Re: Machine Identity

der Mouse <mouse@Rodents.Montreal.QC.CA> Tue, 26 February 2008 18:06 UTC

Return-Path: <discuss-bounces@ietf.org>
X-Original-To: ietfarch-discuss-archive@core3.amsl.com
Delivered-To: ietfarch-discuss-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2A04228C749; Tue, 26 Feb 2008 10:06:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.392
X-Spam-Level:
X-Spam-Status: No, score=-1.392 tagged_above=-999 required=5 tests=[AWL=1.207, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqiN0xvHMElq; Tue, 26 Feb 2008 10:06:37 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D80C28C725; Tue, 26 Feb 2008 10:06:09 -0800 (PST)
X-Original-To: discuss@core3.amsl.com
Delivered-To: discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C53928C6CB for <discuss@core3.amsl.com>; Tue, 26 Feb 2008 10:06:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfmnjOJREDnn for <discuss@core3.amsl.com>; Tue, 26 Feb 2008 10:06:06 -0800 (PST)
Received: from Sparkle.Rodents.Montreal.QC.CA (Sparkle.Rodents.Montreal.QC.CA [216.46.5.7]) by core3.amsl.com (Postfix) with ESMTP id 4F20228C3E5 for <discuss@apps.ietf.org>; Tue, 26 Feb 2008 10:03:41 -0800 (PST)
Received: (from mouse@localhost) by Sparkle.Rodents.Montreal.QC.CA (8.8.8/8.8.8) id NAA21846; Tue, 26 Feb 2008 13:03:30 -0500 (EST)
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Message-Id: <200802261803.NAA21846@Sparkle.Rodents.Montreal.QC.CA>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
Date: Tue, 26 Feb 2008 12:50:50 -0500
To: discuss@apps.ietf.org
Subject: Re: Machine Identity
In-Reply-To: <20080226160412.GA22833@nic.fr>
References: <20080226130527.GA1404@generic-nic.net> <200802261547.KAA20917@Sparkle.Rodents.Montreal.QC.CA> <20080226160412.GA22833@nic.fr>
X-BeenThere: discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@ietf.org>
List-Help: <mailto:discuss-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@ietf.org?subject=subscribe>
Sender: discuss-bounces@ietf.org
Errors-To: discuss-bounces@ietf.org

> Such an identity should be almost unique (as is a number chosen at
> random in a very large space) and the machine should be able to prove
> that it indeed "owns" this identity (as is an ID which is the public
> part of a cryptographic key).

> For me, SSH keys or HIP Host Identifiers fulfill these requirements.

Then you have a relatively loose definition of "owns", because an SSH
identity demonstrates merely that the host has the cooperation of
someone who owns the identity.  Furthermore, there may be multiple
machines that own the identity in the sense of having the private data,
since the private data can be copied between machines.

That may be fine for your purposes, but there are people, such as DRM
wonks, to whom either of those two properties ("has the cooperation
of", and copyability) is unacceptable.  As someone remarked upthread,
get host identities and you'll find that lots of people actually want
something slightly different from host identities (no matter what value
of "host identities" it is you get).

Of course, for on-the-wire purposes, you can't prove more than "has the
cooperation of" no matter what you do; all you can demonstrate is that
some entity able to act as the other end of that packet stream you're
seeing has the identity in question.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
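The point made in this message (a key-based identity proves only that the other end of the packet stream has the cooperation of a holder of the private data, and that private data can be copied) is easy to see in a small challenge-response exchange. The Go program below is an added example written for this archive page; it is not code from the thread, from SSH or from HIP. It assumes a toy protocol: the verifier sends a fresh random nonce, the prover returns an Ed25519 signature over a constructed domain tag plus the nonce, and the verifier checks it against the public key it already trusts. The `Host`, `NewChallenge`, `Prove` and `VerifyProof` names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed domain tag, an assumption of this toy protocol: it keeps a proof
// signature from being confused with a signature the same key makes elsewhere.
var proofTag = []byte("toy-host-identity-proof/v1:")

// Host models a machine that holds the private part of an identity key, in the
// spirit of an SSH host key or HIP Host Identifier (hypothetical type).
type Host struct {
	Name string
	priv ed25519.PrivateKey
}

// NewHost generates a fresh identity key on a machine.
func NewHost(name string) (*Host, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Host{Name: name, priv: priv}, nil
}

// CopyTo models copying "the private data" to another machine: the new host
// ends up with byte-identical key material and is, on the wire, a second owner.
func (h *Host) CopyTo(name string) *Host {
	return &Host{Name: name, priv: append(ed25519.PrivateKey(nil), h.priv...)}
}

// Identity is the public part, the only thing a verifier ever learns.
func (h *Host) Identity() ed25519.PublicKey {
	return h.priv.Public().(ed25519.PublicKey)
}

// NewChallenge is the verifier's fresh random nonce; a nonce is never reused,
// which is what stops a captured proof from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Prove answers a challenge with a signature over the tagged nonce. A machine
// without the private data cannot produce one.
func (h *Host) Prove(challenge []byte) ([]byte, error) {
	if len(h.priv) != ed25519.PrivateKeySize {
		return nil, errors.New("host does not hold the private data")
	}
	msg := append(append([]byte{}, proofTag...), challenge...)
	return ed25519.Sign(h.priv, msg), nil
}

// VerifyProof checks an answer against the identity the verifier expected.
// It says nothing about which physical machine produced it.
func VerifyProof(id ed25519.PublicKey, challenge, sig []byte) bool {
	msg := append(append([]byte{}, proofTag...), challenge...)
	return ed25519.Verify(id, msg, sig)
}

func main() {
	a, err := NewHost("host-a")
	if err != nil {
		panic(err)
	}
	b := a.CopyTo("host-b") // private data copied: a second "owner"
	c, err := NewHost("host-c") // unrelated machine with its own key
	if err != nil {
		panic(err)
	}
	id := a.Identity()

	ch, _ := NewChallenge()
	sigA, _ := a.Prove(ch)
	sigB, _ := b.Prove(ch)
	sigC, _ := c.Prove(ch)
	fmt.Println("host-a proves:", VerifyProof(id, ch, sigA))
	fmt.Println("host-b (copy) proves:", VerifyProof(id, ch, sigB))
	// Ed25519 signing is deterministic, so the two proofs are byte-identical:
	// the verifier has no way to tell the copy from the original.
	fmt.Println("copy indistinguishable:", bytes.Equal(sigA, sigB))
	fmt.Println("host-c (no key) proves:", VerifyProof(id, ch, sigC))

	ch2, _ := NewChallenge()
	fmt.Println("old proof against new nonce:", VerifyProof(id, ch2, sigA))
}
```

What the run shows is exactly the thread's two properties: the verifier accepts host-a and host-b alike, because "owns" here means nothing more than "can sign with the private data", and a machine that never received that data fails. The fresh nonce is the one thing the verifier controls; it bounds the proof to this packet stream but cannot narrow it to one physical machine.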