Re: [Anima] Brian/anima: trust notion of ASA communications

Michael Richardson <mcr@sandelman.ca> Sun, 09 February 2020 12:13 UTC

From: Michael Richardson <mcr@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>
cc: anima@ietf.org
In-reply-to: <20200207145802.GA37834@faui48f.informatik.uni-erlangen.de>
References: <20200206205949.GD14549@faui48f.informatik.uni-erlangen.de> <23372.1581026131@dooku> <20200207145802.GA37834@faui48f.informatik.uni-erlangen.de>
Comments: In-reply-to Toerless Eckert <tte@cs.fau.de> message dated "Fri, 07 Feb 2020 15:58:02 +0100."
Date: Sun, 09 Feb 2020 13:13:28 +0100
Message-ID: <21784.1581250408@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/DeyVihoaYkTwLdc0aTh4NsrpfPs>
Subject: Re: [Anima] Brian/anima: trust notion of ASA communications

Toerless Eckert <tte@cs.fau.de> wrote:
    >> It seems that in an autonomic network that there ought to be a service that
    >> can be used to ask, "should I trust node FOO to do X?".

    > Sure, and I am going to run a hacked ACP node that's announcing in GRASP
    > to be the "best-ever" node to provide that service ;-) How do you
    > prohibit me from happening? -> Answer: I don't have a fitting certificate, or
    > there is some ACP crowd intelligence that says I am untrustworthy.

a) How are you going to connect to the ACP?
b) If you say that it is because you are going to attack some existing node,
   then no number of certificate bits are going to help.

    >> That could be the (cmc)RA or another node so designated.

    > Right. That's the "role" indications in certificate approach. And of
    > course we want to limit that to really "lifetime role assignments"
    > (lifetime larger than cert lifetime..).

But, that's the only role we need.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [