IETF Logo Mail Archive

Re: [Ace] Questions for the IETF#90 Meeting

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 09 July 2014 14:09 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A371A0A9F for <ace@ietfa.amsl.com>; Wed, 9 Jul 2014 07:09:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZdXaimFGphq4 for <ace@ietfa.amsl.com>; Wed, 9 Jul 2014 07:09:15 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47A561A03CE for <ace@ietf.org>; Wed, 9 Jul 2014 07:09:15 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 419B52002D; Wed, 9 Jul 2014 10:10:07 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 7ED2763B0E; Wed, 9 Jul 2014 10:09:13 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 6903863B09; Wed, 9 Jul 2014 10:09:13 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <53BCF608.5010606@gmx.net>
References: <53BCF608.5010606@gmx.net>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Wed, 09 Jul 2014 10:09:13 -0400
Message-ID: <27297.1404914953@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/-5ZkCXEEG4QE_LMnLJdnDtVyFNc
Cc: "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Questions for the IETF#90 Meeting
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 14:09:18 -0000

Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
    > 1) Are there requirements/use cases that allow anything other than the
    > OAuth/Kerberos design pattern?

I think that there are two questions here:
  1) is the OAuth/Kerberos design pattern sufficient? (does it do everything)
  2) is the OAUTH/Kerberos design pattern necessary?  (can we throw something away?)

My instinct is that it handles all of the operational parts, but it does not
handle any of the enrollment parts, particularly for the case where the
parties are offline.   You will recall that you felt at the BOF that the
enrollment case was out of scope.

    > 2) Should the design re-use existing work or should the design start
    > from scratch?

    > This is more a question of taste / preference but will obviously have a
    > huge impact on the subsequent work in the group.

I think that it worth spending some time to think about a CBOR encoding of
OAuth2, which I think makes use of JSON.  I don't think we have any mapping
of Kerberos into JSON, but I could be wrong.  The idea is to start with a
baseline situation and then decided if we should innovate.

    > 3) Should the design be based on symmetric or asymmetric crypto?
    > (or both?)

    > We have various documents that talk about this issue, for example
    > draft-seitz-ace-design-considerations-00 and
    > draft-seitz-ace-problem-description-01

After enrollment, symmetric crypto is sufficient.

    > 4) How to address cross-domain support in the initial protocol design?
    > Is it a feature that can be added later easily?

    > draft-gerdes-ace-actors-01 talks about this aspect.

It must be present from day one.  That is one thing which dis-recommends a
pure Kerberos pattern, or at least observes Kerberos to include all the pkinit and 
cross-realm stuff from the beginning.  My limited experience with kerberos is
that there must be significant operational hurdles to doing cross-realm
things, or it would occur far more often.

    > PS: One question that has been answered by all document in the same way
    > at the moment is about the use of DTLS. Currently, everyone seems to be
    > focused on using DTLS everywhere. There would be alternative approaches
    > as well.

I don't prefer to have any alternative approaches be considered. 

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email