Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)

Georgios Karagiannis <georgios.karagiannis@huawei.com> Thu, 12 October 2017 13:22 UTC

Return-Path: <georgios.karagiannis@huawei.com>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AAC8134211; Thu, 12 Oct 2017 06:22:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id quWWkOPd2vam; Thu, 12 Oct 2017 06:22:49 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FEEA120720; Thu, 12 Oct 2017 06:22:48 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml707-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DQM64246; Thu, 12 Oct 2017 13:22:34 +0000 (GMT)
Received: from LHREML502-MBS.china.huawei.com ([10.201.109.53]) by lhreml707-cah.china.huawei.com ([10.201.108.48]) with mapi id 14.03.0301.000; Thu, 12 Oct 2017 14:22:24 +0100
From: Georgios Karagiannis <georgios.karagiannis@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "ideas@ietf.org" <ideas@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Uma Chunduri <uma.chunduri@huawei.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, Benjamin Kaduk <kaduk@mit.edu>, Jari Arkko <jari.arkko@piuha.net>
Thread-Topic: [Ideas] WG Review: IDentity Enabled Networks (ideas)
Thread-Index: AQHTPUTr8mvVhpJ8Xk2HRextCZOYFaLUJ9qAgAAzkoCAAA3FAIAAAIUAgAAA8wCAABzkAIAAFVQAgADQAACAAQb2wIAADNoAgAm5MzA=
Date: Thu, 12 Oct 2017 13:22:24 +0000
Message-ID: <C5034E44CD620A44971BAAEB372655DC2DD36230@lhreml502-mbs>
References: <150670160872.14128.2758037992338326085.idtracker@ietfa.amsl.com> <778d5504-ba4f-d418-7b20-356353bb0fb2@cs.tcd.ie> <D7D4AEE9-3BD0-4C8F-BCC6-7185AF7D37BA@netapp.com> <9C663B18-21CC-4A16-8B26-7994B12B1DC5@piuha.net> <25B4902B1192E84696414485F572685401A872DE@SJCEML701-CHM.china.huawei.com> <33f100a0-5114-269c-adb4-5db6edb1fd4d@joelhalpern.com> <20171005013730.GC96685@kduck.kaduk.org> <55bf5ae5-848a-ba81-f76b-14aaefdad2bf@joelhalpern.com> <25B4902B1192E84696414485F572685401A873A3@SJCEML701-CHM.china.huawei.com> <d92f5bd7-8081-37bf-cefe-d19ba4a203e2@joelhalpern.com> <25B4902B1192E84696414485F572685401A8750D@SJCEML701-CHM.china.huawei.com> <C5034E44CD620A44971BAAEB372655DC2DD336ED@lhreml502-mbs> <b801b130-b054-6874-1d04-8cd7b8200419@cs.tcd.ie>
In-Reply-To: <b801b130-b054-6874-1d04-8cd7b8200419@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.221.62.107]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0207.59DF6C9F.0072, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: ffc79e8c6a44093f62df7a0f42f4cdce
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/o3aT2ahZYzrJQuTl1WOTZHKJ_r0>
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2017 13:22:51 -0000

Hi Stephen,

Thanks for your comments and insights on this topic, since you were an IETF Security AD for several years;

In the previous email I wanted to mention a possible IETF based solution (or an enhancement of this) that can be used to support the dynamic management/refreshing of Identities, i.e., using the Federation concept proposed in RFC7831, https://www.rfc-editor.org/rfc/rfc7831.txt


An enhanced ABFAB solution might be used to support the lifecycle management of Identities. The Identity provider stores the Identities and the Relying Party can be a controller that controls when the Identities need to be refreshed;

These entities and their relationships are illustrated graphically below (taken from RFC7831)


             ,----------\                        ,---------\
             | Identity |       Federation       | Relying |
             | Provider + <--------------------> + Party   |
             `----------'                        '---------'
                    <
                     \
                      \ Authentication
                       \
                        \
                         \
                          \
                           \  +---------+
                            \ |         |  
                             v| Client  |
                              |         |  
                              +---------+ 

                Entities and Their Relationships

Note that the above is for further study and has not been discussed with the IDEAS proponents;


Best regards,
Georgios


-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Friday, October 06, 2017 11:32 AM
To: Georgios Karagiannis; Uma Chunduri; Joel M. Halpern; Benjamin Kaduk; Jari Arkko
Cc: ideas@ietf.org; ietf@ietf.org
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)


Hiya,

On 06/10/17 08:49, Georgios Karagiannis wrote:
> Hi all,
> 
> Please note that I have looked into the output of the (concluded) IETF 
> ABFAB WG. In order to answer many questions/concerns that have been 
> raised during the previous IDEAS discussions, it might be useful to 
> consider the results of the IETF ABFAB WG.
> https://datatracker.ietf.org/wg/abfab/documents/
> 
> We could incorporate their concepts about identity and how identity 
> can be established and leveraged in a distributed way able to satisfy 
> trust and privacy concerns.

I have no clue how GSS-API is even relevant here. abfab was a fine thing for JISC and friends to do to as a way to try broaden the benefit they got from their existing federated authentication setup, in their case involving UK universities. It is not at all clear that that would be even relevant if one wanted to build the kind of all encompassing IdPs envisaged in the ideas charter/draft.
The relationships that university account holders have with their own and other academic institutions and with applications running in such environments (that being the point of abfab) don't seem to me to generalise to lower layers in any useful manner.

In any case, if this proposal is only now at the point where you're starting to ponder the basic architecture then I'd conclude it's nowhere near ready to charter.
(As well as being a bad idea from the privacy POV;-)

WGs for such decisions can be a good plan when there's a few known architectural choices on the table, and if different sets of folks need a venue to reach consensus on which road to take - suggesting abfab at this point sounds like floundering around looking for reasons to exist tbh. (Sorry to be blunt and it may not be that, but it appears to be that to me.)

S.


> 
> Best regards, Georgios
> 
> 
> -----Original Message----- From: Ideas [mailto:ideas-bounces@ietf.org] 
> On Behalf Of Uma Chunduri Sent:
> Thursday, October 05, 2017 7:05 PM To: Joel M. Halpern; Benjamin 
> Kaduk; Jari Arkko Cc: ideas@ietf.org; ietf@ietf.org Subject: Re:
> [Ideas] WG Review: IDentity Enabled Networks (ideas)
> 
> Hi Joel,
> 
> In-line [Uma]:
> 
> 
> Best Regards, -- Uma C.
> 
> -----Original Message----- From: Joel M. Halpern 
> [mailto:jmh@joelhalpern.com] Sent: Wednesday, October 04, 2017 9:41 PM 
> To: Uma Chunduri <uma.chunduri@huawei.com>; Benjamin Kaduk 
> <kaduk@mit.edu>; Jari Arkko <jari.arkko@piuha.net> Cc:
> ideas@ietf.org; ietf@ietf.org Subject: Re: [Ideas] WG Review:
> IDentity Enabled Networks (ideas)
> 
> You seem to be making some unstated assumptions.
> 
> If by "Provider" in "Provider based AUTH" you mean the last hop 
> communications service provider, then I would fundamentally disagree 
> with you. [Uma]: I meant IdP and it's an orthogonal discussion if both 
> roles played by same entity..
> 
> The communication service provider has no role in creating or 
> authenticating identifiers.  Their job is to provide locators. [Uma]:
> Absolutely.
> 
> Now, those service providers may have an authentication relationship, 
> based on some identifiers, in order to provide communications 
> services. But the identifiers for that are completely uncoupled from 
> and unrealted to the identifiers need for an ID / Locator system.
> 
> Yes, if there is a provider of identifiers (not all systems even 
> require that),
> 
> [Uma]:  Yes, may be not all systems require that, especially if this 
> is a local deployment.
> 
> then the user of the identifier needs to have an appropriate 
> relationship with the provider of the identifier. And that needs to be 
> related to the authentication needed to update the mapping system. 
> [Uma]: Yes.
> 
> 
> But neither of those require anything other than the identifier and 
> suitable keying. [Uma]: If it's a local system simple keying is enough 
> (in the expense of key management etc) as all devices may be managed 
> by the same org.
> 
> _______________________________________________ Ideas mailing list 
> Ideas@ietf.org https://www.ietf.org/mailman/listinfo/ideas
> 
>