Re: [i2rs] quick comment on draft-hares-i2rs-auth-trans-00
Alia Atlas <akatlas@gmail.com> Tue, 23 June 2015 14:20 UTC
Return-Path: <akatlas@gmail.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD4C21A8F4A for <i2rs@ietfa.amsl.com>; Tue, 23 Jun 2015 07:20:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.999
X-Spam-Level:
X-Spam-Status: No, score=-103.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JsrCSv9-1S6a for <i2rs@ietfa.amsl.com>; Tue, 23 Jun 2015 07:20:35 -0700 (PDT)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D37E21A8F42 for <i2rs@ietf.org>; Tue, 23 Jun 2015 07:20:34 -0700 (PDT)
Received: by obbop1 with SMTP id op1so7081295obb.2 for <i2rs@ietf.org>; Tue, 23 Jun 2015 07:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dL1oVyxUa9rDrfASN7ApwmhrDnXuvK+uZWJXKLWa2mQ=; b=kZ2IpUQdSllTHaUT9/KsIIPjJotWRZeucQrAzZjH+G9M1hAwpNBI6TK8hMB7A7seae fvTTAJtgWTd5agDYZUF/jIA/xdlTPp6GcwfExBr6D32R7YPtG9GYL9YhuOLLFBOecZav fL0WkG4yCw3BYeX4zKXRFevqqQ37p01BkyPQuz4tW7+D6Zid2MRQTeBTVNMO4siKYRSk aHzrdRbweB6/cIRK1ANtaqhriH/9Ti3M97KN4mKBzGP+xNp6UptfalX1p3Qrz1sL3W+6 VpmtMP5IYgxJjAAOwMGrb1fr5qdEsVSoX6q+Oz3UxP/Qq/VwB9h+CCoJbC1j3EBGQXx8 iGug==
MIME-Version: 1.0
X-Received: by 10.60.156.130 with SMTP id we2mr30206525oeb.24.1435069234341; Tue, 23 Jun 2015 07:20:34 -0700 (PDT)
Received: by 10.60.165.145 with HTTP; Tue, 23 Jun 2015 07:20:34 -0700 (PDT)
In-Reply-To: <1E0ED488-9114-4909-BD6F-EC9F6296FB4F@telefonica.com>
References: <CAG4d1retauAwC3MrDUvgJFoWxMrQiFtXAQq1kt=D0gxdrkQdOg@mail.gmail.com> <296D132F-5E2E-495A-AEB9-17B161BC7286@telefonica.com> <CAG4d1rcWRCYm1VYx6SacoBmk+X2AXzZjgXAiG4q24C-XQV-oag@mail.gmail.com> <1E0ED488-9114-4909-BD6F-EC9F6296FB4F@telefonica.com>
Date: Tue, 23 Jun 2015 10:20:34 -0400
Message-ID: <CAG4d1rc8s433QXoeLtHy75T55E1A4o8VaJUxc-83+R0S=z3_Aw@mail.gmail.com>
From: Alia Atlas <akatlas@gmail.com>
To: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
Content-Type: multipart/alternative; boundary="089e01182852f0ef2305193017c5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/fJHZ7oWZioy2lkYuujiUwZ9VSlQ>
Cc: "i2rs@ietf.org" <i2rs@ietf.org>
Subject: Re: [i2rs] quick comment on draft-hares-i2rs-auth-trans-00
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 14:20:40 -0000
Hi Diego, On Jun 23, 2015 9:41 AM, "DIEGO LOPEZ GARCIA" <diego.r.lopez@telefonica.com> wrote: > Hi Alia, > > My understanding was that secondary identity was not intended to be only > a general declaration made by the client, in which case what you say > definitely holds. If the trust model at the agent does not completely rely > on client assertions, the only way in which I see you can ensure > traceability is by associating data with a minimum level of assurance, in > despite of those data being opaque or not to the entities providing or > recording them. > > I believe that the secondary identity is intended to be only a general declaration made by the client. It's the minimum to provide some traceability without complicated support for the broker client model. That is why it is merely an opaque value to the agent; it has no meaning and isn't verified but merely stored. With the primary identity verified and an integrity-protected channel for writing state, I think that secondary identity will be whatever the associated client sent. By having that opaque value recorded, an operator can compare it to what the client thinks was happening. Certainly, that's the discussion and conclusion that I recall and I haven't seen any further discussion to make me think that the conclusion has changed. Regards, Alia > If the first assumption holds, I'll stay corrected and support your > comment to section 3.1. If not, I'd say I have a point here... > > Be goode, > > On 23 Jun 2015, at 14:10 , Alia Atlas <akatlas@gmail.com> wrote: > > Hi Diego, > > The secondary identity is just an opaque value to allow traceability. > It's to support a > client easily being a broker for multiple applications. I don't agree > that there is value > in trying to secure the secondary identity the way you are describing. > This path leads > to there being basically no value for having secondary identities. > > Regards, > Alia > > On Tue, Jun 23, 2015 at 9:02 AM, DIEGO LOPEZ GARCIA < > diego.r.lopez@telefonica.com> wrote: > >> >> --Apple-Mail=_B6401857-FE32-45EF-A393-65E1C90F6FC1 >> Content-Transfer-Encoding: quoted-printable >> Content-Type: text/plain; >> charset=us-ascii >> >> Hi Alia, >> >> Just a remark on your comment about section 3.1: I think the current = >> requirement of associating a single secondary identity per connection = >> does make sense if we want to keep traceability over I2RS secure = >> transports.=20 >> >> You need to associate secondary identities with primary ones in a secure = >> way to guarantee such traceability, and the mechanisms for this I can = >> imagine using current transports (such as a certificate extension or = >> alternate identity, or additional information in secure tokens) are = >> associated with connection handshake, and therefore re-association is = >> complicated to implement without restarting the connection. Note I say = >> complicated, not impossible, but I cannot see the advantage in the = >> additional complexity, especially when experience shows that additional = >> complexity becoming source of security flaws... >> >> Be goode, >> >> On 11 Jun 2015, at 22:11 , Alia Atlas <akatlas@gmail.com> wrote: >> >> > <no-hat> >> >=20 >> > Sue, >> >=20 >> > Thanks for writing this draft. I think it is useful to clearly = >> articulate the outside-of-I2RS behavior and protocols that are needed = >> for the mutual authentication. I do have a couple comments on the = >> draft. >> >=20 >> >=20 >> > In Sec 3.1, it says "Each Identity will be linked to one secondary = >> identity for the period of a connection." I would have assumed that the = >> client could arbitrarily change its' secondary identity. This is to = >> support the broker case where a client may be passing along requests = >> from multiple applications. Since the secondary identity is just passed = >> along and stored for traceability, I don't think that allowing it to = >> change would cause significant complications. What do others think? >> >=20 >> >=20 >> > In the I2RS architecture, there are 3 different types of transaction = >> behavior desired for processing a message. In Sec 4, there's an = >> assumption that "fail-on-error" with the associated roll-back is the = >> only mode. Thus, I think that Section 4 needs a bit of massaging. >> >=20 >> >=20 >> > Thanks, >> >=20 >> > Alia >> > _______________________________________________ >> > i2rs mailing list >> > i2rs@ietf.org >> > https://www.ietf.org/mailman/listinfo/i2rs >> >> -- >> "Esta vez no fallaremos, Doctor Infierno" >> >> Dr Diego R. Lopez >> Telefonica I+D >> http://people.tid.es/diego.lopez/ >> >> e-mail: diego.r.lopez@telefonica.com >> Tel: +34 913 129 041 >> Mobile: +34 682 051 091 >> ---------------------------------- >> >> >> --Apple-Mail=_B6401857-FE32-45EF-A393-65E1C90F6FC1 >> Content-Transfer-Encoding: quoted-printable >> Content-Type: text/html; >> charset=us-ascii >> >> <html><head><meta http-equiv=3D"Content-Type" content=3D"text/html = >> charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; = >> -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi = >> Alia,<div><br></div><div>Just a remark on your comment about section = >> 3.1: I think the current requirement of associating a single secondary = >> identity per connection does make sense if we want to keep traceability = >> over I2RS secure transports. </div><div><br></div><div>You need to = >> associate secondary identities with primary ones in a secure way to = >> guarantee such traceability, and the mechanisms for this I can imagine = >> using current transports (such as a certificate extension or alternate = >> identity, or additional information in secure tokens) are associated = >> with connection handshake, and therefore re-association is complicated = >> to implement without restarting the connection. Note I say complicated, = >> not impossible, but I cannot see the advantage in the additional = >> complexity, especially when experience shows that additional complexity = >> becoming source of security flaws...</div><div><br></div><div>Be = >> goode,</div><div><br><div><div>On 11 Jun 2015, at 22:11 , Alia Atlas = >> <<a href=3D"mailto:akatlas@gmail.com">akatlas@gmail.com</a>> = >> wrote:</div><br class=3D"Apple-interchange-newline"><blockquote = >> type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html; = >> charset=3Dutf-8"><div >> dir=3D"ltr"><no-hat><br><br>Sue,<br><br>Thanks= >> for writing this draft. I think it is useful to clearly = >> articulate the outside-of-I2RS behavior and protocols that are needed = >> for the mutual authentication. I do have a couple comments on the = >> draft.<br><br><br>In Sec 3.1, it says "Each Identity will be linked to = >> one secondary identity for the period of a connection." I would = >> have assumed that the client could arbitrarily change its' secondary = >> identity. This is to support the broker case where a client may be = >> passing along requests from multiple applications. Since the = >> secondary identity is just passed along and stored for traceability, I = >> don't think that allowing it to change would cause significant = >> complications. What do others think?<br><br><br>In the I2RS = >> architecture, there are 3 different types of transaction behavior = >> desired for processing a message. In Sec 4, there's an assumption that = >> "fail-on-error" with the associated roll-back is the only mode. = >> Thus, I think that Section 4 needs a bit of = >> massaging.<br><br><br>Thanks,<br><br>Alia</div> >> _______________________________________________<br>i2rs mailing = >> list<br><a = >> href=3D"mailto:i2rs@ietf.org">i2rs@ietf.org</a><br> >> https://www.ietf.org/ma= >> ilman/listinfo/i2rs <https://www.ietf.org/ma=ilman/listinfo/i2rs><br></blockquote></div><br><div >> = >> apple-content-edited=3D"true"> >> <div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: = >> auto; text-align: start; text-indent: 0px; text-transform: none; = >> white-space: normal; widows: auto; word-spacing: 0px; = >> -webkit-text-stroke-width: 0px; word-wrap: break-word; = >> -webkit-nbsp-mode: space; -webkit-line-break: = >> after-white-space;">--<br>"Esta vez no fallaremos, Doctor = >> Infierno"<br><br>Dr Diego R. Lopez<br>Telefonica I+D<br><a = >> href=3D"http://people.tid.es/diego.lopez/"> >> http://people.tid.es/diego.lope= >> z/ <http://people.tid.es/diego.lope=z/></a><br><br>e-mail: >> diego.r.lopez@telefonica.com<br>Tel: = >> +34 913 129 041<br>Mobile: +34 682 051 = >> 091<br>----------------------------------</div> >> >> </div> >> <br></div></body></html>= >> >> --Apple-Mail=_B6401857-FE32-45EF-A393-65E1C90F6FC1-- >> >> ________________________________ >> >> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, >> puede contener información privilegiada o confidencial y es para uso >> exclusivo de la persona o entidad de destino. Si no es usted. el >> destinatario indicado, queda notificado de que la lectura, utilización, >> divulgación y/o copia sin autorización puede estar prohibida en virtud de >> la legislación vigente. Si ha recibido este mensaje por error, le rogamos >> que nos lo comunique inmediatamente por esta misma vía y proceda a su >> destrucción. >> >> The information contained in this transmission is privileged and >> confidential information intended only for the use of the individual or >> entity named above. If the reader of this message is not the intended >> recipient, you are hereby notified that any dissemination, distribution or >> copying of this communication is strictly prohibited. If you have received >> this transmission in error, do not read it. Please immediately reply to the >> sender that you have received this communication in error and then delete >> it. >> >> Esta mensagem e seus anexos se dirigem exclusivamente ao seu >> destinatário, pode conter informação privilegiada ou confidencial e é para >> uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o >> destinatário indicado, fica notificado de que a leitura, utilização, >> divulgação e/ou cópia sem autorização pode estar proibida em virtude da >> legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos >> o comunique imediatamente por esta mesma via e proceda a sua destruição >> > > > -- > "Esta vez no fallaremos, Doctor Infierno" > > Dr Diego R. Lopez > Telefonica I+D > http://people.tid.es/diego.lopez/ > > e-mail: diego.r.lopez@telefonica.com > Tel: +34 913 129 041 > Mobile: +34 682 051 091 > ---------------------------------- > > > ------------------------------ > > Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, > puede contener información privilegiada o confidencial y es para uso > exclusivo de la persona o entidad de destino. Si no es usted. el > destinatario indicado, queda notificado de que la lectura, utilización, > divulgación y/o copia sin autorización puede estar prohibida en virtud de > la legislación vigente. Si ha recibido este mensaje por error, le rogamos > que nos lo comunique inmediatamente por esta misma vía y proceda a su > destrucción. > > The information contained in this transmission is privileged and > confidential information intended only for the use of the individual or > entity named above. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution or > copying of this communication is strictly prohibited. If you have received > this transmission in error, do not read it. Please immediately reply to the > sender that you have received this communication in error and then delete > it. > > Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, > pode conter informação privilegiada ou confidencial e é para uso exclusivo > da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário > indicado, fica notificado de que a leitura, utilização, divulgação e/ou > cópia sem autorização pode estar proibida em virtude da legislação vigente. > Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique > imediatamente por esta mesma via e proceda a sua destruição >
- [i2rs] quick comment on draft-hares-i2rs-auth-tra… Alia Atlas
- Re: [i2rs] quick comment on draft-hares-i2rs-auth… DIEGO LOPEZ GARCIA
- Re: [i2rs] quick comment on draft-hares-i2rs-auth… Alia Atlas
- Re: [i2rs] quick comment on draft-hares-i2rs-auth… DIEGO LOPEZ GARCIA
- Re: [i2rs] quick comment on draft-hares-i2rs-auth… Alia Atlas
- Re: [i2rs] quick comment on draft-hares-i2rs-auth… Joel M. Halpern