Re: Admission Control to the IETF 78 and IETF 79 Networks
Phillip Hallam-Baker <hallam@gmail.com> Sun, 11 July 2010 19:33 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 020A23A6960 for <ietf@core3.amsl.com>; Sun, 11 Jul 2010 12:33:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.172
X-Spam-Level:
X-Spam-Status: No, score=0.172 tagged_above=-999 required=5 tests=[AWL=0.357, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9W5z6TF6-OP4 for <ietf@core3.amsl.com>; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 22F9E3A6A02 for <ietf@ietf.org>; Sun, 11 Jul 2010 12:32:49 -0700 (PDT)
Received: by iwn38 with SMTP id 38so4129627iwn.31 for <ietf@ietf.org>; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=Q4UnqouLFpOSUXBoe6Z4zTA2D6bzv8iC8648bzMPJpw=; b=aclTeoUsoL1DHTR0hbe3Riv4YJZOnBWLquBPAfhUvjdc5V3+OeDdbzOcm7Fs3KpcNf uqeJKSbZFQAyw9/xR34SVwT3ChUc5K1jtdWKjQVbjKgqaa6xWFSvnQKUDtS12Fr94Bg1 J9BNAqQTXCWO+q2GqwVzj3TkcHm4REURUUQsc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=HUJKP0x4uDb/AztwWffcZfKEbqJ08JB1Ij6GuBbP0/zIaDF0nrPxsPbi06A5lncyw5 b+PtqufM4ozGFRuWu43lC986cyneyYLiw7iPo/WarxSeMZb7oP7rWPfJ7OtuolWfpOQY dQXWPmM1pWG2sEOyU9C8MHLAWTZg1qbS/jWzA=
MIME-Version: 1.0
Received: by 10.231.32.134 with SMTP id c6mr12845029ibd.156.1278876775182; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
Received: by 10.231.32.8 with HTTP; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
In-Reply-To: <20100706170631.GK25518@thunk.org>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org>
Date: Sun, 11 Jul 2010 15:32:55 -0400
Message-ID: <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Phillip Hallam-Baker <hallam@gmail.com>
To: tytso@mit.edu
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Mon, 12 Jul 2010 08:16:43 -0700
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jul 2010 19:33:00 -0000
Of course the MAC address is trivially forged. That is the function of the certificate. MAC address XXXXX is not very interesting MAC address that party purporting to be CISCO says is XXXXX is quite a bit more interesting MAC address that party validated as CISCO as XXXXX is more interesting still. Now this is not getting us to a point where nobody can possibly break the system. But we have got to a point where the expected losses are a couple orders of magnitude lower than we can expect through current approaches. On the issues involved using client certificates for wireless access, I agree that the current practice falls far short of what is acceptable. That is the reason why I think it would be helpful for the IETF to spend some time eating the dog food (even if a different brand, we can do better). Now in theory, this is a problem that PKI should make easier to solve. But instead it seems that it gives people too much scope to create incompatible variations. The simplest, cleanest solution to this problem is to either have a device cert installed during manufacture or to employ my alternative scheme designed for low performance devices that does not require them to perform public key cryptography on the end point device (patent pending, all rights reserved). I do not see the value of client certificates for this type of network access. They work in the enterprise context as the selection of the certificate is unambiguous. But here we have a situation where we are not really looking to become part of the IETF network specifically, we just want a uniform identifier. I would prefer to use client certs for VPN layer security and a device cert for WiFi authentication. The user is not a device, conflating the two is bad. By a device cert, I mean an authentication credential that permits authentication of the device without disclosure of the authentication secret, is linked to a globally unique identifier and never expires. The simplest solution for this in my view would be for everyone to independently generate a self-signed cert and use the fingerprint to mediate access. They can then in theory use the same cert in any similar environment. One (yucky) way we could do this is to each enter the fingerprint of the cert(s) for each device when we register. A much better way to achieve the same effect would be to configure the network so that any computer that presents any certificate can access the network registration page (just like in a hotel network) but leaving that area is only possible after the user has authenticated and the fingerprint of the cert is entered into the auth database.
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Admission Control to the IETF 78 and IETF 79 Netw… IETF Chair
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Fred Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Olivier MJ Crepin-Leblond
- Re: Admission Control to the IETF 78 and IETF 79 … Dave CROCKER
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew Sullivan
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Marshall Eubanks
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew Sullivan
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Ted Hardie
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … David Conrad
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … John C Klensin
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Michael StJohns
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- free internet for ieters only Health
- Re: Admission Control to the IETF 78 and IETF 79 … Robert Moskowitz
- Re: Admission Control to the IETF 78 and IETF 79 … Douglas Otis
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Bob Hinden
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew G. Malis
- Re: Admission Control to the IETF 78 and IETF 79 … Marocco Enrico
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Marocco Enrico
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … tytso
- Re: Admission Control to the IETF 78 and IETF 79 … Mark Atwood
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … joel jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Douglas Otis
- Re: Admission Control to the IETF 78 and IETF 79 … Donald Eastlake
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … IETF Chair
- RE: Admission Control to the IETF 78 and IETF 79 … Josh Howlett
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker