Re: [Ace] Questions for the IETF#90 Meeting

Paul Lambert <paul@nymbus.net> Wed, 09 July 2014 08:29 UTC

From: Paul Lambert <paul@nymbus.net>
In-Reply-To: <53BCF608.5010606@gmx.net>
Date: Wed, 09 Jul 2014 01:29:09 -0700
Message-Id: <D7E5703D-792F-447E-9B23-0F676861902F@nymbus.net>
References: <53BCF608.5010606@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/alkjIMmujt0ijPqGmR5EyxeONjo
Cc: "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Questions for the IETF#90 Meeting

On Jul 9, 2014, at 12:58 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> To me there appear to be four questions for the group:
> 
> 1) Are there requirements/use cases that allow anything other than the
> OAuth/Kerberos design pattern?
Allow?  Any square peg (Kerberos) could be allowed to fill a round hole
with a large enough hammer.

I have requirements for P2P consumer connections that will not
initially have any Internet connectivity.  Direct enrollment and
management of headless consumer devices is important and,
especially during bootstrapping out of the box, does not
fit well into OAuth/Kerberos.

> 
> Partially the answer should come from the use case document.
> 
> 2) Should the design re-use existing work or should the design start
> from scratch?
Scratch.

> 
> This is more a question of taste / preference but will obviously have a
> huge impact on the subsequent work in the group.
> 
> 3) Should the design be based on symmetric or asymmetric crypto?
>  (or both?)
Both of course, and hash algorithms.
Asymmetric crypto should be used for key establishment and identity.
Algorithms should be lumped together as a Cipher Suite that defines
a set of algorithms for key establishment/authentication, encryption, hashing, etc.


> 
> We have various documents that talk about this issue, for example
> draft-seitz-ace-design-considerations-00 and
> draft-seitz-ace-problem-description-01
> 
> 4) How to address cross-domain support in the initial protocol design?
> Is it a feature that can be added later easily?
> 
> draft-gerdes-ace-actors-01 talks about this aspect.
from this ...
"According to the Internet Security Glossary [RFC4949], authentication
   is "the process of verifying a claim that a system entity or system
   resource has a certain attribute value."  Examples for attribute
   values are the ID of a device, the type of the device or the name of
   its owner.  Authentication attributes might be (but not necessarily
   are) suitable to uniquely identify an individual entity."

The hash of the public key is an attribute that can be directly
authenticated by the key holder and is unique. The hash
process should include the encoding of the Cipher Suite
values to bind the algorithms to the instance of a key.
Other attribute bindings can be built on these unique 'ids'.

Paul

> 
> If we could get an answer to these questions during the meeting that
> would be good step forward.
> 
> Ciao
> Hannes
> 
> PS: One question that has been answered by all document in the same way
> at the moment is about the use of DTLS. Currently, everyone seems to be
> focused on using DTLS everywhere. There would be alternative approaches
> as well.
> 
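The key-identifier construction Paul describes above (a hash over the Cipher Suite encoding and the public key, so the algorithms are bound to that instance of the key), worked through as an added Python example. This is not code from the thread or from any ACE draft; the `CipherSuite` fields, their numeric code points, the hash-algorithm table and the sample key bytes are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    """Hypothetical cipher-suite descriptor (field names and code points are
    assumptions for this example, not values from any RFC or draft)."""
    key_establishment: int  # e.g. which ECDH group
    signature: int          # e.g. which signature scheme
    encryption: int         # e.g. which AEAD
    hash_alg: int           # which hash produces the key id (see HASH_NAMES)

    def encode(self) -> bytes:
        # Fixed-width big-endian fields: every suite has exactly one encoding,
        # so two parties never hash different byte strings for the same suite.
        return struct.pack(">HHHH", self.key_establishment, self.signature,
                           self.encryption, self.hash_alg)


# Assumed code points for the hash field.
HASH_NAMES = {1: "sha256", 2: "sha512"}


def _length_prefixed(data: bytes) -> bytes:
    # Length-prefix each input so suite||key cannot be re-split into a
    # different (suite, key) pair that hashes to the same id.
    return struct.pack(">I", len(data)) + data


def key_id(suite: CipherSuite, public_key: bytes) -> bytes:
    """Identifier for one instance of a key: hash(suite encoding || public key)."""
    h = hashlib.new(HASH_NAMES[suite.hash_alg])
    h.update(_length_prefixed(suite.encode()))
    h.update(_length_prefixed(public_key))
    return h.digest()


def verify_key_id(expected: bytes, suite: CipherSuite, public_key: bytes) -> bool:
    """Check a presented (suite, public key) pair against a previously learned id.

    The holder later proves possession by signing under suite.signature;
    that step needs a real crypto library and is outside this example."""
    return hmac.compare_digest(expected, key_id(suite, public_key))


# Constructed sample values (not real keys): a 32-byte stand-in public key.
SAMPLE_PUBLIC_KEY = bytes(range(32))
SUITE_A = CipherSuite(key_establishment=1, signature=1, encryption=1, hash_alg=1)
SUITE_B = CipherSuite(key_establishment=2, signature=1, encryption=1, hash_alg=1)
SUITE_C = CipherSuite(key_establishment=1, signature=1, encryption=1, hash_alg=2)


def demo() -> dict:
    """Show that the id is bound to the suite, not only to the key bytes."""
    id_a = key_id(SUITE_A, SAMPLE_PUBLIC_KEY)
    id_b = key_id(SUITE_B, SAMPLE_PUBLIC_KEY)
    tampered = bytes([SAMPLE_PUBLIC_KEY[0] ^ 1]) + SAMPLE_PUBLIC_KEY[1:]
    return {
        "same_key_different_suite_differs": id_a != id_b,
        "genuine_pair_verifies": verify_key_id(id_a, SUITE_A, SAMPLE_PUBLIC_KEY),
        "wrong_suite_rejected": not verify_key_id(id_a, SUITE_B, SAMPLE_PUBLIC_KEY),
        "tampered_key_rejected": not verify_key_id(id_a, SUITE_A, tampered),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
    print("key id (suite A):", key_id(SUITE_A, SAMPLE_PUBLIC_KEY).hex())
```

The two details worth keeping from this sketch are the fixed-width suite encoding and the length prefixes: without them, two peers can agree on the same suite and key yet compute different identifiers, or an attacker can shift bytes between the "suite" and "key" parts of the hashed string without changing the digest. The identifier only names the key; proving possession of it still requires a signature under the suite's signature algorithm.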