Mobile IPv4/IPv6 home addresses, DNS names, e-mail addresses, and
   various combinations of these private informations can also be
   distributed using PIQ.

2.  Abstract protocol operation

   Private Information Queries (PIQ) is an abstract protocol.  It can be
   used over any technology and over the Internet.  It can be used over
   a short distance (upon user contact) or over very long distances i.e.

Mutaf                   Expires November 15, 2007               [Page 3]

Internet-Draft         Private Information Queries              May 2007

   through the Internet.  From user perspective, this service is not
   very different from a traditional phone book, except that the query
   must be approved by the target user.  Figure 1 illustrates the
   abstract protocol operation.

                  Cellular host                   Cellular host
                 (John Hoffman)                  (Alice Collins)

             1.     ------ Query(phone number) -------->

             2.     <--------- Turing Test ---- --------

             3.     ------ Query(phone number),
                        Turing Test solution ---------->

             4.                                  user approval

             5.     <-------- phone number -----------

                                 Figure 1

   The query is sent directly to Alice Collins' host's IP address.  Upon
   receipt of the private information query, the responder application
   displays a message:

                      John Hoffman requested your
                      phone number. Accept? [YES/NO]

   The identity of the querier (i.e., John Hoffman in this example) must
   be verifiable.  If not, the target user must be notified.  The target
   user may know John Hoffman and may accept the request.  Or, the
   target user may not know John Hoffman but may have an idea who he is
   and/or why he is trying to contact, and hence may accept the request
   (or not).  The decision belongs to the target user.  It is taken in

   The Turing test ensures that a user cannot be disturbed with a bogus
   query without making some annoying mental effort.  The effort needed
   to deny a request is, however, negligible.  Pushing on the NO button
   of the phone will probably take less than a second (fast as a reflex
   and immediately forgotten).  This feature makes the attack highly
   unspectacular hence defeats it.  The attacker suffers but the impact
   is negligible.  Turing test is also an effective defense against
   machine-generated Denial-of-Service attacks.  The most common and
   popular Turing test is currently [CAPTCHA].  Its difficulty can be
   adaptively tuned by the target host.  Once the target user's phone

Mutaf                   Expires November 15, 2007               [Page 4]

Internet-Draft         Private Information Queries              May 2007

   number is learned, next time he/she can be contacted directly, i.e.,
   without facing a Turing test.

   Along with a PI (Private Information) query, the querier may also
   send a very short text (for example limited to 15-20 characters)
   providing a clue about his identity and motivations for requesting a
   phone number.  The target user may allow or dissallow clues.  An
   example clue is "found cred. card".  The responder, who indeed lost
   his credit card can return a phone number although the querier is
   unknown.  Another example clue is "forgot phone (carol)".  The target
   user may expect a call from Carol, but Carol may be using a friend's
   cell phone (because she forgot her phone or has no battery power).
   Or, in some critical situations, a cell phone may be lost or broken.
   The lost person may borrow another person's phone and use PIQ to
   retrieve a target phone number.  The person may provide a clue about
   his/her identity if necessary.

3.  Mapping human names to IP addresses

   Similarly to a traditional phone book, the target user can be
   identified by a human name or possibly a pseudonym.

   The big difference from the traditional phone book is that the target
   human name must be resolved to an IP address instead of a phone
   number.  The PI query will be sent or relayed to this address so that
   the target user can approve it in real-time.

   Solutions to this problem are out of this document's scope.

4.  Name collisions

   A user who has a very common name (e.g.  John Smith), may receive
   more frequent and mostly useless PI queries.  The user can mostly
   drop such requests by pushing on the NO button of his phone, which
   should not be considered difficult.

   With the traditional phone book, the querier can filter the returned
   results using some other information about the target user e.g. the
   street address, company, etc.  PIQ may adopt a similar solution.
   Along with a Turing test, the target host may return some information
   helping the querier make the right choice.  If the target user is
   unlikely to be the right person, the querier can give up the query
   and avoid solving an unnecessary Turing test.

Mutaf                   Expires November 15, 2007               [Page 5]

Internet-Draft         Private Information Queries              May 2007

5.  Security considerations

   A regional PKI (Public Key Infrastructure) formed by the cellular
   operators in the same area e.g., a country, may be used for user
   identity and public key certification.  A user's identity and public
   key may be certified by the operator, and hosts may be configured
   with trusted operators' public keys.  Although not secure over a
   global scale, a regional PKI can be enough for all PIQ users living
   in the same region.

   PIQ may also be used for bootstrapping IKEv2 (Internet Key Exchange).
   Along with a phone number, the querier can securely obtain a fixed IP
   address e.g., a Mobile IPv6 home address, exchange certificates and
   initiate IKEv2 with the target host.

6.  IANA considerations

   This is an informational document.

7.  Conclusion

   "Private Information Queries" (PIQ) replaces the traditional "phone
   book" with an end-to-end protocol.  A phone number query is made to
   the target phone directly.  User distributes phone numbers on demand,
   on a case-by-case basis and in real-time.  This ease of distribution
   contributes to reachability and also privacy.  A phone number can be
   changed or revoked more comfortably.  A legitimate user who lost
   contact with the target user, can always request a new phone number
   using PIQ.

8.  Acknowledgements

   Comments by Albert Manfredi, Olaf Kolkman and Christian Huitema
   helped better formulate the problem and the general solution.

9.  Informative References

   [CAPTCHA]  "URL:".

   [DPN]      "Disposable phone numbers, URL:

   [TDIG]     "Tossable digits, URL:".

Mutaf                   Expires November 15, 2007               [Page 6]

Internet-Draft         Private Information Queries              May 2007

Author's Address

   Pars Mutaf
   Institut National des Telecommunications


Mutaf                   Expires November 15, 2007               [Page 7]

Internet-Draft         Private Information Queries              May 2007

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at


   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

Mutaf                   Expires November 15, 2007               [Page 8]