Re: [Ace] Offline operation of Resource Server

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 14 July 2014 18:01 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <53C3C09A.5090707@gmx.net>
References: <53C3C09A.5090707@gmx.net>
Date: Mon, 14 Jul 2014 14:01:39 -0400
Message-ID: <14018.1405360899@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/QyxpJ_4SQU5L04J51YTxtyBjTb4
Cc: "ace@ietf.org" <ace@ietf.org>

Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
    > in one of my previous mails I said that the requirements rule out an
    > EAP/AAA solution, and this impression was based on reading the following
    > requirement from http://tools.ietf.org/html/draft-seitz-ace-usecases-01

    > "
    > o  U5.2 The meters must be able to perform fine-grained access
    > control on the metering data and on the configuration while being
    > offline.
    > "

    > I was wondering how strong the requirement for not having a real-time
    > interaction between the resource server and the AS is.

I think it is important to have the tokens able to be validated offline
within some deployment-specific time interval.  For some deployments "99
years" is exactly what is desired; for other deployments having to be online
is what is desired.

The missing piece is enrollment of devices (must be online), and associated
with that is the initial exchange of authorization tokens.

My view is that "enrollment" is really about establishment of the "superuser"
authorization token in the AS. In Kerberos terms, it's the Ticket Granting
Ticket.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
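As an added illustration of the point above about tokens being validatable offline within a deployment-specific interval (example code written for this page, not code from the thread or from any ACE draft): the AS mints a token carrying a validity window, and the RS checks it using only a key it already shares with the AS (an assumption of this example) and its local clock, under a deployment policy that caps the accepted offline lifetime, where a cap of 0 expresses the "must be online" deployment.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(as_key: bytes, audience: str, scope: str, issued_at: int, lifetime: int) -> str:
    """AS side: mint a self-contained token (claims + HMAC tag) with an explicit
    validity window, so the RS can verify it later without contacting the AS."""
    claims = {"aud": audience, "scope": scope, "iat": issued_at, "exp": issued_at + lifetime}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(as_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def validate_offline(rs_key: bytes, token: str, audience: str, now: int, max_offline_lifetime: int):
    """RS side: verify with the locally held key and the local clock only.
    max_offline_lifetime is the deployment-specific interval from the discussion:
    a very large value approximates '99 years', 0 means the RS must be online.
    Returns (claims, 'ok') on success or (None, reason) on rejection."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(rs_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return None, "bad signature"
    claims = json.loads(body)
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if max_offline_lifetime == 0:
        return None, "policy requires online introspection"
    if claims["exp"] - claims["iat"] > max_offline_lifetime:
        return None, "lifetime exceeds offline policy"
    if not (claims["iat"] <= now < claims["exp"]):
        return None, "expired or not yet valid"
    return claims, "ok"


# Constructed sample: key and timestamps are made up for this example.
SAMPLE_KEY = b"constructed-shared-key-for-example"
SAMPLE_TOKEN = issue_token(SAMPLE_KEY, "meter-42", "read:metering", 1405360899, 3600)
```

The two policy checks are what separate the "99 years" deployment from the "must be online" one: the same token is accepted or refused purely by the RS-side cap, with no round trip to the AS.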