Re: [Ace] Offline operation of Resource Server
Ludwig Seitz <ludwig@sics.se> Tue, 15 July 2014 05:47 UTC
Message-ID: <53C4C082.3020909@sics.se>
Date: Tue, 15 Jul 2014 07:47:46 +0200
From: Ludwig Seitz <ludwig@sics.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ace@ietf.org
References: <53C3C09A.5090707@gmx.net> <14018.1405360899@sandelman.ca> <53C42703.4060806@gmx.net> <8236.1405368736@sandelman.ca>
In-Reply-To: <8236.1405368736@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/Npx45jzx9QTuM7c8e3wmy77WQzA
On 07/14/2014 10:12 PM, Michael Richardson wrote:
>
> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> > To re-use the Kerberos language, the client gets the TGT. The real-time
> > interaction I was talking about relates to the interaction between the
> > resource server and the authorization server.
>
> During enrollment, the Authorization Server gets a TGT on the *resource* server.
> Given that, it can now issue new tickets to clients that come along that wish
> to access the resource. The client, during enrollment, asks the (possibly
> federated list of) authorization servers for a resource ticket.
> (This is why part of network join needs to be in scope for ACE)
>
> All of the above has to occur online.
>
> Once the client has the resource ticket, the resource server can validate it offline.
>
>> Ludwig, could you please explain this offline requirement a bit more?

It means exactly the kind of offline validation that Michael described above.

1. You need some initial enrollment of AS <-> RS (that could be online or offline & manual, such as by reading off some QR code with the RS's initial key material and feeding that to the AS).

2. Then you need some online authorization decision step between C and AS.

3. Then (possibly later) there is some interaction between C and RS, that could be offline. Here RS needs to be able to do offline validation of the authorization decision from step 2.

/Ludwig

-- 
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70-349 92 51
http://www.sics.se
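The three-step flow above, as an added illustration that is not part of the thread: an AS/RS enrollment key, an online C<->AS decision bound to one RS, and RS-side validation that needs only the enrolled key and a local clock. The token format (sorted JSON plus an HMAC-SHA256 tag, hex encoded) and the class and claim names are constructed for this example, not anything ACE specified.

```python
# Added example, not from the mailing-list thread. Simplified token format
# (JSON body + "." + hex HMAC-SHA256 tag) is a constructed stand-in.
import hashlib
import hmac
import json
import time


class AuthorizationServer:
    def __init__(self):
        self.rs_keys = {}  # RS identifier -> key learned at enrollment (step 1)

    def enroll_rs(self, rs_id, rs_key):
        # Step 1: AS <-> RS enrollment, online or manual (e.g. QR code).
        # After this, the AS never needs the RS to be reachable again.
        self.rs_keys[rs_id] = rs_key

    def issue_token(self, client_id, rs_id, scope, ttl=300):
        # Step 2: online C <-> AS authorization decision. The decision is
        # keyed to a single RS, so only that RS can verify it.
        claims = {"sub": client_id, "aud": rs_id, "scope": scope,
                  "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.rs_keys[rs_id], body, hashlib.sha256).hexdigest()
        return body + b"." + tag.encode()


class ResourceServer:
    def __init__(self, rs_id, rs_key):
        self.rs_id, self.rs_key = rs_id, rs_key

    def validate(self, token, required_scope, now=None):
        # Step 3: offline validation. No round trip to the AS: only the
        # enrolled key, the local clock and the token itself are used.
        now = int(time.time()) if now is None else now
        body, sep, tag = token.rpartition(b".")  # hex tag contains no "."
        if not sep:
            return None
        expected = hmac.new(self.rs_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected.encode()):
            return None  # forged or tampered token
        claims = json.loads(body)
        if claims.get("aud") != self.rs_id:
            return None  # decision was issued for a different RS
        if claims.get("exp", 0) < now:
            return None  # expired; RS cannot ask the AS, so it must refuse
        if required_scope not in claims.get("scope", "").split():
            return None  # authorization did not cover this operation
        return claims
```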