IETF Logo Mail Archive

Re: [Ace] Questions for the IETF#90 Meeting

Paul Lambert <paul@nymbus.net> Wed, 09 July 2014 21:59 UTC

Return-Path: <paul@nymbus.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C421A0080 for <ace@ietfa.amsl.com>; Wed, 9 Jul 2014 14:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hzp6KGbbL_Yr for <ace@ietfa.amsl.com>; Wed, 9 Jul 2014 14:59:07 -0700 (PDT)
Received: from mail-pa0-f41.google.com (mail-pa0-f41.google.com [209.85.220.41]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A631A007B for <ace@ietf.org>; Wed, 9 Jul 2014 14:59:07 -0700 (PDT)
Received: by mail-pa0-f41.google.com with SMTP id fb1so9971354pad.0 for <ace@ietf.org>; Wed, 09 Jul 2014 14:59:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=Er8u192zLCNV9NzK6yidVwv8Iu9r22QR+cpOYW1vcA0=; b=DXV0gw9qQz89EzE+LqRhgFKXCQczU8vnr/n5yXR10fmwepAzS4sg3KKUF+nKH3+hor jidlXoFjK3yXn+6WV78q3PSdmSJ3CsEa3DVkd+nR4MJwcldEJNLVJ+gD2v3N6mmFarFT ZxS6wEl02L13sZ6jX/UqoYTu709DijOBHKmBiOFmrLZVk0tGy9lwbAnECSiYKMyY0htV H7u9U2Cd7wfeW5p2IKjSYopOQ4ak/8HptW3R9RTEhse8pZP+ELdq3E71lRoC/zZJMLIL ySHRafJO1hMWzrDWPP1Pojer9MfGvGWi2eRWBeZ+Mb2Yh+IQf9Mm9qNGb/NqoeWO8QfL m7Pg==
X-Gm-Message-State: ALoCoQmURqZeXJnG9DxGa3xF3SYnfWLjESAPIqLPAuo5lpyRLI4+q/DKsIupmCAn46QCNq0D9DW8
X-Received: by 10.66.150.228 with SMTP id ul4mr43765533pab.16.1404943147303; Wed, 09 Jul 2014 14:59:07 -0700 (PDT)
Received: from [10.72.8.209] (proxy6-global253.qualcomm.com. [199.106.103.253]) by mx.google.com with ESMTPSA id vn5sm52750594pbc.18.2014.07.09.14.59.06 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 09 Jul 2014 14:59:06 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Paul Lambert <paul@nymbus.net>
In-Reply-To: <C7A72F49-192D-4476-95A4-D4870F2D84B9@gmail.com>
Date: Wed, 09 Jul 2014 14:59:04 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <C4D525AA-045E-4646-833F-FC87D5CDEBD7@nymbus.net>
References: <53BCF608.5010606@gmx.net> <D7E5703D-792F-447E-9B23-0F676861902F@nymbus.net> <C7A72F49-192D-4476-95A4-D4870F2D84B9@gmail.com>
To: Ralph Droms <rdroms.ietf@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/QzuuZOK-Pmy51-mk0M9iRBHQGlY
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Questions for the IETF#90 Meeting
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 21:59:10 -0000

On Jul 9, 2014, at 4:22 AM, Ralph Droms <rdroms.ietf@gmail.com> wrote:

> 
> 
>> On Jul 9, 2014, at 4:29 AM, Paul Lambert <paul@nymbus.net> wrote:
>> 
>> 
>>> On Jul 9, 2014, at 12:58 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> 
>>> To me there appear to be four questions for the group:
>>> 
>>> 1) Are there requirements/use cases that allow anything other than the
>>> OAuth/Kerberos design pattern?
>> Allow?  Any square peg (Kerberos) could be allowed to fill a round hole
>> with a large enough hammer.
>> 
>> I have requirements for P2P consumer connections that will not
>> initially have any Internet connectivity.  Direct enrollment and
>> management of headless consumer devices is important
>> and especially during bootstrapping from out-of-box does not
>> fit well into OAuth/Kerberos
>> 
>>> 
>>> Partially the answer should come from the use case document.
>>> 
>>> 2) Should the design re-use existing work or should the design start
>>> from scratch?
>> Scratch.
>> 
>>> 
>>> This is more a question of taste / preference but will obviously have a
>>> huge impact on the subsequent work in the group.
> 
> I disagree with the characterization as "taste/preference".  In my opinion, there needs to be strong evidence for the need for a design from scratch and an implicit bias toward reusing existing technologies.

Interesting that there is a perception that new work is harder.  At some point we overload our existing protocols too far and they become cumbersome (e.g. X.509)  Other industries innovate now faster than the IETF.   We have much more rapid changes in PHY and MAC communications.   If other groups were so biased we’d all still be using RS-232


> Use cases like the one outlined above should be reviewed to see if they constitute evidence in support of a design from scratch.

Or … be open to compare proposals rather than assuming DTLS, OAuth or Kerberos are the ultimate solutions.

Paul

> 
> - Ralph
> 
> 
>>> 
>>> 3) Should the design be based on symmetric or asymmetric crypto?
>>> (or both?)
>> Both of course, and hash algorithms.  
>> Asymmetric crypto should be used for key establishment and identity.
>> Algorithms should be lumped together as a Cipher Suite that defines
>> a set of algorithms for key established/authentication, encryption, hashing, etc.
>> 
>> 
>>> 
>>> We have various documents that talk about this issue, for example
>>> draft-seitz-ace-design-considerations-00 and
>>> draft-seitz-ace-problem-description-01
>>> 
>>> 4) How to address cross-domain support in the initial protocol design?
>>> Is it a feature that can be added later easily?
>>> 
>>> draft-gerdes-ace-actors-01 talks about this aspect.
>> from this ...
>> "   According to the Internet Security Glossary [RFC4949], authentication
>>  is "the process of verifying a claim that a system entity or system
>>  resource has a certain attribute value."  Examples for attribute
>>  values are the ID of a device, the type of the device or the name of
>>  its owner.  Authentication attributes might be (but not necessarily
>>  are) suitable to uniquely identify an individual entity.”
>> 
>> The hash of the public key is a attribute that can be directly
>> authenticated by the key holder and is unique. The hash
>> process should include the encoding of the Cipher Suite
>> values to bind the algorithms to the instance of a key.
>> Other attribute bindings can be built on these unique ‘ids'
>> 
>> Paul
>> 
>>> 
>>> If we could get an answer to these questions during the meeting that
>>> would be good step forward.
>>> 
>>> Ciao
>>> Hannes
>>> 
>>> PS: One question that has been answered by all document in the same way
>>> at the moment is about the use of DTLS. Currently, everyone seems to be
>>> focused on using DTLS everywhere. There would be alternative approaches
>>> as well.
>>> 
>>> _______________________________________________
>>> Ace mailing list
>>> Ace@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ace
>> 
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email