[Ace] The ACE documents
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 08 July 2014 07:31 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA231B2A88 for <ace@ietfa.amsl.com>; Tue, 8 Jul 2014 00:31:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nq9_M1hO4fKT for <ace@ietfa.amsl.com>; Tue, 8 Jul 2014 00:31:36 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE4A41B2A89 for <ace@ietf.org>; Tue, 8 Jul 2014 00:31:35 -0700 (PDT)
Received: from [192.168.131.128] ([80.92.115.50]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0MFuC6-1WrmIF0ucY-00Exxh for <ace@ietf.org>; Tue, 08 Jul 2014 09:31:33 +0200
Message-ID: <53BB9E52.3070905@gmx.net>
Date: Tue, 08 Jul 2014 09:31:30 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "ace@ietf.org" <ace@ietf.org>
X-Enigmail-Version: 1.5.2
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="0OigPNaVPGshRQ0tKGMDxMo1vkqgEQ4th"
X-Provags-ID: V03:K0:FZINwaQzeJIng7Q2AEt4y/UEvpROB8SrcjU8GOPDyoAdeCgd1o/ 9r7B3V5wW4MgvXpHSHtwEz1ajhYAKpaIZ2ejjmM+WcFTs9PzmRhjgNR2ow7r2djhW0j/85z Anr4e+8hr4DHINuLMe0dcpRNCH/KsvCaVRYmob9rdLYhnzknr1XzAMnuDYznNvzEhriKOl4 ZFJ+eCOtppj4npQPL9GCA==
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/S6fhngZT49PcF4sGYEub28ie7Ps
Subject: [Ace] The ACE documents
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 07:31:38 -0000
I took a look at the document in the working group. Here is a my short summary. - Use Cases https://datatracker.ietf.org/doc/draft-seitz-ace-usecases/ This document describes the use cases and requirements already presented during the BOF. - Problem Description http://tools.ietf.org/html/draft-seitz-ace-problem-description-01 This document provides a good summary of the conversation at the meeting in Stockholm. It captures the essential design decisions. - Design Considerations http://tools.ietf.org/html/draft-seitz-ace-design-considerations-00 This document was written in preparation of the BOF to highlight some of the challenges with constraint devices. None of the discussed issues are surprising. - Overview of Existing Security Protocols https://datatracker.ietf.org/doc/draft-tschofenig-ace-overview/ I wrote this document in preparation for the BOF to explain the pros and cons of available protocol solutions. - Solution Documents There are two types of solutions currently submitted to the group, namely a) OAuth-based Designs draft-gerdes-ace-dcaf-authorize-00 is a re-write of the OAuth protocol to make the encoding more efficient and introduces new terminology per draft-gerdes-ace-actors-01 (which stresses the cross-domain use). draft-tschofenig-ace-oauth-bt-00 and draft-tschofenig-ace-oauth-iot-00 re-uses OAuth as much as possible. draft-schmitt-ace-twowayauth-for-iot-00 follows an OAuth-based design as well (even though many relevant message exchange parts are left out of the description) but the description puts a strong emphasis on the use of DTLS. The three solution show differences in what credentials they use. There are two types of credentials, namely long-term credentials shared between the client and the authorization server and short-term credentials established for use between the client and the resource server. * draft-gerdes-ace-dcaf-authorize-00 focuses on the establishment of a symmetric session key to be used between the client and the resource server, which is then used within DTLS. IMHO what credentials are used between the client and the AS are not further discussed but DTLS is used as well. * draft-tschofenig-ace-oauth-bt-00 and draft-tschofenig-ace-oauth-iot-00 inherits the functionality from OAuth and uses DTLS between the client the AS and may use CoAP/DTLS between the client and the RS. The established session key for use between the client and the RS is also flexible, as in OAuth, can can either be a symmetric or an asymmetric key (so-called proof-of-possession key). Also the use of a bearer token is possible. * draft-schmitt-ace-twowayauth-for-iot-00 focuses on the use of asymmetric credentials between the client and the AS as well as on the communication between the client and the RS. The use of a ticket is only hinted in Figure 4. b) EAP-based Design draft-marin-ace-wg-coap-eap-00 describes how to map EAP to the CoAP-based environment. If the requirements in draft-seitz-ace-usecases-01 are strictly interpreted then this proposal fails since it does not support offline operation of the resource server. - Out-of-Scope documents There are a few documents that are not within the scope of the group, namely https://datatracker.ietf.org/doc/draft-zhu-ace-groupauth/ https://datatracker.ietf.org/doc/draft-sarikaya-ace-cga-nd/
- [Ace] The ACE documents Hannes Tschofenig