Re: [Ace] Questions for the IETF#90 Meeting
Ludwig Seitz <ludwig@sics.se> Mon, 14 July 2014 09:42 UTC
Return-Path: <ludwig@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF031A0387 for <ace@ietfa.amsl.com>; Mon, 14 Jul 2014 02:42:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level:
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UXbiWxQetIrM for <ace@ietfa.amsl.com>; Mon, 14 Jul 2014 02:42:19 -0700 (PDT)
Received: from outbox.sics.se (outbox.sics.se [193.10.64.137]) by ietfa.amsl.com (Postfix) with ESMTP id 6E1871A0384 for <ace@ietf.org>; Mon, 14 Jul 2014 02:42:18 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [192.36.171.201]) by outbox.sics.se (Postfix) with ESMTPS id B65E711BA for <ace@ietf.org>; Mon, 14 Jul 2014 11:42:17 +0200 (CEST)
Received: from letter.sics.se (letter.sics.se [193.10.64.6]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id s6E9gH1R013709 for <ace@ietf.org>; Mon, 14 Jul 2014 11:42:17 +0200
Received: from [192.168.0.108] (unknown [85.235.11.178]) (Authenticated sender: ludwig@sics.se) by letter.sics.se (Postfix) with ESMTPSA id 8638A40116 for <ace@ietf.org>; Mon, 14 Jul 2014 11:42:17 +0200 (CEST)
Message-ID: <53C3A5F9.9010603@sics.se>
Date: Mon, 14 Jul 2014 11:42:17 +0200
From: Ludwig Seitz <ludwig@sics.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ace@ietf.org
References: <53BCF608.5010606@gmx.net> <D7E5703D-792F-447E-9B23-0F676861902F@nymbus.net> <53BD0518.8060609@gmx.net> <1EFD8C56-BB56-4395-8DFB-B015606381F9@nymbus.net> <53BE4458.2090200@gmx.net> <BDA7B83A-C4D0-4AE5-8F78-C37A2B3A8C99@nymbus.net>
In-Reply-To: <BDA7B83A-C4D0-4AE5-8F78-C37A2B3A8C99@nymbus.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080203040304000505060801"
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sics-se:default, sics-se:default, base:default, @@RPTN)
X-p0f-Info: os=Solaris 10, link=Ethernet or modem
X-CanIt-Geo: ip=85.235.11.178; country=SE; region=Skåne; city=Lund; latitude=55.7000; longitude=13.1833; http://maps.google.com/maps?q=55.7000,13.1833&z=6
X-CanItPRO-Stream: outbound-sics-se:outbound (inherits from outbound-sics-se:default, sics-se:default, base:default)
X-Canit-Stats-ID: 09Mq9GhI9 - a4d8019d45f7 - 20140714
X-Antispam-Training-Forget: https://canit.sunet.se/canit/b.php?i=09Mq9GhI9&m=a4d8019d45f7&t=20140714&c=f
X-Antispam-Training-Nonspam: https://canit.sunet.se/canit/b.php?i=09Mq9GhI9&m=a4d8019d45f7&t=20140714&c=n
X-Antispam-Training-Spam: https://canit.sunet.se/canit/b.php?i=09Mq9GhI9&m=a4d8019d45f7&t=20140714&c=s
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/gbaGERhmj6N2BITFTqisJpwHVXE
Subject: Re: [Ace] Questions for the IETF#90 Meeting
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jul 2014 09:42:23 -0000
On 07/11/2014 12:56 AM, Paul Lambert wrote: > > Hannes, > >> On 07/09/2014 11:52 PM, Paul Lambert wrote: >>> Wireless (e.g. Wi-Fi ) based direct connections from one device to another. >>> - between two smart phones >>> - smart phone to headless device (e.g. hot water heater) >>> Typically no Internet connection guaranteed to be available. >> >> As currently described in the use cases an initial interaction between >> the client and the authorization server would be needed to get the >> protocol interaction working. > Thank you for the clarification … that makes sense now rereading. > > I do have fundamental problems with the overall server centric > framework, for example: > > " U4.3. Devices can access resources on other devices only if a > rule exists in the authorization server (default deny)." > and > "U4.5. Devices may cache authorization rules locally.” > > I do not see why a server is required. The authorization/policy information > required to make the decision might better be modeled as as > a functional element in the RS. The authorization information > should be available locally to the RS, but could reach out to > one or more servers in some implementions ions. > Citing from draft-seitz-ace-problem-description-01: Finally we also assume that in a significant number of cases, the server and/or the client are too constrained to handle the authorization policies and related configuration on their own. Many authorization solutions involve a centralized, trusted third party, supporting the client and/or resource server. A trusted third party provides a more scalable way to centrally manage authorization policies, in order to ensure consistent authorization decisions. The physical separation of policy decision and policy enforcement is an established principle in policy based management, e.g. [RFC2748]. To be a bit more specific: * In many cases evaluating authorization policies (not simple ACLs) will require network lookups (e.g. checking client attributes in an identity provider database). This kind of processing is too expensive for constrained devices in terms of delay time and, for battery powered devices, energy consumption. * You typically want to manage authorization policies centrally in order to keep a consistent picture of their current state. * You also typically want to centralize authorization decisions in order to generate complete audit logs. * If authorization policies change frequently you want to avoid having to provision each of these updates to all the affected resource servers. Note the separation of policy decisions and policy enforcement here. The Authorization Server is expected to do decisions, while the RS does enforcement. I hope that clarifies things a bit. /Ludwig -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park Building Beta 2 Scheelevägen 17 SE-223 70 Lund Phone +46(0)70-349 92 51 http://www.sics.se
- [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Ralph Droms
- Re: [Ace] Questions for the IETF#90 Meeting Michael Richardson
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Carsten Bormann
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Göran Selander
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Paul Lambert
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Hannes Tschofenig
- Re: [Ace] Questions for the IETF#90 Meeting Ludwig Seitz
- Re: [Ace] Questions for the IETF#90 Meeting Robert Cragie
- Re: [Ace] Questions for the IETF#90 Meeting Ludwig Seitz
- Re: [Ace] Questions for the IETF#90 Meeting Robert Cragie
- Re: [Ace] Questions for the IETF#90 Meeting Michael Richardson