Re: Machine Identity

Dave Crocker <dhc@dcrocker.net> Thu, 28 February 2008 16:01 UTC

Return-Path: <discuss-bounces@ietf.org>
X-Original-To: ietfarch-discuss-archive@core3.amsl.com
Delivered-To: ietfarch-discuss-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6D9428C8BB; Thu, 28 Feb 2008 08:01:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.879
X-Spam-Level:
X-Spam-Status: No, score=-2.879 tagged_above=-999 required=5 tests=[AWL=-0.280, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IeydnVA5dQlf; Thu, 28 Feb 2008 08:01:42 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E66DB28C8AA; Thu, 28 Feb 2008 08:01:37 -0800 (PST)
X-Original-To: discuss@core3.amsl.com
Delivered-To: discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ADFE228C729 for <discuss@core3.amsl.com>; Thu, 28 Feb 2008 08:01:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jM929mCW67Zi for <discuss@core3.amsl.com>; Thu, 28 Feb 2008 08:01:33 -0800 (PST)
Received: from sbh17.songbird.com (unknown [IPv6:2001:470:1:76:0:ffff:4834:7146]) by core3.amsl.com (Postfix) with ESMTP id 5C37228C73D for <discuss@apps.ietf.org>; Thu, 28 Feb 2008 08:01:32 -0800 (PST)
Received: from [192.168.0.2] (adsl-68-122-124-32.dsl.pltn13.pacbell.net [68.122.124.32]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id m1SG1IMF002856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Feb 2008 08:01:23 -0800
Message-ID: <47C6DACE.1060506@dcrocker.net>
Date: Thu, 28 Feb 2008 08:01:18 -0800
From: Dave Crocker <dhc@dcrocker.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Subject: Re: Machine Identity
References: <20080226130527.GA1404@generic-nic.net> <20080228112318.GA23196@nic.fr>
In-Reply-To: <20080228112318.GA23196@nic.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.92/6024/Thu Feb 28 05:33:53 2008 on sbh17.songbird.com
X-Virus-Status: Clean
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.17]); Thu, 28 Feb 2008 08:01:24 -0800 (PST)
Cc: discuss@apps.ietf.org
X-BeenThere: discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: general discussion of application-layer protocols <discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@ietf.org>
List-Help: <mailto:discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@ietf.org?subject=subscribe>
Sender: discuss-bounces@ietf.org
Errors-To: discuss-bounces@ietf.org


Stephane Bortzmeyer wrote:
> On Tue, Feb 26, 2008 at 02:05:27PM +0100,
>  Stephane Bortzmeyer <bortzmeyer@nic.fr>; wrote 
>  a message of 19 lines which said:
> 
>> There are solutions for some protocols (SSH keys of RFC 4251 or Host
>> Identifiers of HIP in RFC 4423 are two good examples) but no general
>> "identity layer" in the Internet architecture.
> 
> An example of an Use Case is given by IKE (RFC 4306). Section 3.5
> lists several possible identities for a machine, and there is not a
> clear unique way to define this identity (identities like ID_IPV4_ADDR
> are typically a poor way to define a machine on the network).


What I found was:

      "used for policy lookup... may be used by an
    implementation to perform access control decisions"

That means that the identifier must be persistent and public, I believe.  It's 
unlikely that a statistically rare (rather than unique) identifier would be 
acceptable for this.  That means a uniqueness registration process is required.

Domain names satisfy these requirements.

So what's wrong with using them for the applications you have in mind?

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net