Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
Georgios Karagiannis <georgios.karagiannis@huawei.com> Thu, 12 October 2017 13:22 UTC
Return-Path: <georgios.karagiannis@huawei.com>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AAC8134211; Thu, 12 Oct 2017 06:22:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id quWWkOPd2vam; Thu, 12 Oct 2017 06:22:49 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FEEA120720; Thu, 12 Oct 2017 06:22:48 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml707-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DQM64246; Thu, 12 Oct 2017 13:22:34 +0000 (GMT)
Received: from LHREML502-MBS.china.huawei.com ([10.201.109.53]) by lhreml707-cah.china.huawei.com ([10.201.108.48]) with mapi id 14.03.0301.000; Thu, 12 Oct 2017 14:22:24 +0100
From: Georgios Karagiannis <georgios.karagiannis@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "ideas@ietf.org" <ideas@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Uma Chunduri <uma.chunduri@huawei.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, Benjamin Kaduk <kaduk@mit.edu>, Jari Arkko <jari.arkko@piuha.net>
Thread-Topic: [Ideas] WG Review: IDentity Enabled Networks (ideas)
Thread-Index: AQHTPUTr8mvVhpJ8Xk2HRextCZOYFaLUJ9qAgAAzkoCAAA3FAIAAAIUAgAAA8wCAABzkAIAAFVQAgADQAACAAQb2wIAADNoAgAm5MzA=
Date: Thu, 12 Oct 2017 13:22:24 +0000
Message-ID: <C5034E44CD620A44971BAAEB372655DC2DD36230@lhreml502-mbs>
References: <150670160872.14128.2758037992338326085.idtracker@ietfa.amsl.com> <778d5504-ba4f-d418-7b20-356353bb0fb2@cs.tcd.ie> <D7D4AEE9-3BD0-4C8F-BCC6-7185AF7D37BA@netapp.com> <9C663B18-21CC-4A16-8B26-7994B12B1DC5@piuha.net> <25B4902B1192E84696414485F572685401A872DE@SJCEML701-CHM.china.huawei.com> <33f100a0-5114-269c-adb4-5db6edb1fd4d@joelhalpern.com> <20171005013730.GC96685@kduck.kaduk.org> <55bf5ae5-848a-ba81-f76b-14aaefdad2bf@joelhalpern.com> <25B4902B1192E84696414485F572685401A873A3@SJCEML701-CHM.china.huawei.com> <d92f5bd7-8081-37bf-cefe-d19ba4a203e2@joelhalpern.com> <25B4902B1192E84696414485F572685401A8750D@SJCEML701-CHM.china.huawei.com> <C5034E44CD620A44971BAAEB372655DC2DD336ED@lhreml502-mbs> <b801b130-b054-6874-1d04-8cd7b8200419@cs.tcd.ie>
In-Reply-To: <b801b130-b054-6874-1d04-8cd7b8200419@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.221.62.107]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0207.59DF6C9F.0072, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: ffc79e8c6a44093f62df7a0f42f4cdce
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/o3aT2ahZYzrJQuTl1WOTZHKJ_r0>
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2017 13:22:51 -0000
Hi Stephen, Thanks for your comments and insights on this topic, since you were an IETF Security AD for several years; In the previous email I wanted to mention a possible IETF based solution (or an enhancement of this) that can be used to support the dynamic management/refreshing of Identities, i.e., using the Federation concept proposed in RFC7831, https://www.rfc-editor.org/rfc/rfc7831.txt An enhanced ABFAB solution might be used to support the lifecycle management of Identities. The Identity provider stores the Identities and the Relying Party can be a controller that controls when the Identities need to be refreshed; These entities and their relationships are illustrated graphically below (taken from RFC7831) ,----------\ ,---------\ | Identity | Federation | Relying | | Provider + <--------------------> + Party | `----------' '---------' < \ \ Authentication \ \ \ \ \ +---------+ \ | | v| Client | | | +---------+ Entities and Their Relationships Note that the above is for further study and has not been discussed with the IDEAS proponents; Best regards, Georgios -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] Sent: Friday, October 06, 2017 11:32 AM To: Georgios Karagiannis; Uma Chunduri; Joel M. Halpern; Benjamin Kaduk; Jari Arkko Cc: ideas@ietf.org; ietf@ietf.org Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas) Hiya, On 06/10/17 08:49, Georgios Karagiannis wrote: > Hi all, > > Please note that I have looked into the output of the (concluded) IETF > ABFAB WG. In order to answer many questions/concerns that have been > raised during the previous IDEAS discussions, it might be useful to > consider the results of the IETF ABFAB WG. > https://datatracker.ietf.org/wg/abfab/documents/ > > We could incorporate their concepts about identity and how identity > can be established and leveraged in a distributed way able to satisfy > trust and privacy concerns. I have no clue how GSS-API is even relevant here. abfab was a fine thing for JISC and friends to do to as a way to try broaden the benefit they got from their existing federated authentication setup, in their case involving UK universities. It is not at all clear that that would be even relevant if one wanted to build the kind of all encompassing IdPs envisaged in the ideas charter/draft. The relationships that university account holders have with their own and other academic institutions and with applications running in such environments (that being the point of abfab) don't seem to me to generalise to lower layers in any useful manner. In any case, if this proposal is only now at the point where you're starting to ponder the basic architecture then I'd conclude it's nowhere near ready to charter. (As well as being a bad idea from the privacy POV;-) WGs for such decisions can be a good plan when there's a few known architectural choices on the table, and if different sets of folks need a venue to reach consensus on which road to take - suggesting abfab at this point sounds like floundering around looking for reasons to exist tbh. (Sorry to be blunt and it may not be that, but it appears to be that to me.) S. > > Best regards, Georgios > > > -----Original Message----- From: Ideas [mailto:ideas-bounces@ietf.org] > On Behalf Of Uma Chunduri Sent: > Thursday, October 05, 2017 7:05 PM To: Joel M. Halpern; Benjamin > Kaduk; Jari Arkko Cc: ideas@ietf.org; ietf@ietf.org Subject: Re: > [Ideas] WG Review: IDentity Enabled Networks (ideas) > > Hi Joel, > > In-line [Uma]: > > > Best Regards, -- Uma C. > > -----Original Message----- From: Joel M. Halpern > [mailto:jmh@joelhalpern.com] Sent: Wednesday, October 04, 2017 9:41 PM > To: Uma Chunduri <uma.chunduri@huawei.com>; Benjamin Kaduk > <kaduk@mit.edu>; Jari Arkko <jari.arkko@piuha.net> Cc: > ideas@ietf.org; ietf@ietf.org Subject: Re: [Ideas] WG Review: > IDentity Enabled Networks (ideas) > > You seem to be making some unstated assumptions. > > If by "Provider" in "Provider based AUTH" you mean the last hop > communications service provider, then I would fundamentally disagree > with you. [Uma]: I meant IdP and it's an orthogonal discussion if both > roles played by same entity.. > > The communication service provider has no role in creating or > authenticating identifiers. Their job is to provide locators. [Uma]: > Absolutely. > > Now, those service providers may have an authentication relationship, > based on some identifiers, in order to provide communications > services. But the identifiers for that are completely uncoupled from > and unrealted to the identifiers need for an ID / Locator system. > > Yes, if there is a provider of identifiers (not all systems even > require that), > > [Uma]: Yes, may be not all systems require that, especially if this > is a local deployment. > > then the user of the identifier needs to have an appropriate > relationship with the provider of the identifier. And that needs to be > related to the authentication needed to update the mapping system. > [Uma]: Yes. > > > But neither of those require anything other than the identifier and > suitable keying. [Uma]: If it's a local system simple keying is enough > (in the expense of key management etc) as all devices may be managed > by the same org. > > _______________________________________________ Ideas mailing list > Ideas@ietf.org https://www.ietf.org/mailman/listinfo/ideas > >
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Tom Herbert
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Tom Herbert
- Re: [Ideas] WG Review: IDentity Enabled Networks … Dino Farinacci
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Templin, Fred L
- [Ideas] Fwd: Fwd: Re: WG Review: IDentity Enabled… Christian Huitema
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Templin, Fred L
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Tom Herbert
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Templin, Fred L
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Christian Huitema
- Re: [Ideas] WG Review: IDentity Enabled Networks … Christian Huitema
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Templin, Fred L
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Robert Moskowitz
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Uma Chunduri
- Re: [Ideas] Fwd: Fwd: Re: WG Review: IDentity Ena… Robert Moskowitz
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- [Ideas] WG Review: IDentity Enabled Networks (ide… The IESG
- Re: [Ideas] WG Review: IDentity Enabled Networks … Phillip Hallam-Baker
- Re: [Ideas] WG Review: IDentity Enabled Networks … Tom Herbert
- Re: [Ideas] WG Review: IDentity Enabled Networks … stephen.farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … John C Klensin
- Re: [Ideas] WG Review: IDentity Enabled Networks … Tom Herbert
- Re: [Ideas] WG Review: IDentity Enabled Networks … Alexander Clemm
- Re: [Ideas] WG Review: IDentity Enabled Networks … Eggert, Lars
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … Dino Farinacci
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padmadevi Pillay Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Jari Arkko
- Re: [Ideas] WG Review: IDentity Enabled Networks … Joel M. Halpern
- Re: [Ideas] WG Review: IDentity Enabled Networks … Brian E Carpenter
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Joel M. Halpern
- Re: [Ideas] WG Review: IDentity Enabled Networks … Alexander Clemm
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Tom Herbert
- Re: [Ideas] WG Review: IDentity Enabled Networks … Dino Farinacci
- Re: [Ideas] WG Review: IDentity Enabled Networks … Yingzhen Qu
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Joel M. Halpern
- Re: [Ideas] WG Review: IDentity Enabled Networks … Benjamin Kaduk
- Re: [Ideas] WG Review: IDentity Enabled Networks … Joel Halpern Direct
- Re: [Ideas] WG Review: IDentity Enabled Networks … Mike StJohns
- Re: [Ideas] WG Review: IDentity Enabled Networks … Phillip Hallam-Baker
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Joel M. Halpern
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] Fwd: Re: WG Review: IDentity Enabled … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Dino Farinacci
- Re: [Ideas] WG Review: IDentity Enabled Networks … Dino Farinacci
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Georgios Karagiannis
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … S Moonesamy
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … S Moonesamy
- Re: [Ideas] WG Review: IDentity Enabled Networks … Tom Herbert
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Tom Herbert
- Re: [Ideas] WG Review: IDentity Enabled Networks … S Moonesamy
- Re: [Ideas] WG Review: IDentity Enabled Networks … Alexander Clemm
- Re: [Ideas] WG Review: IDentity Enabled Networks … Alvaro Retana
- Re: [Ideas] WG Review: IDentity Enabled Networks … Robert Moskowitz
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … Randy Bush
- Re: [Ideas] WG Review: IDentity Enabled Networks … Eggert, Lars
- Re: [Ideas] WG Review: IDentity Enabled Networks … Stephen Farrell
- Re: [Ideas] WG Review: IDentity Enabled Networks … Uma Chunduri
- Re: [Ideas] WG Review: IDentity Enabled Networks … Randy Bush
- Re: [Ideas] WG Review: IDentity Enabled Networks … Jeff Tantsura
- Re: [Ideas] WG Review: IDentity Enabled Networks … Randy Bush
- Re: [Ideas] WG Review: IDentity Enabled Networks … Robert Moskowitz
- Re: [Ideas] WG Review: IDentity Enabled Networks … Robert Moskowitz
- Re: [Ideas] WG Review: IDentity Enabled Networks … Christian Huitema
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Padma Pillay-Esnault
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Alexander Clemm
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Christian Huitema
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Dino Farinacci
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Eric Rescorla
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Dino Farinacci
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Eric Rescorla
- Re: [Ideas] WG Review: IDentity Enabled Networks … Padma Pillay-Esnault
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Dino Farinacci
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Eric Rescorla
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Sam Sun
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Dino Farinacci
- Re: [Ideas] WG Review: IDentity Enabled Networks … Georgios Karagiannis
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Toerless Eckert
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Tom Herbert
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Toerless Eckert
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Tom Herbert
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… John C Klensin
- Re: [Ideas] [lisp] WG Review: IDentity Enabled Ne… Toerless Eckert