Re: [Ace] New Version of Proposed Charter
Likepeng <likepeng@huawei.com> Fri, 24 January 2014 09:27 UTC
Return-Path: <likepeng@huawei.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B69B81A0220 for <ace@ietfa.amsl.com>; Fri, 24 Jan 2014 01:27:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.436
X-Spam-Level:
X-Spam-Status: No, score=-4.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Vg8t7nE5Ich for <ace@ietfa.amsl.com>; Fri, 24 Jan 2014 01:27:49 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 11F261A01DD for <ace@ietf.org>; Fri, 24 Jan 2014 01:27:48 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BCW50297; Fri, 24 Jan 2014 09:27:46 +0000 (GMT)
Received: from LHREML402-HUB.china.huawei.com (10.201.5.241) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 24 Jan 2014 09:27:26 +0000
Received: from SZXEMA407-HUB.china.huawei.com (10.82.72.39) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 24 Jan 2014 09:27:45 +0000
Received: from SZXEMA501-MBS.china.huawei.com ([169.254.2.66]) by SZXEMA407-HUB.china.huawei.com ([10.82.72.39]) with mapi id 14.03.0158.001; Fri, 24 Jan 2014 17:27:38 +0800
From: Likepeng <likepeng@huawei.com>
To: Göran Selander <goran.selander@ericsson.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] New Version of Proposed Charter
Thread-Index: AQHPFfcws6Jb64qr7EyB1+x3u+RdR5qRqPoAgAHwUOA=
Date: Fri, 24 Jan 2014 09:27:37 +0000
Message-ID: <34966E97BE8AD64EAE9D3D6E4DEE36F252AE3E36@SZXEMA501-MBS.china.huawei.com>
References: <52DD456E.7010501@tzi.de> <CF040CAB.6550%goran.selander@ericsson.com>
In-Reply-To: <CF040CAB.6550%goran.selander@ericsson.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.167.122]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Subject: Re: [Ace] New Version of Proposed Charter
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 09:27:53 -0000
> I think the issues around authorisation lifetime or revocation deserves should also be listed in the tasks below Currently we have this task in the list: •Define a mechanism for authenticated and protected transfer of authorization information suitable for constrained device to constrained device communication. Do you have any proposal to merge the lifetime/revocation into the sentence above? Or have another general task? If we have a separate bullet just for lifetime/revocation, that may be too emphasized. Thanks, Kind Regards Kepeng > -----邮件原件----- > 发件人: Ace [mailto:ace-bounces@ietf.org] 代表 G?ran Selander > 发送时间: 2014年1月23日 19:23 > 收件人: ace@ietf.org > 主题: Re: [Ace] New Version of Proposed Charter > > > I think the charter in its current version is setting the stage very well and > provides a good motivation for the work needed. Some further comments > inline. Some comments are partially answered by Kepeng in a recent email. > > > (Thanks for considering some of my previous comments!) > > > On 20/01/14 16:49, "Stefanie Gerdes" <gerdes@tzi.de> wrote: > > >Hi everybody, > > > >Due to several complaints about the readability of the proposed > >charter, we revised it and, with the assistance of Hannes, came up with > >a new proposal which provides some more motivation and background to our > work. > > > >We hope that this version includes the relevant topics and reflects the > >previous discussion. Please let us know if something relevant is missing. > > > >In six weeks, at the IETF meeting, we should be able to present a > >readable charter that has wide consensus in the IETF. So this is a good > >time to check that we agree about the charter within the ACE community. > > > >Best regards, > >Kepeng and Steffi > > > >Draft Charter V0.3 - Authentication and Authorization for Constrained > >Environment (ACE) > > > >New developments in the IETF include protocols with a specific focus on > >energy-efficiency to be used e.g. in environments where network nodes > >are limited in CPU, memory, and power-resources. It was observed that > >Internet protocols can be applied to these constrained environments, > >often only requiring minor tweaking and profiling. In other cases, new > >protocols such as the Constrained Application Protocol (CoAP) have been > >defined to address the specific requirements of constrained devices and > >networks. > > > >Constrained devices raise authentication and authorization questions. > >For example, a door lock has to authorize the person seeking access > >using a digital key. Where are the authorization decisions stored? How > >does the digital key communicate with the lock? Does the lock interact > >with an authorization server to obtain authorization information? How > >can access be granted to other persons temporarily? How can access be > >revoked? > > 1. Yes this is good, and I think the issues around authorisation lifetime or > revocation deserves should also be listed in the tasks below > > >These types of questions have been answered by existing protocols for > >use cases outside the constrained environment. But in constrained > >environment, constrained devices cannot readily handle these issues due > >to resource constraints. > > 2. The weighing of different resource constraints against each other is a task > for this work, see 3. below. > > >CoAP provides a DTLS binding for > >authentication but does not address authorization. > > > > The IETF has a long history in developing three party authentication > >and authorization protocols for distributed environments. Examples > >include Kerberos, the Public Key Infrastructure (PKI), the > >Authentication, Authorization, and Accounting (AAA) infrastructure, and > >the Web Authorization Protocol (OAuth). All these protocols enjoy > >widespread deployment on the Internet. Although they all aim to solve > >the same goal they offer quite different functions and utilize > >different message exchanges. These differences are motivated by the > >main deployment use cases they were designed for. > > > >Requirements derived from use cases indicate the suitability of already > >existing work, such as OAuth, as a solution for constrained > >environments. These protocols were, however, not optimized for > >constrained environments. Additional requirements that need to be taken > >into account are the lack of a suitable user-interface for obtaining > >the consent of the user and the inability of embedded devices to > >contact an identity management/authorization server in real-time with > >every access request. > > > >This working group therefore aims for a standardized solution for > >authentication and authorization to enable authorized access to > >resources in constrained environments, using CoAP and leveraging DTLS > >security where possible. Constrained devices will thus be enabled to > >authenticate requests for operations from other (constrained or > >less-constrained) devices, to communicate securely with them and to > >verify their individual authorization to access specific resources. To > >achieve this, ACE will be able to employ additional less-constrained > >devices in order to relieve the constrained nodes from complex security > >related tasks (e.g. managing authorization policies and a large number > >of keys). > > > >Existing authentication and authorization protocols are used and > >re-applied for use with constrained devices, where applicable. This > >requires relevant specifications to be reviewed for suitability, > >selecting a subset of them, restricting the options within each of the > >specifications. Some functionalities may, however, not be available in > >existing protocols and for those cases new functionality has to be > >standardized. Thus, existing work can be leveraged and the group > >benefits from available security analysis, implementation, and > >deployment experience. > > 3. Here I¹m missing the step that we need to agree on and specify design > constraints when profiling existing protocols or designing new. There are > trade-offs to make e.g. in terms of either doing crypto on a constrained device > or instead communicating with supporting less-constrained device. > > >Moreover, a standardized solution for federated authentication and > >authorization will help to stimulate the deployment of IoT devices > >offering increased security. > > > >To be successful this working group requires expertise in security, > >privacy, and a good understanding of usability in the constrained > >environment space. This work does not make the assumption that the > >party offering application layer services is always the same party > >offering network access services. > > > >The ACE WG has the following tasks: > > > > Document the use cases and high-level requirements for secured > >communication between constrained devices. > > > > Define profiles for certificates used for authenticated authorization. > > > 4. This has been discussed before, e.g. > http://www.ietf.org/mail-archive/web/ace/current/msg00104.html > > - The term ³authenticated authorization² is not defined or referenced. > > - It sounds like it excludes things like Bearer Tokens (which may be OK, but that > has not been discussed at all). > > - I¹m fine with including this particular optimisation of DTLS handshake, but > would like to get acknowledged that other work on optimisations of DTLS > handshake in this context is also in scope, such as trusted third party assisted > key management (e.g. draft-seitz-core-security-modes). Any work in this space > is of course is conditional on what design constraints are relevant for this > work. > > > > > > Document the applicability of the main authentication and key exchange > >protocols with respect to resource usage (RAM, message round trips, > >power consumption etc.) and their suitability for the use cases. > > 5. Referring to 3. above, it is in this context I see the need to specify design > constraints, to be able to make a comparison and to decide what to > standardise. > > > Göran > > > > > Define a mechanism for authenticated and protected transfer of > >authorization information suitable for constrained device to > >constrained device communication. > > > > Define formats for access tokens and for authorization information > >that are suitable for constrained devices. > > > > Define bootstrapping for authorization information using the Resource > >Directory (see > >http://tools.ietf.org/html/draft-ietf-core-resource-directory). > > > >_______________________________________________ > >Ace mailing list > >Ace@ietf.org > >https://www.ietf.org/mailman/listinfo/ace > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace
- [Ace] New Version of Proposed Charter Stefanie Gerdes
- Re: [Ace] New Version of Proposed Charter Rahman, Akbar
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Göran Selander
- Re: [Ace] New Version of Proposed Charter Rahman, Akbar
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Ludwig Seitz
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Göran Selander
- Re: [Ace] New Version of Proposed Charter 鹏程万里
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Göran Selander
- Re: [Ace] New Version of Proposed Charter Stefanie Gerdes
- Re: [Ace] New Version of Proposed Charter Stefanie Gerdes
- Re: [Ace] New Version of Proposed Charter Bert Greevenbosch
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Göran Selander
- Re: [Ace] New Version of Proposed Charter Göran Selander
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Bert Greevenbosch
- Re: [Ace] New Version of Proposed Charter Stefanie Gerdes
- Re: [Ace] New Version of Proposed Charter Paul Lambert
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Carsten Bormann
- Re: [Ace] New Version of Proposed Charter Paul Lambert
- Re: [Ace] New Version of Proposed Charter Paul Lambert
- Re: [Ace] New Version of Proposed Charter Göran Selander
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Ludwig Seitz
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Paul Lambert
- [Ace] Symmetric Keys Don't Scale ... was Aw: Re: … Hannes Tschofenig
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Michael Richardson
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Paul Lambert
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Paul Lambert
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Olaf Bergmann
- Re: [Ace] New Version of Proposed Charter Ludwig Seitz
- [Ace] quiz question on energy cost of public key … Rene Struik
- Re: [Ace] quiz question on energy cost of public … Olaf Bergmann
- Re: [Ace] quiz question on energy cost of public … Rene Struik
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Paul Lambert
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Bert Greevenbosch
- Re: [Ace] New Version of Proposed Charter Ludwig Seitz
- Re: [Ace] New Version of Proposed Charter ma yc
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Ron Puzzle
- Re: [Ace] New Version of Proposed Charter Likepeng
- Re: [Ace] New Version of Proposed Charter Olaf Bergmann
- Re: [Ace] Symmetric Keys Don't Scale ... was Aw: … Paul Lambert