No matter where you go, there they are.

[Peter Trei]

Well, we've pretty throughly convinced ourselves that Denning's scheme can be 
spoofed (I'm convinced, anyway.)

It's actually worse than useless - it's a substantial security breach.

     To spoof being at a location, Mallory needs to know the location he is trying to spoof.
With S/A off (as I understand it is now), he need to know the location within a couple
meters, in three dimensions.

     Such precise location data is usually difficult to obtain, without actually visiting the 
site and recording the location using GPS.  Mallory might be able to work out, for example,
the location of the desk in the Oval office to that precision by triangulation (though 
setting up theodolites on Massachusetts Avenue may attract some attention :-)
However, I defy him to find the location of a specific PC in NSA headquarters, or in a
secured communications facility  without actually visiting the desk
carrying a GPS receiver (which he won't be allowed to do, unless he's got a 
damn good reason).

     However, since the protocol requires that Alice send out location data, once
she starts using it she reveals her physical location to Eve, Mallory, and anyone ese
 who can see the packets. Since the nature of the protocol is that Alice's location does 
not  change frequently (and needs to transmitted  via a trusted channel to Bob when it
does), after the first usage Mallory  *knows* the physical location  he is trying to 
simulate, and can use this information for future spoofing.

     The upshot of this is that Denning's scheme not only provides no security against 
spoofing, and leaks potentially sensitive data about locations. 

     If Sadaam Huissain (sp?) had used this scheme during the Gulf War, we'd have been 
able to send a cruise missile directly to his keyboard.

[These flaws in the protocol seem so obvious that I can't help but wonder if we're 
missing something - Dorothy isn't *that* stupid.]

Peter Trei
trei at Process.com