Re: [Ace] Offline operation of Resource Server
Ludwig Seitz <ludwig@sics.se> Tue, 15 July 2014 08:30 UTC
To: Likepeng <likepeng@huawei.com>, "ace@ietf.org" <ace@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/xW85gG0xRf1i8llAKsXd8neMDNI
On 07/15/2014 10:25 AM, Likepeng wrote:
> Hi Ludwig,
>
>> It means exactly the kind of offline validation that Michael described above.
>>
>> 1. You need some initial enrollment of AS <-> RS (that could be online or offline
>> & manual, such as by reading off some QR code with the RS's initial key material
>> and feeding that to the AS).
>>
>> 2. Then you need some online authorization decision step between C and AS.
>>
>> 3. Then (possibly later) there is some interaction between C and RS, that could
>> be offline. Here RS needs to be able to do offline validation of the
>> authorization decision from step 2.
>
> This seems to be the normal flow.
>
> If I check the draft section 4.3.4, in the normal flow, the RS also does not need
> to contact the AS for the online validation of the access token.
> http://tools.ietf.org/html/draft-selander-core-access-control-02
>
> Do you mean the Client is also offline, and can't contact the AS?

I haven't really considered that, but it might be the case that in step 3 even the client is offline. Think about the example Göran gave:

> One example of offline operations is for field technicians to physically
> access radio base station sites:
> If the base station is malfunctioning, there may be no cellular coverage
> at the site, and the field technician needs to access the site to repair
> the base station (which then may become a catch 22).

-- 
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70-349 92 51
http://www.sics.se
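The three-step flow quoted above (AS/RS enrollment, an online C/AS decision, then offline C/RS validation) as an added illustration; this is example code, not the draft's token format or any ACE implementation. It assumes a symmetric key shared at enrollment and a constructed HMAC-over-JSON token; the RS also needs a trustworthy local clock for the expiry check, which is assumed here.

```python
import hashlib
import hmac
import json

# Step 1 (enrollment, online or manual): AS and RS end up sharing a key,
# e.g. read off the RS's QR code and fed to the AS. Constructed sample value.
RS_ENROLLMENT_KEY = b"constructed-sample-key-for-rs-base-station-01"
RS_ID = "rs-base-station-01"


def as_issue_token(key, rs_id, client_id, scope, lifetime_s, now):
    """Step 2 (online, C <-> AS): the AS encodes its authorization decision
    as a MACed token bound to one RS ('aud') with an expiry, so the RS can
    verify it later with no contact to the AS."""
    claims = {"aud": rs_id, "sub": client_id, "scope": scope,
              "iat": now, "exp": now + lifetime_s}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def rs_validate_token(key, rs_id, token, now, required_scope):
    """Step 3 (possibly fully offline, C <-> RS): the RS checks MAC, audience,
    expiry and scope using only its enrollment key and its own clock.
    Returns (ok, reason)."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False, "malformed"
    # Verify the MAC before parsing anything the client supplied.
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad MAC"
    claims = json.loads(payload)
    if claims.get("aud") != rs_id:
        return False, "wrong audience"   # token was issued for another RS
    if now >= claims.get("exp", 0):
        return False, "expired"          # relies on the RS's local clock
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"
```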