Re: [HOKEY] Review of draft-gaonkar-radext-erp-attrs-02.txt
Lakshminath Dondeti <ldondeti@qualcomm.com> Fri, 11 January 2008 18:20 UTC
Return-path: <hokey-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JDOU7-0001zm-CY; Fri, 11 Jan 2008 13:20:03 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JDOU6-0001zh-N6 for hokey@ietf.org; Fri, 11 Jan 2008 13:20:02 -0500
Received: from wolverine02.qualcomm.com ([199.106.114.251]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JDOU4-000273-KL for hokey@ietf.org; Fri, 11 Jan 2008 13:20:02 -0500
DomainKey-Signature: s=qcdkim; d=qualcomm.com; c=nofws; q=dns; h=X-IronPort-AV:Received:Received:Received:Message-ID:Date: From:User-Agent:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=P5S1xLGGCRFRUGtiSdghSuvfnASdKchz/UPUwg6GqOdtq/uetj/0pdZZ 9sQendOd+hJrWOVNg3IPVG/luD+ACeO2IPFEhkHf6DP6phb4pYZzaX7yd y0/UJRYnD3Ost9eQlw/tAqRawotSh9xZt0zvRZDcwoJToJ8nk6VBKK9nl s=;
X-IronPort-AV: E=McAfee;i="5100,188,5204"; a="481221"
Received: from numenor.qualcomm.com ([129.46.51.58]) by wolverine02.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Jan 2008 10:19:57 -0800
Received: from msgtransport01.qualcomm.com (msgtransport01.qualcomm.com [129.46.61.148]) by numenor.qualcomm.com (8.14.1/8.12.5/1.0) with ESMTP id m0BIJuEC002583 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 11 Jan 2008 10:19:56 -0800
Received: from [10.50.68.133] (qconnect-10-50-68-133.qualcomm.com [10.50.68.133]) by msgtransport01.qualcomm.com (8.14.1/8.14.2/1.0) with ESMTP id m0BIJsqt024088 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 11 Jan 2008 10:19:55 -0800
Message-ID: <4787B348.5030605@qualcomm.com>
Date: Fri, 11 Jan 2008 10:19:52 -0800
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
Subject: Re: [HOKEY] Review of draft-gaonkar-radext-erp-attrs-02.txt
References: <477D1029.2060502@deployingradius.com> <1608.69.12.173.8.1199495480.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB9032513C22802@NAEX13.na.qualcomm.com> <4062.69.12.173.8.1199655622.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB9032513C22A67@NAEX13.na.qualcomm.com> <47843CFD.3040900@deployingradius.com> <C24CB51D5AA800449982D9BCB9032513CF47ED@NAEX13.na.qualcomm.com> <4785467D.1050607@deployingradius.com> <C24CB51D5AA800449982D9BCB9032513CF486 9@NAEX13.na. qualcomm.com> <7105.216.31.249.246.1199927549.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB9032513CF488D@NAEX13.na.qualcomm.com> <4785DEDC.7070707@deployingradius.com> <47867277.3040206@qualcomm.com> <4095.69.12.173.8.1199995955.squirrel@www.trepanning.net> <478686B1.6090300@qualcomm.com> <4814.69.12.173.8.1200010568.squirrel@www.trepanning.net> <4786C4F7.7030506@qualcomm.com> <3355.69.12.173.8.1200074790.squirrel@www.trepanning.net>
In-Reply-To: <3355.69.12.173.8.1200074790.squirrel@www.trepanning.net>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3a4bc66230659131057bb68ed51598f8
Cc: hokey@ietf.org
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Errors-To: hokey-bounces@ietf.org
On 1/11/2008 10:06 AM, Dan Harkins wrote: > Hi Lakshminath, > > On Thu, January 10, 2008 5:23 pm, Lakshminath Dondeti wrote: >> I will try to be positive Dan :). >> >> One of the reasons I point to the old discussions and consensus >> agreements is that we have a colorful history in the IETF in going over >> things again and again, not always to improve things. We are also not >> really perfect in our designs either. So I am not sure really the point >> in debating things endlessly. >> >> But, I respect your insight into protocol design. You have done this >> longer than I have and perhaps we were all wrong in the key hierarchy >> design. > > Thank you for your kind words. But I don't actually think things were > all wrong necessarily. I had an understanding that the peer would need > to authenticate "the network". I had an understanding that a 3 party > protocol would be needed to ensure that. Therefore, in my mind at least, > a key hierarchy was needed. > > But I had an epiphany in Vancouver. The peer _doesn't care_ about > authenticating "the network". He just wants service. That being the case > he doesn't care if his network access credential (that blob-of-bits that > he proves possession of to obtain network access) is shared between the > distributed entities that comprise "the network". That being the case the > key hierarchy becomes an unnecessary complexity. > > When I described this epiphany to Russ and others it came out as one > of "enterprise" versus "service provider" but I really believe the > distinction is whether the peer requires authentication of the entity > it is connecting to. If it does then I strongly believe a 3 party protocol > is needed, and a key hierarchy thefore makes sense; if it doesn't then > you don't need a 3 party protocol and you don't need a key hierarchy. > > I remember asking you in Vancouver when you thought a 3 party protocol > would be needed in HOKEY. You said, "never". > >> So, let me try another way. Here is what is needed from the >> EMSK hierarchy. >> * to be able to derive various usage specific keys from the EMSK (by the >> way the typo was the omission of the word "directly"; we don't want to >> use the EMSK directly for reauthentication;) > > Right, we don't want to use the EMSK for HOKEY. So we can derive a > HOKEY key. Specific for allowing the peer to do handoffs. He proves > possession of the HOKEY key and he gets network access. > >> * deliver domain specific keys so the domain servers can do the same thing > > Deliver the HOKEY key to the servers through normal AAA mechanisms. > >> So this makes the hierarchy >> >> EMSK >> / / \ >> / / \ >> USRK[1..n] DSRK1 DSRK2 ... (derived as needed) >> / \ >> DSUSRK[1..m1] DSUSRK[1..m2] > > So this makes the hierarchy > > EMSK > | > HOKEY-KEY > >> There are 2 levels in the key hierarchy. The two reasons above explain >> the two levels. > > Well you want to derive usage specific keys. That is the reason for > this key hierarchy. And the need for these usage specific keys is.... > Well one of them is for handoffs. There is no justification for a > multiplicity of them though. So we have a need for one "usage specific" > key derived from the EMSK. Let's call that the HOKEY-KEY and get rid of > a whole layer of this key hierarchy. Then this DSUSRK stuff is next. > >> With the above hierarchy, the USRKs are never sent out. If there is >> dispute in billing when the rMSK is derived solely from the USRK (rRK), >> then the operator would know that the error is not due to any >> EAP-related protocols or proxies for that matter. Likewise, if there >> are repeated billing issues associated with VisitedOperator1 and there >> is end-to-end security in delivering DSRKs, then the operator can infer >> that there are issues associated with VisitedOperator1. Now of course, >> when proxies are involved it is not so clear. There are strategies to >> get around that too. For instance, the operator may program the >> smartcard in the peer to maintain usage statistics and can fetch them >> when there are such issues. In that case again, the operator may be >> able to make inferences about where the problem is. > > But this rRK business is from a different key hierarchy defined in a > different document, right? It's _below_ the whole EMSK-USRK-DSRK-DSUSRK > tree you drew above, right? So I don't really see how that justifies > all the cruft above it. I will respond to the rest later Dan, but this caught my attention and I thought I should clarify quickly: EMSK / \ HOKEY-KEY DSRK / HOKEY-KEY So, we are only debating 1-level vs. and optional 2-level key hierarchy. regards, Lakshminath > > regards, > > Dan. > > > > _______________________________________________ HOKEY mailing list HOKEY@ietf.org https://www1.ietf.org/mailman/listinfo/hokey
- [HOKEY] Review of draft-gaonkar-radext-erp-attrs-… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- Re:RE: [HOKEY] Review of draft-gaonkar-radext-erp… wan.changsheng
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Yoshihiro Ohba
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re:RE: [HOKEY] Review of draft-gaonkar-radext-erp… wan.changsheng
- Re:Re:RE: [HOKEY] Review of draft-gaonkar-radext-… wan.changsheng
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Yoshihiro Ohba
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Yoshihiro Ohba
- Re:Re: [HOKEY] Review of draft-gaonkar-radext-erp… wan.changsheng
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re:Re: [HOKEY] Review of draft-gaonkar-radext-erp… wan.changsheng
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Yoshihiro Ohba
- Re: Re: [HOKEY] Review of draft-gaonkar-radext-er… Yoshihiro Ohba
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- Re:Re: Re: [HOKEY] Review of draft-gaonkar-radext… wan.changsheng
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Glen Zorn
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Yoshihiro Ohba
- Re:RE: [HOKEY] Review of draft-gaonkar-radext-erp… wan.changsheng
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re:RE: [HOKEY] Review of draft-gaonkar-radext-erp… Dan Harkins
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Nakhjiri Madjid-VXT746
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Nakhjiri Madjid-VXT746
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Dan Harkins
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- RE: [HOKEY] Review of draft-gaonkar-radext-erp-at… Narayanan, Vidya
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Alan DeKok
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Lakshminath Dondeti
- Re: [HOKEY] Review of draft-gaonkar-radext-erp-at… Charles Clancy