Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)

"Joel M. Halpern" <> Thu, 05 October 2017 04:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 447291321DE; Wed, 4 Oct 2017 21:40:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eK78wVRIlVG8; Wed, 4 Oct 2017 21:40:41 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9A5D11321A0; Wed, 4 Oct 2017 21:40:41 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7D97446DC89; Wed, 4 Oct 2017 21:40:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=1.tigertech; t=1507178441; bh=mEKNVSyD99hdO8hzz/+1RSMZSaTDG7k8csLGW5FPwEg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=TnvT1e/3foGjKvQmIDgrjAnYUKs7YXv4/orWkyAsgk+ENyXkXj/NFKl6UJ+py2tbG k0swm7AmRZgZ2JHKcXEKhw26ogyN9o2IbohZa45AJ+FxjZFp2jiReLPqFOpO4+7Vbh Qw/2EYUE1UYNCfAXfJhsuRliQHXvBaOq9X0DYuso=
X-Virus-Scanned: Debian amavisd-new at
Received: from Joels-MacBook-Pro.local (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id B7648467F1B; Wed, 4 Oct 2017 21:40:39 -0700 (PDT)
To: Uma Chunduri <>, Benjamin Kaduk <>, Jari Arkko <>
Cc: "" <>, "" <>
References: <> <> <> <> <> <> <> <> <>
From: "Joel M. Halpern" <>
Message-ID: <>
Date: Thu, 5 Oct 2017 00:40:38 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Oct 2017 04:40:43 -0000

You seem to be making some unstated assumptions.

If by "Provider" in "Provider based AUTH" you mean the last hop 
communications service provider, then I would fundamentally disagree 
with you.  The communication service provider has no role in creating or 
authenticating identifiers.  Their job is to provide locators.
Now, those service providers may have an authentication relationship, 
based on some identifiers, in order to provide communications services. 
But the identifiers for that are completely uncoupled from and unrealted 
to the identifiers need for an ID / Locator system.

Yes, if there is a provider of identifiers (not all systems even require 
that), then the user of the identifier needs to have an appropriate 
relationship with the provider of the identifier.  And that needs to be 
related to the authentication needed to update the mapping system.

But neither of those require anything other than the identifier and 
suitable keying.  I gave several examples of this in earlier emails to 
the list.


On 10/4/17 11:24 PM, Uma Chunduri wrote:
> Hi Joel,
> 	>Yes, authentication is necessary to modify the entries.  (Whether one should be authenticated before reading varies from case to case.)
> 	>But authentication does not require a separate identity.  Exactly what it requires depends upon how the system is constructed.
> IMHO, provider based AUTH is needed in lot of cases if we really want to build a solid system which enables mobility.
> I responded to Jari, who is a pioneer and who helped spec out one of the best AUTH methods  & systems successfully deployed ever with his
> (but he did it for another most successful SDO, with all constructs like Pseudonyms and fast-re-auth-ids) didn't see the need for the same here.
> May be as you indicated there is something missing in the charter that didn't reflect the need.
> --
> Uma C.