Re: [Ace] Offline operation of Resource Server

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 14 July 2014 20:12 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <53C42703.4060806@gmx.net>
References: <53C3C09A.5090707@gmx.net> <14018.1405360899@sandelman.ca> <53C42703.4060806@gmx.net>
Date: Mon, 14 Jul 2014 16:12:16 -0400
Message-ID: <8236.1405368736@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/cI5VbveuXBWk1nrP9WP2HBRJXwE
Cc: "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Offline operation of Resource Server

Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
    > To re-use the Kerberos language, the client gets the TGT. The real-time
    > interaction I was talking about relates to the interaction between the
    > resource server and the authorization server.

During enrollment, the Authorization Server gets a TGT on the *resource* server.
Given that, it can now issue new tickets to clients that come along that wish
to access the resource.  The client, during enrollment, asks the (possibly
federated list of) authorization servers for a resource ticket.
(This is why part of network join needs to be in scope for ACE)

All of the above has to occur online.

Once the client has the resource ticket, the resource server can validate it offline.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
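The flow described in the message above (the authorization server gets a credential for the resource server during online enrollment, issues resource tickets to clients online, and the resource server then validates those tickets offline) can be illustrated with a small model. The following Python is an added example and not code from the thread, from ACE, or from any Kerberos implementation; it assumes that the "TGT on the resource server" is a symmetric key shared between the authorization server and the resource server at enrollment, and that a resource ticket is a MAC-protected, time-limited, audience-bound statement. Both assumptions are mine; the mail does not fix the ticket format.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64u(data: bytes) -> str:
    """base64url without padding, used here only as the ticket wire encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


class AuthorizationServer:
    """Holds one long-term key per enrolled resource server.

    Assumption of this example: the 'TGT on the resource server' from the
    mail is modelled as a shared MAC key established during enrollment.
    """

    def __init__(self):
        self.rs_keys = {}

    def enroll(self, rs_id: str) -> bytes:
        # Online step 1: AS and RS establish a shared key during enrollment.
        key = os.urandom(32)
        self.rs_keys[rs_id] = key
        return key

    def issue_ticket(self, client_id: str, rs_id: str, scope: str,
                     now: int, lifetime: int = 300) -> str:
        # Online step 2: a client asks the AS for a ticket for one resource.
        if rs_id not in self.rs_keys:
            raise KeyError(f"resource server {rs_id!r} is not enrolled")
        body = {"cid": client_id, "aud": rs_id, "scope": scope,
                "iat": now, "exp": now + lifetime}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.rs_keys[rs_id], payload, hashlib.sha256).digest()
        return _b64u(payload) + "." + _b64u(tag)


class ResourceServer:
    """Validates tickets offline: it needs only its own key and a clock."""

    def __init__(self, rs_id: str, key: bytes):
        self.rs_id = rs_id
        self.key = key

    def validate_ticket(self, ticket: str, now: int):
        """Return the ticket body if it is valid for this RS at `now`, else None."""
        try:
            p64, t64 = ticket.split(".")
            payload = _b64u_decode(p64)
            tag = _b64u_decode(t64)
        except (ValueError, TypeError):
            return None  # malformed ticket
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be recovered via timing.
        if not hmac.compare_digest(tag, expected):
            return None
        try:
            body = json.loads(payload)
        except ValueError:
            return None
        # Audience check: a ticket minted for a different RS is rejected here
        # even if it happened to verify under this key.
        if body.get("aud") != self.rs_id:
            return None
        # Freshness: offline validation still needs a clock to enforce
        # not-before and expiry; without one, a stolen ticket lives forever.
        if not (body.get("iat", 0) <= now < body.get("exp", 0)):
            return None
        return body


def demo():
    """Run the three steps end to end with constructed identifiers."""
    auth = AuthorizationServer()
    key = auth.enroll("rs-thermostat")          # online, at enrollment
    rs = ResourceServer("rs-thermostat", key)
    now = int(time.time())
    ticket = auth.issue_ticket("client-42", "rs-thermostat", "read", now)  # online
    return rs.validate_ticket(ticket, now)      # offline: no call to the AS


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one in the message: the two online steps (enrollment and ticket issuance) put everything the resource server needs into the ticket and its own key, so `validate_ticket` never contacts the authorization server. The price of that is visible in the same function: the resource server must have a trustworthy clock, and it must check the audience field, because a ticket is only meaningful for the server whose key was used.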