Re: [Ace] Offline operation of Resource Server
Rafa Marin Lopez <rafa@um.es> Tue, 15 July 2014 12:58 UTC
From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <53C4C082.3020909@sics.se>
Date: Tue, 15 Jul 2014 14:57:53 +0200
Message-Id: <191F7113-E5ED-49A2-AC27-AA886D527FB1@um.es>
References: <53C3C09A.5090707@gmx.net> <14018.1405360899@sandelman.ca> <53C42703.4060806@gmx.net> <8236.1405368736@sandelman.ca> <53C4C082.3020909@sics.se>
To: Ludwig Seitz <ludwig@sics.se>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/9wtymw-vl49_NOI7fxGM-miDKWc
Cc: ace@ietf.org
Subject: Re: [Ace] Offline operation of Resource Server
Hi Ludwig:

On 15/07/2014, at 07:47, Ludwig Seitz <ludwig@sics.se> wrote:

> On 07/14/2014 10:12 PM, Michael Richardson wrote:
>>
>> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> > To re-use the Kerberos language, the client gets the TGT. The real-time
>> > interaction I was talking about relates to the interaction between the
>> > resource server and the authorization server.
>>
>> During enrollment, the Authorization Server gets a TGT on the *resource* server.
>> Given that, it can now issue new tickets to clients that come along that wish
>> to access the resource. The client, during enrollment, asks the (possibly
>> federated list of) authorization servers for a resource ticket.
>> (This is why part of network join needs to be in scope for ACE)
>>
>> All of the above has to occur online.
>>
>> Once the client has the resource ticket, the resource server can validate it offline.
>>
>
>
>> Ludwig, could you please explain this offline requirement a bit more?
>
> It means exactly the kind of offline validation that Michael described above.

[Rafa] I had the following in mind: The RS is deployed under the domain of a "controller". To ensure the controller and the RS are authenticated and authorized they use EAP/AAA (so we avoid a rogue controller or a rogue RS). The EAP peer is the RS, the EAP authenticator is the "controller" and the EAP server is placed on the AS. We can also think (to simplify) that controller/AS is the same entity for now.

> 1. You need some initial enrollment of AS <-> RS (that could be online or offline & manual such as by reading off some QR code with the RSs initial key material and feeding that to the AS).

Then, one option is to do online enrollment with EAP/AAA.

> 2. Then you need some online authorization decision step between C and AS.

I also think we can use online authorization decision based on EAP/AAA.

> 3. Then (possibly later) there is some interaction between C and RS, that could be offline.
> Here RS needs to be able to do offline validation of the authorization decision from step 2.

That is possible if during the EAP/AAA interactions there is a bootstrapping of some short term credential (e.g. Kerberos tickets). For example, if we talk in Kerberos terminology, the "controller" could be the KDC. Then C could obtain a TGT first and then a ST to access the RS. As long as the C has the ST, it can access the RS and the RS can do the validation offline.

So, in summary, there could be an online enrollment and online authorization decision based on EAP/AAA that allows bootstrapping "something" that enables RS and C to have an offline interaction during a period of time (e.g. ticket lifetime).

My 0.02 cents.

>
> /Ludwig
>
> --
> Ludwig Seitz, PhD
> SICS Swedish ICT AB
> Ideon Science Park
> Building Beta 2
> Scheelevägen 17
> SE-223 70 Lund
>
> Phone +46(0)70-349 92 51
> http://www.sics.se
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Tel: +34868888501 Fax: +34868884151
e-mail: rafa@um.es
-------------------------------------------------------
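The three-step flow discussed in this message, as an added illustration that is not part of the thread or of any ACE draft: step 1 leaves AS and RS with a shared key, step 2 has AS issue a short-lived ticket for RS, and step 3 has RS validate that ticket with nothing but its own key and clock. The HMAC-over-JSON ticket format, the field names and the random key standing in for the EAP/AAA-derived key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def enroll_rs():
    """Step 1 (online, once): the outcome of AS<->RS enrollment modelled as a
    shared 256-bit key. The EAP/AAA exchange that would derive it is not
    modelled; the key is simply constructed here."""
    return os.urandom(32)


def issue_ticket(as_rs_key, rs_id, client_id, scope, lifetime_s, now=None):
    """Step 2 (online): AS encodes its authorization decision in a ticket that
    only the RS can verify (a MAC under the AS<->RS key) with a bounded
    lifetime, the analogue of a Kerberos service ticket's validity window.
    Unlike a Kerberos ST no session key is carried, so this is a bearer token."""
    now = int(time.time() if now is None else now)
    body = {"rs": rs_id, "c": client_id, "scope": scope,
            "iat": now, "exp": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(as_rs_key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def validate_ticket_offline(rs_key, rs_id, ticket, now=None):
    """Step 3 (offline): RS checks the ticket with only its own key and clock,
    no round trip to AS. Returns the decoded decision, or None on any failure."""
    now = time.time() if now is None else now
    try:
        p64, t64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        body = json.loads(payload)
    except ValueError:
        return None                      # malformed ticket
    expected = hmac.new(rs_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or altered ticket
    if not isinstance(body, dict) or body.get("rs") != rs_id:
        return None                      # issued for a different RS
    if not (body["iat"] <= now < body["exp"]):
        return None                      # outside the ticket lifetime
    return body
```

Once the ticket expires the client has to go back to AS (online again), which is exactly the lifetime-bounded offline window the message describes.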