Re: [Ace] Questions for the IETF#90 Meeting
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 11 July 2014 09:30 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 352381A0393 for <ace@ietfa.amsl.com>; Fri, 11 Jul 2014 02:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TW_MY4sbGxpX for <ace@ietfa.amsl.com>; Fri, 11 Jul 2014 02:30:26 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68C4D1A03B9 for <ace@ietf.org>; Fri, 11 Jul 2014 02:30:26 -0700 (PDT)
Received: from [172.16.254.119] ([80.92.116.212]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0M7ojs-1WjU2G2QYy-00vOAI; Fri, 11 Jul 2014 11:30:20 +0200
Message-ID: <53BFAEA8.3090407@gmx.net>
Date: Fri, 11 Jul 2014 11:30:16 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <53BCF608.5010606@gmx.net> <27297.1404914953@sandelman.ca>
In-Reply-To: <27297.1404914953@sandelman.ca>
X-Enigmail-Version: 1.5.2
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="dbmTxtbGU4ixne304rsmJ0cGX1BIonJXs"
X-Provags-ID: V03:K0:WZzdS3XdrjYcBu5Atpa5VhEP3ankMpDEIpj7XuEJI2vmhaf+44H ENLPMElnwdRHBzN9QS+kj1uhCMURvTGdT0ZyNEmw1ftZ0KEbY12GEWhkBECWMOhsHBllyDo 7WmBS+OjRKuQJhwRx8KmoiNFm3mBpuDLagqeTsAJFo7o951w6y5g/CGxMfHDxRMUkemU9Fy WrXhpSTlcLr1VV9Poyoow==
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/DeZaB6k_pGvfe88CS_a_iodoqmU
Cc: "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Questions for the IETF#90 Meeting
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jul 2014 09:30:28 -0000
Hi Michael, thanks for the feedback. One minor remark on the Kerberos cross-realm authentication. My understanding of the challenge with deployments (from discussions with the Kerberos folks) is that there have to be business reasons for deploying cross-realm authentication. These business reasons are not always there and they require a considerable amount of effort since business agreements (including legal aspects) do not necessarily scale in the same way as technology could do. This is also a painful lesson the original OpenID guys learned (which is why it is dead now). They approached the problem of federations in a technical way and failed to understand that federations are 95% business/legal constructs and only 5% technology. Ciao Hannes On 07/09/2014 04:09 PM, Michael Richardson wrote: > > Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > > 1) Are there requirements/use cases that allow anything other than the > > OAuth/Kerberos design pattern? > > I think that there are two questions here: > 1) is the OAuth/Kerberos design pattern sufficient? (does it do everything) > 2) is the OAUTH/Kerberos design pattern necessary? (can we throw something away?) > > My instinct is that it handles all of the operational parts, but it does not > handle any of the enrollment parts, particularly for the case where the > parties are offline. You will recall that you felt at the BOF that the > enrollment case was out of scope. > > > 2) Should the design re-use existing work or should the design start > > from scratch? > > > This is more a question of taste / preference but will obviously have a > > huge impact on the subsequent work in the group. > > I think that it worth spending some time to think about a CBOR encoding of > OAuth2, which I think makes use of JSON. I don't think we have any mapping > of Kerberos into JSON, but I could be wrong. The idea is to start with a > baseline situation and then decided if we should innovate. > > > 3) Should the design be based on symmetric or asymmetric crypto? > > (or both?) > > > We have various documents that talk about this issue, for example > > draft-seitz-ace-design-considerations-00 and > > draft-seitz-ace-problem-description-01 > > After enrollment, symmetric crypto is sufficient. > > > 4) How to address cross-domain support in the initial protocol design? > > Is it a feature that can be added later easily? > > > draft-gerdes-ace-actors-01 talks about this aspect. > > It must be present from day one. That is one thing which dis-recommends a > pure Kerberos pattern, or at least observes Kerberos to include all the pkinit and > cross-realm stuff from the beginning. My limited experience with kerberos is > that there must be significant operational hurdles to doing cross-realm > things, or it would occur far more often. > > > PS: One question that has been answered by all document in the same way > > at the moment is about the use of DTLS. Currently, everyone seems to be > > focused on using DTLS everywhere. There would be alternative approaches > > as well. > > I don't prefer to have any alternative approaches be considered. > > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
- [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Ralph Droms
- Re: [Ace] Questions for the IETF#90 Meeting Michael Richardson
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Carsten Bormann
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Göran Selander
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Ludwig Seitz
- Re: [Ace] Questions for the IETF#90 Meeting Robert Cragie
- Re: [Ace] Questions for the IETF#90 Meeting Ludwig Seitz
- Re: [Ace] Questions for the IETF#90 Meeting Robert Cragie
- Re: [Ace] Questions for the IETF#90 Meeting Michael Richardson