RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00
Madjid Nakhjiri <mnakhjiri@huawei.com> Fri, 20 July 2007 17:34 UTC
Return-path: <hokey-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBwMc-00048J-7l; Fri, 20 Jul 2007 13:34:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBwMa-00048E-RW for hokey@ietf.org; Fri, 20 Jul 2007 13:34:00 -0400
Received: from usaga01-in.huawei.com ([206.16.17.211]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IBwMZ-0003iQ-2W for hokey@ietf.org; Fri, 20 Jul 2007 13:34:00 -0400
Received: from huawei.com (usaga01-in [172.18.4.6]) by usaga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JLH000JZNGM4V@usaga01-in.huawei.com> for hokey@ietf.org; Fri, 20 Jul 2007 10:33:58 -0700 (PDT)
Received: from N737011 ([10.192.25.70]) by usaga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0JLH00DHHNGHFK@usaga01-in.huawei.com> for hokey@ietf.org; Fri, 20 Jul 2007 10:33:58 -0700 (PDT)
Date: Fri, 20 Jul 2007 10:33:53 -0700
From: Madjid Nakhjiri <mnakhjiri@huawei.com>
Subject: RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00
In-reply-to: <4C0FAAC489C8B74F96BEAD85EAEB262504625A01@xmb-sjc-215.amer.cisco.com>
To: "'Glen Zorn (gwz)'" <gwz@cisco.com>, 'Yoshihiro Ohba' <yohba@tari.toshiba.com>
Message-id: <005801c7caf4$24ff4a90$4619c00a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Thread-index: AcfHVuBSZPw+8Su3St+eBdsKTgwHNwABcDcgALm619AACmDOUAAg7L3w
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93df555cbdbcdae9621e5b95d44b301e
Cc: 'Sam Hartman' <hartmans-ietf@mit.edu>, 'Tim Polk' <tim.polk@nist.gov>, housley@vigilsec.com, hokey@ietf.org
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Errors-To: hokey-bounces@ietf.org
Ok, I am quite aware of proxy issues. in case you guys forgot IETF has a document called draft-housley-aaa-key-mgmt-09.txt that has a section Limit key scope Following the principle of least privilege, parties MUST NOT have access to keying material that is not needed to perform their role. A party has access to a particular key if it has access to all of the secret information needed to derive it. Any protocol that is used to establish session keys, MUST specify the scope for session keys, clearly identifying the parties to whom the session key is available. The sec area directorate and Tim just asked us to address the issues of proxies regarding a MIP4-RADIUS document and take Housley-aaa-key requirements into consideration when it comes to MIP keys transport, and for the record we are not using a 3 party distribution there.. We had addressed zorn-key-wrap draft in that discussion, but obviously IETF traction of that document is slow too. Obviously this group and IETF needs to solve the proxy problem one way or the other, 3 party protocol or not, keys are going to go over proxies somehow, if you have a Kerberos proposal, lets see it, even a "term paper" like piece would be appreciated. After all this is an engineering forum, even though the management style of treating volunteers leaves things to be desired some times... As far as taking critique, may be I send (to this list) some of the conversations where I time after time asked to take the discussions to the public list, without any resolve... Also, it is appreciated if the chairs are a bit more available than 2 emails/month if they are going to call their own WG docs "term paper".. By approved I meant approved as ietf-hokey-... not approved by IETF. I believe this is the note I got from Charles: "Madjid, Thanks for all your work on the key delivery document. After a brief skim, it looks MUCH more like what I was envisioning. I'll read it in detail in the next week and send more specific comments. " So maybe between the two of you, you can decide what it is you want?? As for me, may be I should go earn my pay check now. Madjid -----Original Message----- From: Glen Zorn (gwz) [mailto:gwz@cisco.com] Sent: Thursday, July 19, 2007 6:51 PM To: Madjid Nakhjiri; Yoshihiro Ohba Cc: hokey@ietf.org Subject: RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00 Madjid Nakhjiri <mailto:mnakhjiri@huawei.com> allegedly scribbled on Thursday, July 19, 2007 1:49 PM: > Nice attaboy from the co-chair on two public lists, I thought a > clarification is needed (just on HOKEY list however). The initial > thought coming to mind is: > > > You put your right hand in, > You put your right hand out, > You put your right hand in, > And you shake it all about, > > You do the hokey pokey > and you turn yourself around > That what it's all about. > > From http://www.scoutsongs.com/lyrics/hokeypokey.html (to listen to) > > I guess when we named the WG "hokey", we had no idea what we were > getting into. > > As an editor and contributor I have the opinion all along that the > key-mgm-doc should cover the entire key hierarchy from EMSK down to > per-authenticator key and since there are two way of doing things > (EMSK->HRK->Domain specific HRK, versus EMSK->DSRK->domain specific > HRK) we should discuss the hierarchies and key holders architecture > for both. We should discuss detailed format of information being > passed, and agreed to leave the signaling format specifics to ERX. As > editors we were just following a co-chair instructions to allow ERX > to include Diameter AVP/RADIUS attribute descriptions. Not having > discussed the specific architecture for key holders, we had to come > up with a few to keep the discussion generic.. > > The Key-mgm doc is prepared based on Charles directions (following > his hokey-plan doc and follow up emails) to turn the 3 party and > hokey-key-hierarchy into a new doc and to not do any hokey-specific > details, keep the key hierarchy out, discuss a high level > distribution mechanism, and keep any specific AAA protocol/ AVP > specifications doc out, leaving everything for another document that > does signaling. > > I think we should start discussing and deciding these things should > be discussed on the WG list, like the rest of IETF, using issue > trackers, rather calling the _approved_ doc a "term paper". That document has as far as I know not been "approved" as anything but a starting point. If you think otherwise that's a shame. But let's see if I've got this straight: you want to discuss things on the "public" list _unless_ that discussion is critical of your work? > So far it > seems, we are continuing in the spirit of HOKEY: > > "and you turn yourself around > That what it's all about." Very cute. How about addressing the actual issues (like how the Otway-Reese derivative you propose actually would work in a proxied network) instead of obsessing over what you appear to have taken as an insult. I don't think it will: prove me wrong. Kerberos, OTOH _could_ work in something like a proxied network because direct trust relationships between all realm are not required, but you don't talk about it. > > I have no problem including specific AAA references Specific AAA references are unnecessary, but references to the real world would be very welcome. > there and include > an actual deployable architecture for HOKEY including key delivery > (at least the high level keys), if we get the green light from the > WG... > > Just responding publicly??? > > Madjid > > -----Original Message----- > From: Glen Zorn (gwz) [mailto:gwz@cisco.com] > Sent: Sunday, July 15, 2007 9:01 PM > To: Yoshihiro Ohba > Cc: kgaonkar3@gatech.edu; radiusext@ops.ietf.org; hokey@ietf.org > Subject: RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00 > > Yoshihiro Ohba <mailto:yohba@tari.toshiba.com> allegedly scribbled on > Sunday, July 15, 2007 7:27 PM: > >> I agree with Glen's analysis (except that the entity that requests a >> DSRK from home domain server is a visited domain server, not a NAS in >> my reading of the draft). Security property of a key management >> mechanism that relies on a particular AAA protocol deployment can >> easily be lost when the AAA protocol is deployed in a wrong way >> (e.g., placing a AAA proxy that can read the key on the key >> distribution path). The problem with such an approach is there is no >> protocol-level mechanism to prevent mis-deployment of AAA protocol. I >> don't think such a mechanism should survive in the long run. > > Whether or not it should is a theoretical question: the fact is that > it has & most likely will for the foreseeable future. > >> >> A securer and cleaner way to avoid dependency on AAA protocol >> deployment is to use a 3-party key distribution protocol that does >> not rely on underlying transport security. HOKEY WG is already >> taking that approach: draft-ietf-hokey-key-mgm-00.txt. > > I'd just like to reiterate (as co-chair) that if this document is to > survive, it needs to become a lot more protocol specification & a lot > less term paper rather quickly. There is far too much handwaving > going on for it to be taken seriously: the document needs to clearly > & precisely state how it will work in _existing networks_ (hint: "we > assume green-field deployments" is _not_ acceptable as far as I'm > concerned). In addition, if a three-party protocol is actually > required from a practical point of view, there need to be very good > reasons why an existing standard (i.e., Kerberos) is not usable. > > _______________________________________________ > HOKEY mailing list > HOKEY@ietf.org > https://www1.ietf.org/mailman/listinfo/hokey _______________________________________________ HOKEY mailing list HOKEY@ietf.org https://www1.ietf.org/mailman/listinfo/hokey
- [HOKEY] comments on draft-gaonkar-radext-erp-attr… Glen Zorn (gwz)
- Re: [HOKEY] comments on draft-gaonkar-radext-erp-… Yoshihiro Ohba
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- [HOKEY] Re: comments on draft-gaonkar-radext-erp-… Lakshminath Dondeti
- [HOKEY] RE: comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- [HOKEY] RE: comments on draft-gaonkar-radext-erp-… Narayanan, Vidya
- [HOKEY] RE: comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- [HOKEY] RE: comments on draft-gaonkar-radext-erp-… Narayanan, Vidya
- [HOKEY] RE: comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- [HOKEY] RE: comments on draft-gaonkar-radext-erp-… Narayanan, Vidya
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Madjid Nakhjiri
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Dan Harkins
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- Re: [HOKEY] comments on draft-gaonkar-radext-erp-… Alan DeKok
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Dan Harkins
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Dan Harkins
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Madjid Nakhjiri
- Re: [HOKEY] comments on draft-gaonkar-radext-erp-… Sam Hartman
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Madjid Nakhjiri
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Madjid Nakhjiri
- Re: [HOKEY] comments on draft-gaonkar-radext-erp-… Yoshihiro Ohba
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Glen Zorn (gwz)
- Re: [HOKEY] comments on draft-gaonkar-radext-erp-… Charles Clancy
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-… Madjid Nakhjiri
- Re: [HOKEY] comments on draft-gaonkar-radext-erp-… Charles Clancy