Re: [Ace] Offline operation of Resource Server

"Kumar, Sandeep" <sandeep.kumar@philips.com> Tue, 15 July 2014 07:31 UTC

From: "Kumar, Sandeep" <sandeep.kumar@philips.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [Ace] Offline operation of Resource Server
Thread-Index: AQHPn1fMzpjOsxbdr0GgVTQturd/Npuf3KKAgAAOToCAABYwAIAAvVbQ
Date: Tue, 15 Jul 2014 07:31:38 +0000
Message-ID: <BE6D13F6A4554947952B39008B0DC0153E7D4743@DBXPRD9003MB059.MGDPHG.emi.philips.com>
References: <53C3C09A.5090707@gmx.net> <14018.1405360899@sandelman.ca> <53C42703.4060806@gmx.net> <8236.1405368736@sandelman.ca>
In-Reply-To: <8236.1405368736@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/iyeJP5JW4zXbSPhbCK6az6lmUbM
Cc: "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Offline operation of Resource Server
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Snip
> (This is why part of network join needs to be in scope for ACE)

+1
This certainly has to be considered to create a complete solution that takes the whole lifecycle of the IoT device into account.

regards
Sandeep


> -----Original Message-----
> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Michael Richardson
> Sent: Monday, July 14, 2014 10:12 PM
> To: Hannes Tschofenig
> Cc: ace@ietf.org
> Subject: Re: [Ace] Offline operation of Resource Server
>
>
> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>     > To re-use the Kerberos language, the client gets the TGT. The real-time
>     > interaction I was talking about relates to the interaction between the
>     > resource server and the authorization server.
>
> During enrollment, the Authorization Server gets a TGT on the *resource*
> server.
> Given that, it can now issue new tickets to clients that come along that wish
> to access the resource.  The client, during enrollment, asks the (possibly
> federated list of) authorization servers for a resource ticket.
> (This is why part of network join needs to be in scope for ACE)
>
> All of the above has to occur online.
>
> Once the client has the resource ticket, the resource server can validate it
> offline.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>

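The flow quoted above, worked through as an added example that is not part of this thread or of any ACE draft: the authorization server and resource server share a key during enrollment (online), the client obtains a resource ticket from the authorization server (online), and the resource server then checks the ticket with nothing but that enrollment key and its own clock (offline). The HMAC-based ticket format, the derived proof-of-possession session key, the replay cache and all names (AuthorizationServer, ResourceServer, "thermostat-1", "phone-app") are my assumptions for illustration, not a standardised format.

```python
"""Kerberos-style resource tickets validated offline by the resource server.

Added example, not from the ACE thread. Ticket layout, key derivation and
names are assumptions made for illustration only.
"""
import hashlib
import hmac
import json
import os
import time


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class AuthorizationServer:
    """Must be online for enrollment and for issuing tickets."""

    def __init__(self):
        self._rs_keys = {}  # resource server name -> key shared at enrollment

    def enroll_resource_server(self, rs_name: str) -> bytes:
        # Online step 1: AS and RS end up sharing a long-term key.
        key = os.urandom(32)
        self._rs_keys[rs_name] = key
        return key

    def issue_ticket(self, client: str, rs_name: str, scope: str,
                     now: float, lifetime: int = 300):
        # Online step 2: a client asks the AS for a ticket for a resource.
        rs_key = self._rs_keys[rs_name]
        tid = os.urandom(8).hex()
        claims = {"tid": tid, "sub": client, "aud": rs_name, "scope": scope,
                  "nbf": int(now), "exp": int(now) + lifetime}
        body = json.dumps(claims, sort_keys=True).encode()
        ticket = {"body": body, "mac": _mac(rs_key, body)}
        # Session key handed to the client for proof of possession. The RS can
        # re-derive it from its enrollment key, so the AS sends the RS nothing.
        session_key = _mac(rs_key, b"session|" + tid.encode())
        return ticket, session_key


class ResourceServer:
    """Validates tickets without contacting the AS after enrollment."""

    def __init__(self, name: str):
        self.name = name
        self._as_key = None
        self._seen = set()  # (tid, nonce) authenticators already accepted

    def enroll(self, authz: AuthorizationServer):
        self._as_key = authz.enroll_resource_server(self.name)  # online, once

    def validate(self, ticket, proof, now: float):
        # Everything below uses only the enrollment key and the local clock.
        expected = _mac(self._as_key, ticket["body"])
        if not hmac.compare_digest(expected, ticket["mac"]):
            return False, "ticket MAC invalid"
        claims = json.loads(ticket["body"])
        if claims["aud"] != self.name:
            return False, "ticket is for a different resource server"
        if not claims["nbf"] <= now < claims["exp"]:
            return False, "ticket outside validity window"
        session_key = _mac(self._as_key, b"session|" + claims["tid"].encode())
        expected_proof = _mac(session_key, proof["nonce"] + ticket["body"])
        if not hmac.compare_digest(expected_proof, proof["mac"]):
            return False, "proof of possession failed"
        auth_id = (claims["tid"], proof["nonce"])
        if auth_id in self._seen:
            return False, "replayed authenticator"
        self._seen.add(auth_id)
        return True, claims["scope"]


def client_proof(session_key: bytes, ticket):
    """Client side: bind a fresh nonce to the ticket with the session key."""
    nonce = os.urandom(16)
    return {"nonce": nonce, "mac": _mac(session_key, nonce + ticket["body"])}


def demo():
    """Run the flow plus three failure cases; returns (ok, reason) per check."""
    authz = AuthorizationServer()
    rs = ResourceServer("thermostat-1")
    rs.enroll(authz)  # online
    t0 = time.time()
    ticket, sk = authz.issue_ticket("phone-app", "thermostat-1",
                                    "setpoint:write", t0)  # online
    results = [rs.validate(ticket, client_proof(sk, ticket), now=t0 + 10)]
    replayed = client_proof(sk, ticket)
    rs.validate(ticket, replayed, now=t0 + 20)            # first use: accepted
    results.append(rs.validate(ticket, replayed, now=t0 + 21))  # second use
    results.append(rs.validate(ticket, client_proof(sk, ticket), now=t0 + 1000))
    tampered = {"body": ticket["body"].replace(b"setpoint:write", b"setpoint:admin"),
                "mac": ticket["mac"]}
    results.append(rs.validate(tampered, client_proof(sk, tampered), now=t0 + 10))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The expiry check is the one place the offline resource server still depends on something external: a clock it trusts. Without one, the only lever left is the replay cache, which bounds reuse of one authenticator but not the lifetime of the ticket itself.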
