[Hipsec-rg] Hierarchical HITs

shengjiang at huawei.com (JiangSheng 66104) Tue, 20 January 2009 21:26 UTC

From: "shengjiang at huawei.com"
Date: Wed, 21 Jan 2009 05:26:07 +0800
Subject: [Hipsec-rg] Hierarchical HITs
In-Reply-To: <alpine.LFD.2.00.0901201555340.17180@stargazer.pc.infrahip.net>
References: <000301c97aa1$9071f300$480c6f0a@china.huawei.com> <alpine.LFD.2.00.0901201555340.17180@stargazer.pc.infrahip.net>
Message-ID: <fb9ae7033f94f.3f94ffb9ae703@huawei.com>

Hi, Oleg,

Please don't take my initial meaning wrongly. I have no objection that HIP-authentication can be used for authorization, even the self-generated, non-hierarchical HIT. Actually, in some scenarios, such as for privacy purposes, it is more suitable than HHIT.

If you read my draft, what I suggest is a hierarchical HIT architecture compatible with the flat-structured HIT architecture. In my proposal, hierarchical HIT and self-generated HIT are both supported. The advantage HHIT has is that it carries more embedded information, its belonging information, and this belonging information can be verified too. It is useful for aggregation purposes.

Best regards,

Sheng

----- Original Message -----
From: Oleg Ponomarev <oleg.ponomarev at hiit.fi>
Date: Tuesday, January 20, 2009 11:15 pm
Subject: Re: [Hipsec-rg] Hierarchical HITs
To: Zhang Dacheng <zhangdacheng at huawei.com>
Cc: hipsec-rg at listserv.cybertrust.com

> Greetings!
> 
> >> I think we should distinguish authorization (deciding whether to grant
> >> access) and authentication (verifying identity).
> 
> > I think Sheng Jiang just indicates that the authentication results
> > should be able to be used by authorisation systems. In any un-trivial
> > systems, access control (AC) is performed by authorisation mechanisms,
> > and authentication results do not mean a lot if they cannot be used for
> > authorisation. HHITs can provide information about administration
> > domains, which may be valuable for authorisation systems to make AC
> > assertions.
> 
> Could you please elaborate why HIP-authentication cannot be used for
> authorization?
> 
> 1) HIP is used to verify the identity of the host (that the host possesses
> the private key indeed)
> 
> 2) The verified identity is used for the authorization purposes: simply
> check that it is in the list of authorized identities or request access
> certificate issued to that identity by the trusted CA or whatever.
> 
> 
> The fingerprints (and other biometrics) are "self-generated" and do not
> have any hierarchy, but can be used for authorization very well.
> 
> -- 
> Regards, Oleg.