Re: [Ace] Offline operation of Resource Server
Likepeng <likepeng@huawei.com> Tue, 15 July 2014 08:26 UTC
Return-Path: <likepeng@huawei.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6341A033D for <ace@ietfa.amsl.com>; Tue, 15 Jul 2014 01:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.852
X-Spam-Level:
X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 925Kg_rdTC8Q for <ace@ietfa.amsl.com>; Tue, 15 Jul 2014 01:26:01 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 674B51A0343 for <ace@ietf.org>; Tue, 15 Jul 2014 01:26:01 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml402-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BKB10513; Tue, 15 Jul 2014 08:25:59 +0000 (GMT)
Received: from SZXEMA402-HUB.china.huawei.com (10.82.72.34) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 15 Jul 2014 09:25:57 +0100
Received: from SZXEMA501-MBS.china.huawei.com ([169.254.2.128]) by SZXEMA402-HUB.china.huawei.com ([10.82.72.34]) with mapi id 14.03.0158.001; Tue, 15 Jul 2014 16:25:53 +0800
From: Likepeng <likepeng@huawei.com>
To: Ludwig Seitz <ludwig@sics.se>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Offline operation of Resource Server
Thread-Index: AQHPn1g5Xr89HU0KBEmeRqSDLOFEKJufVoWAgAAOToCAABYwAIAAoMsAgACutlA=
Date: Tue, 15 Jul 2014 08:25:52 +0000
Message-ID: <34966E97BE8AD64EAE9D3D6E4DEE36F2581780BF@SZXEMA501-MBS.china.huawei.com>
References: <53C3C09A.5090707@gmx.net> <14018.1405360899@sandelman.ca> <53C42703.4060806@gmx.net> <8236.1405368736@sandelman.ca> <53C4C082.3020909@sics.se>
In-Reply-To: <53C4C082.3020909@sics.se>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.167.122]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/Rpj1ilcMiRgtBBdg7zhJf6VfN7w
Subject: Re: [Ace] Offline operation of Resource Server
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jul 2014 08:26:03 -0000
Hi Ludwig, > It means exactly the kind of offline validation that Michael described above. > > 1. You need some initial enrollment of AS <-> RS (that could be online or offline > & manual such as by reading off some QR code with the RSs initial key material > and feeding that to the AS). > > 2. Then you need some online authorization decision step between C and AS. > > 3. Then (possibly later) there is some interaction between C and RS, that could > be offline. Here RS needs to be able to do offline validation of the > authorization decision from step 2. This seems to be the normal flow. If I check the draft section 4.3.4, in the normal flow, the RS also does not need to contact the AS for the online validation of the access token. http://tools.ietf.org/html/draft-selander-core-access-control-02 Do you mean Client is also offline, and can't contact with AS? In draft-seitz-ace-problem-description section 4.5, the offline requirement/assumption is: o RS may not be able to communicate with AS at the time of the request from C. But I am not clear, only RS can’t communicate with AS, or both Client and RS can’t communicate with AS? Kind Regards Kepeng > -----邮件原件----- > 发件人: Ace [mailto:ace-bounces@ietf.org] 代表 Ludwig Seitz > 发送时间: 2014年7月15日 13:48 > 收件人: ace@ietf.org > 主题: Re: [Ace] Offline operation of Resource Server > > On 07/14/2014 10:12 PM, Michael Richardson wrote: > > > > Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > > > To re-use the Kerberos language, the client gets the TGT. The > real-time > > > interaction I was talking about relates to the interaction between the > > > resource server and the authorization server. > > > > During enrollment, the Authorization Server gets a TGT on the *resource* > server. > > Given that, it can now issue new tickets to clients that come along > > that wish to access the resource. The client, during enrollment, asks > > the (possibly federated list of) authorization servers for a resource ticket. > > (This is why part of network join needs to be in scope for ACE) > > > > All of the above has to occur online. > > > > Once the client has the resource ticket, the resource server can validate it > offline. > > > > > >>Ludwig, could you please explain this offline requirement a bit more? > > It means exactly the kind of offline validation that Michael described above. > > 1. You need some initial enrollment of AS <-> RS (that could be online or offline > & manual such as by reading off some QR code with the RSs initial key material > and feeding that to the AS). > > 2. Then you need some online authorization decision step between C and AS. > > 3. Then (possibly later) there is some interaction between C and RS, that could > be offline. Here RS needs to be able to do offline validation of the > authorization decision from step 2. > > > /Ludwig > > -- > Ludwig Seitz, PhD > SICS Swedish ICT AB > Ideon Science Park > Building Beta 2 > Scheelevägen 17 > SE-223 70 Lund > > Phone +46(0)70-349 92 51 > http://www.sics.se
- [Ace] Offline operation of Resource Server Hannes Tschofenig
- Re: [Ace] Offline operation of Resource Server Josh Howlett
- Re: [Ace] Offline operation of Resource Server Hannes Tschofenig
- Re: [Ace] Offline operation of Resource Server Rafa Marin Lopez
- Re: [Ace] Offline operation of Resource Server Michael Richardson
- Re: [Ace] Offline operation of Resource Server Hannes Tschofenig
- Re: [Ace] Offline operation of Resource Server Michael Richardson
- Re: [Ace] Offline operation of Resource Server Ludwig Seitz
- Re: [Ace] Offline operation of Resource Server Göran Selander
- Re: [Ace] Offline operation of Resource Server Kumar, Sandeep
- Re: [Ace] Offline operation of Resource Server Likepeng
- Re: [Ace] Offline operation of Resource Server Ludwig Seitz
- Re: [Ace] Offline operation of Resource Server Hannes Tschofenig
- Re: [Ace] Offline operation of Resource Server Rafa Marin Lopez
- Re: [Ace] Offline operation of Resource Server Josh Howlett
- Re: [Ace] Offline operation of Resource Server Michael Richardson
- Re: [Ace] Offline operation of Resource Server Michael Richardson
- Re: [Ace] Offline operation of Resource Server Rafa Marin Lopez
- Re: [Ace] Offline operation of Resource Server Ludwig Seitz