Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

Michael StJohns <mstjohns@comcast.net> Thu, 21 July 2016 12:50 UTC

To: ace@ietf.org
References: <578F4D59.8050005@gmx.net> <5E393DF26B791A428E5F003BB6C5342AB3716D64@OC11EXPO33.exchange.mit.edu> <23666.1469091857@obiwan.sandelman.ca> <95b0103c-ba2d-6cd8-6241-228df46e530b@sics.se>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <8ca27108-a8b9-7b07-e752-656247716708@comcast.net>
Date: Thu, 21 Jul 2016 08:49:00 -0400
In-Reply-To: <95b0103c-ba2d-6cd8-6241-228df46e530b@sics.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/sxCPh3hRHsK_NO0iSrsNeCuQY9s>
Subject: Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

On 7/21/2016 5:29 AM, Ludwig Seitz wrote:
> On 2016-07-21 11:04, Michael Richardson wrote:
>>
>> Why will ACE succeed when DICE failed?
>> Does ACE now have some knowledge or mechanism that DICE couldn't have
>> created because it was out of scope?
>>
>
> ACE is (also) about authorization, which DICE wasn't. A compromised
> lightbulb might well have the possibility to talk to a door lock
> (using its group key), but it would lack the authorization to do
> anything with the lock.
>
> IMHO that's what ACE adds that DICE didn't have (and wasn't chartered
> to have).

Hi Ludwig -

Sorry - you are incorrect.

The group key is also the authorization key in the model proposed. Any 
entity that holds that key can forge a message that can cause the action 
authorized by the issuance of that key. In your example, assuming that 
the door lock and the lightbulb share the same group key, then 
compromising the lightbulb allows you to control the door lock.

In general, authentication comes with the key that you have -
authorization is then tied to that key. In DTLS (as in TLS), your
session key is also your authorization key once your TLS session is tied
to a particular identity (e.g. via an HTTP login, via a client cert
exchange, via OAuth).

So - cosmetic differences only.

Mike

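The lightbulb/door-lock argument above, as an added example that is not part of the original thread or of any ACE or DICE draft. It uses only the Python standard library and a hypothetical "door lock" that accepts an "unlock" command if the command carries a valid HMAC-SHA256 tag and the claimed sender is on its policy list. With one symmetric group key shared by lightbulb, admin panel and lock, a compromised lightbulb can put "admin_panel" in the sender field and the lock has no way to tell. The second handler goes one step beyond the thread to show what does tie authorization to a key: when the lock holds a separate key per sender and looks the key up by the claimed sender, the same forgery fails because the attacker never held the admin panel's key. Sender names, keys and message layout are all constructed for the demo.

```python
"""Constructed demo: a symmetric group key cannot carry per-member
authorization. Names, keys and wire format are invented for this example."""
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def tag(key: bytes, body: bytes) -> bytes:
    """Authentication tag over the serialized command body."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_command(key: bytes, claimed_sender: str, action: str) -> bytes:
    """Serialize a command and append its tag. The 'from' field is only a
    claim; nothing binds it to the key unless the key itself is per-sender."""
    body = json.dumps({"from": claimed_sender, "action": action},
                      sort_keys=True).encode()
    return body + tag(key, body)


class DoorLock:
    """Hypothetical lock. 'policy' is the set of senders allowed to unlock."""

    def __init__(self, policy: set[str]):
        self.policy = policy

    @staticmethod
    def _split(wire: bytes):
        return wire[:-TAG_LEN], wire[-TAG_LEN:]

    def handle_group_key(self, group_key: bytes, wire: bytes) -> str:
        """Verify with the shared group key, then 'authorize' on the claimed
        sender. Anyone holding group_key can make any claim pass."""
        body, t = self._split(wire)
        if not hmac.compare_digest(t, tag(group_key, body)):
            return "reject: bad tag"
        msg = json.loads(body)
        if msg["from"] not in self.policy:
            return "reject: sender not authorized"
        return "unlocked"

    def handle_per_sender_key(self, sender_keys: dict, wire: bytes) -> str:
        """Look up the key by the claimed sender. A tag that verifies under
        that key proves possession of that sender's key, which is what the
        policy is really about."""
        body, t = self._split(wire)
        msg = json.loads(body)
        key = sender_keys.get(msg["from"])
        if key is None or not hmac.compare_digest(t, tag(key, body)):
            return "reject: bad tag"
        if msg["from"] not in self.policy:
            return "reject: sender not authorized"
        return "unlocked"


def run_demo() -> dict:
    """Run both models against the same attacker and return the outcomes."""
    lock = DoorLock(policy={"admin_panel"})

    # Model 1: one group key held by lightbulb, admin_panel and lock alike.
    group_key = os.urandom(32)
    # Attacker who compromised the lightbulb now holds group_key and
    # simply claims to be the admin panel.
    forged_as_admin = build_command(group_key, "admin_panel", "unlock")
    honest_bulb = build_command(group_key, "lightbulb", "unlock")

    # Model 2: a distinct key per sender, each shared only with the lock.
    sender_keys = {"admin_panel": os.urandom(32), "lightbulb": os.urandom(32)}
    # The attacker holds only the lightbulb's key.
    forged_with_bulb_key = build_command(sender_keys["lightbulb"],
                                         "admin_panel", "unlock")
    legit_admin = build_command(sender_keys["admin_panel"],
                                "admin_panel", "unlock")
    bulb_own_name = build_command(sender_keys["lightbulb"],
                                  "lightbulb", "unlock")

    return {
        "group_forged_as_admin": lock.handle_group_key(group_key, forged_as_admin),
        "group_honest_bulb": lock.handle_group_key(group_key, honest_bulb),
        "per_sender_forged_as_admin": lock.handle_per_sender_key(sender_keys, forged_with_bulb_key),
        "per_sender_legit_admin": lock.handle_per_sender_key(sender_keys, legit_admin),
        "per_sender_bulb_own_name": lock.handle_per_sender_key(sender_keys, bulb_own_name),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The first result is the one the thread is about: under the group-key model the forged "admin_panel" command is accepted, so the policy check adds nothing that the key alone did not already grant. Under the per-sender model the same forgery is rejected at the tag check, the honest admin panel still gets through, and the lightbulb sending under its own name is refused by policy. Whether the per-sender key is a pairwise symmetric key (as here) or a signing key makes no difference to the argument; what matters is that the key the lock verifies with is the one the policy names.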