Re: [Ace] Offline operation of Resource Server

Ludwig Seitz <ludwig@sics.se> Tue, 15 July 2014 05:47 UTC

Message-ID: <53C4C082.3020909@sics.se>
Date: Tue, 15 Jul 2014 07:47:46 +0200
From: Ludwig Seitz <ludwig@sics.se>
To: ace@ietf.org
References: <53C3C09A.5090707@gmx.net> <14018.1405360899@sandelman.ca> <53C42703.4060806@gmx.net> <8236.1405368736@sandelman.ca>
In-Reply-To: <8236.1405368736@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/Npx45jzx9QTuM7c8e3wmy77WQzA

On 07/14/2014 10:12 PM, Michael Richardson wrote:
>
> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>      > To re-use the Kerberos language, the client gets the TGT. The real-time
>      > interaction I was talking about relates to the interaction between the
>      > resource server and the authorization server.
>
> During enrollment, the Authorization Server gets a TGT on the *resource* server.
> Given that, it can now issue new tickets to clients that come along that wish
> to access the resource.  The client, during enrollment, asks the (possibly
> federated list of) authorization servers for a resource ticket.
> (This is why part of network join needs to be in scope for ACE)
>
> All of the above has to occur online.
>
> Once the client has the resource ticket, the resource server can validate it offline.
>


>> Ludwig, could you please explain this offline requirement a bit more?

It means exactly the kind of offline validation that Michael described 
above.

1. You need some initial enrollment of AS <-> RS (that could be online 
or offline & manual, such as by reading off some QR code with the RS's 
initial key material and feeding that to the AS).

2. Then you need some online authorization decision step between C and AS.

3. Then (possibly later) there is some interaction between C and RS, 
which could be offline. Here RS needs to be able to do offline validation 
of the authorization decision from step 2.


/Ludwig

-- 
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund

Phone +46(0)70-349 92 51
http://www.sics.se
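The three steps Ludwig lists above, in Michael's Kerberos framing (the AS holds key material for the RS and mints tickets the RS can check without calling back), as a runnable model. This is an added example, not code from the thread or from any ACE draft: the HMAC-over-JSON ticket, the claim names (sub, aud, scope, exp, jti), the RS and client identifiers, the QR-code stand-in and the 300-second lifetime are all assumptions made for illustration.

```python
"""Model of offline ticket validation at a Resource Server (RS).

Added example, not from the ACE thread. Assumptions: a symmetric key
per RS shared with the AS at enrollment, an HMAC-SHA256 tag over a
JSON payload, and a local clock on the RS for expiry checks.
"""
import hashlib
import hmac
import json
import os


class ResourceServer:
    """Step 1 source of key material; step 3 offline validator."""

    def __init__(self, rs_id):
        self.rs_id = rs_id
        self.key = os.urandom(32)   # assumed: provisioned at manufacture
        self.seen = set()           # ticket ids already accepted (replay check)

    def enrollment_material(self):
        # What the QR code in step 1 would carry: identifier plus key.
        return self.rs_id, self.key

    def validate(self, ticket, now):
        """Step 3: uses only the local key, local clock and local state."""
        if not isinstance(ticket, dict):
            return False, "malformed"
        payload, tag = ticket.get("payload"), ticket.get("tag")
        if not isinstance(payload, str) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        claims = json.loads(payload)          # authenticated, so safe to trust shape
        if claims.get("aud") != self.rs_id:   # defence in depth if keys were ever shared
            return False, "wrong audience"
        if now >= claims.get("exp", 0):
            return False, "expired"
        jti = claims.get("jti")
        if jti is None or jti in self.seen:
            return False, "replay"
        self.seen.add(jti)
        return True, claims.get("scope")


class AuthorizationServer:
    """Holds enrolled RS keys (step 1) and makes online decisions (step 2)."""

    def __init__(self):
        self.rs_keys = {}
        self.policy = {}   # (client, rs_id) -> granted scope

    def enroll_rs(self, rs_id, key):
        self.rs_keys[rs_id] = key

    def grant(self, client, rs_id, scope):
        self.policy[(client, rs_id)] = scope

    def request_ticket(self, client, rs_id, now, lifetime=300):
        """Step 2: the only step that must be online. Returns None if denied."""
        scope = self.policy.get((client, rs_id))
        if scope is None or rs_id not in self.rs_keys:
            return None
        claims = {"sub": client, "aud": rs_id, "scope": scope,
                  "exp": now + lifetime, "jti": os.urandom(8).hex()}
        payload = json.dumps(claims, sort_keys=True)
        tag = hmac.new(self.rs_keys[rs_id], payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


def run_scenario():
    """Constructed scenario: one accepted ticket and several rejected ones."""
    rs = ResourceServer("rs-thermostat-1")       # constructed identifiers
    other = ResourceServer("rs-lock-2")
    a = AuthorizationServer()
    a.enroll_rs(*rs.enrollment_material())        # step 1, out of band
    a.enroll_rs(*other.enrollment_material())
    a.grant("client-A", rs.rs_id, "read")
    t0 = 1_700_000_000.0                          # constructed clock value
    r = {}
    ticket = a.request_ticket("client-A", rs.rs_id, t0)   # step 2, online
    r["valid"] = rs.validate(ticket, t0 + 10)             # step 3, offline
    r["replay"] = rs.validate(ticket, t0 + 20)            # same ticket again
    forged = {"payload": ticket["payload"].replace('"read"', '"write"'),
              "tag": ticket["tag"]}                        # scope tampered
    r["forged"] = rs.validate(forged, t0 + 10)
    r["expired"] = rs.validate(a.request_ticket("client-A", rs.rs_id, t0), t0 + 301)
    # Ticket for the thermostat shown to the lock: with per-RS keys the wrong RS
    # cannot even verify the tag, so it fails before the audience check.
    r["wrong_rs"] = other.validate(a.request_ticket("client-A", rs.rs_id, t0), t0 + 10)
    r["unauthorized"] = a.request_ticket("client-B", rs.rs_id, t0)   # no policy
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:13s} -> {outcome}")
```

Two things the model makes visible about the offline step. First, an RS that never talks to the AS after enrollment cannot learn about revocation, so the ticket lifetime the AS chooses is the only lever it has; the 300 seconds here is an assumption, not a recommendation. Second, the expiry and replay checks presuppose a local clock and persistent state on the RS, which a constrained device may not have; if either is missing, freshness has to come from somewhere else (for example a nonce the RS hands to the client that the AS includes in the ticket), which this example does not model.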