IETF Logo Mail Archive

Re: [kitten] PKCROSS and philosophical tangents...

"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Thu, 30 January 2014 05:30 UTC

Return-Path: <bnordgren@fs.fed.us>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C65221A0356 for <kitten@ietfa.amsl.com>; Wed, 29 Jan 2014 21:30:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ieSu-334mZrn for <kitten@ietfa.amsl.com>; Wed, 29 Jan 2014 21:30:32 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe001.messaging.microsoft.com [216.32.181.181]) by ietfa.amsl.com (Postfix) with ESMTP id 473211A0194 for <kitten@ietf.org>; Wed, 29 Jan 2014 21:30:31 -0800 (PST)
Received: from mail49-ch1-R.bigfish.com (10.43.68.253) by CH1EHSOBE013.bigfish.com (10.43.70.63) with Microsoft SMTP Server id 14.1.225.22; Thu, 30 Jan 2014 05:30:27 +0000
Received: from mail49-ch1 (localhost [127.0.0.1]) by mail49-ch1-R.bigfish.com (Postfix) with ESMTP id 4D81D40218; Thu, 30 Jan 2014 05:30:27 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:199.135.140.14; KIP:(null); UIP:(null); IPV:NLI; H:mail.usda.gov; RD:none; EFVD:NLI
X-SpamScore: 2
X-BigFish: VPS2(zz542I1432Idb82hdc4mzz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h1f96jzz1de098h17326ah8275bh1de097h186068h5eeeKz2fh109h2a8h839h8e3h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1b2fh224fh1fb3h1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h21a6h2216h22d0h2336h2438h2461h2487h24d7h2516h1155h)
Received-SPF: pass (mail49-ch1: domain of fs.fed.us designates 199.135.140.14 as permitted sender) client-ip=199.135.140.14; envelope-from=bnordgren@fs.fed.us; helo=mail.usda.gov ; ail.usda.gov ;
Received: from mail49-ch1 (localhost.localdomain [127.0.0.1]) by mail49-ch1 (MessageSwitch) id 139105982691393_7323; Thu, 30 Jan 2014 05:30:26 +0000 (UTC)
Received: from CH1EHSMHS038.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.240]) by mail49-ch1.bigfish.com (Postfix) with ESMTP id 8434B2004E; Thu, 30 Jan 2014 05:30:05 +0000 (UTC)
Received: from mail.usda.gov (199.135.140.14) by CH1EHSMHS038.bigfish.com (10.43.69.247) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 30 Jan 2014 05:30:02 +0000
Received: from 001FSN2MMR1-015.001f.mgd2.msft.net (199.135.140.70) by 001FSN2MMR1-004.001f.mgd2.msft.net (199.135.140.14) with Microsoft SMTP Server (TLS) id 14.3.174.2; Thu, 30 Jan 2014 05:30:01 +0000
Received: from 001FSN2MPN1-046.001f.mgd2.msft.net ([169.254.6.84]) by 001FSN2MMR1-015.001f.mgd2.msft.net ([199.135.140.70]) with mapi id 14.03.0174.002; Thu, 30 Jan 2014 05:30:01 +0000
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: [kitten] PKCROSS and philosophical tangents...
Thread-Index: Ac8dF9EVVIDV+Fq6S8CZNUDcti9KcAANe5wAAAZh4HA=
Date: Thu, 30 Jan 2014 05:30:00 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E683D80@001FSN2MPN1-046.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E683B4E@001FSN2MPN1-046.001f.mgd2.msft.net> <20140129235636.GB6916@localhost>
In-Reply-To: <20140129235636.GB6916@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [166.7.26.120]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: fs.fed.us
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] PKCROSS and philosophical tangents...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jan 2014 05:30:36 -0000

New comment
---
PKCROSS seems to me to be about providing agility while preserving accurate identification. It seems that a section on distributed CA schemes may be warranted, if only to put the full PKI scheme in context. OTOH: Is it worthwhile to allow implementers to provide alternative methods of evaluating trust in certificates? Omar, 2009 gives an overview that I found helpful. I put some references below which may be useful for the draft.
---

Response
---
This is another long post, but it can be summed up as "agile is good", "the whole world is not Kerberos", "let users induct their pals into the Kerberos universe" and "share the load".  The various axioms and corollarys below are the main points I'd want to see given technical expression.

> -----Original Message-----
> > Tangent #1: What is "authentication"?
>
> That's a long topic.  For the sake of brevity, and to answer your more
> concrete questions/proposals, I'll not go down this tangent :)

Sorry for the lengthy post. I need to hammer out a solid conceptual framework before working out technical issues (which then need to tie back into the conceptual framework pretty directly).

> > PKCROSS introduces a paradigm where entire foreign domains are
> > authenticated by a certificate authority, to varying degrees of rigor.
>
> A "varying degree of rigor" (I like the phrase) is exactly it.

:)

> Grow your world of actual and potential peers large enough and any
> assumption that "can authenticate" == "someone I can trust" evaporates.

Ahh, axiom #1: Accurate identification does not equal trustworthiness (e.g., I've known him all his life; he's still a jerk)


> This smells to me more like authorization than authentication, but it can be
> seen either way, and it really depends on what operational details you'd like
> to have involved.  If "sponsorship" means that the sponsor has to provide a
> KDC-/CA-/IdP-like infrastructure for sponsees, then it's really authentication,
> but also a pain.  If what you have in mind is more like writing down
> somewhere that a sponsee [whose identity must be possible to establish in
> roughly the same way every time, perhaps every time after the first] can do
> this or that, then it's more like authorization, and much easier to manage.

My conceptual model is an agile, Kerberized, collaborative environment. I expect that some partners may not have Kerberos identities in any realm. (Perhaps they are a contractor working out of their home.) A conceptual mechanism is needed to induct these poor wayward souls into the realm of "The Identified" so that everyone can play in the same sandbox.

Those who work for big organizations with Kerberos infrastructure have been "sponsored" by the organization. This relationship is made explicit by the fact that their credentials are principals in the mother organization's realm.

When credentialed individuals sponsor a wayward, non-Kerberized soul, I think this also needs to be explicit....and of course distinct from the "organizationally sponsored users". And since the topic is cross-domain trusts, the KDCs need to be able to communicate this distinction to each other. It can be simple, like creating principles in a subdomain with a standard name (contractor_c@WAYWARD.EXAMPLE.COM) Or perhaps using the sponsor's complete principal ID as the instance (contractor_c/me@EXAMPLE.COM @ EXAMPLE.COM) Or a combination of both. Or something else.

Axiom #2: Can't be authorized until you're authenticated.
Corrolary: Authentication involves identifying both you and your sponsor...


> You may not care who a peer's IdP/CA/KDC is, as long as it stays the same
> and the trust path for authenticating the IdP/CA/KDC stays the same.  If you
> can see to this then it's easier to view this as authorization.

I'll do you one better. I don't care who a peer's IdP/CA/KDC is ever. I also don't care if they don't have one at all. ;) If I tell a cooperator to connect to my system and they can't because a trust path isn't configured right...well, I want a way to assert to the system that the credentials presented are indeed valid even if they're self-signed (for a small-potatoes KDC)...or that new Kerberos credentials should be allocated with me as the sponsor (for someone who doesn't want to stand up their own KDC). And then I expect the system to get out of the way. :) It's trust path is me.

Axiom #3: Users will form collaborations without regard to the compatibility of the partner organizations' infrastructure.
Corollary: It should be possible to distribute the extra administrative overhead of technologically ill-conceived collaborations.
Corollary: Friends don't make friends learn Kerberos. :)

> > 4] human trust anchor aggregation: if several sponsors affirm several
> > identities from the same foreign realm, confidence in that realm's
> > identity should be high;
>
> You still get this if you treat this as delegated authorization, again, provided
> that you have a way to authenticate the "several identities'"
> [presumably] common credential issuer reliably.

I brought this up because my spidey senses are tingling. Too early to say for sure, but ... well, currently, KDCs act as central points of control over some sphere of influence. It seems that if the peons within that sphere of influence start making decisions about who they choose to trust, KDCs could also act as a concentrator for trust related information...In my world we call such things "Decision Support Systems" and we pay big money to develop them. There is probably value here...somehow...

Bryce



Some references :
Naranjo, J. A. M., F. Cores, L. G. Casado, and F. Guirado. "Fully Distributed Authentication with Locality Exploitation for the CoDiP2P Peer-to-Peer Computing Platform." The Journal of Supercomputing 65, no. 3 (December 5, 2012): 1037-1049. doi:10.1007/s11227-012-0842-2. http://www.cs.georgetown.edu/~clay/classes/spring2013/papers/Fully_distributed_authentication_with_locality_exploitation_for_the_CoDiP2P_peer-to-peer_computing_platform.pdf

Omar, Mawloud, Yacine Challal, and Abdelmadjid Bouabdallah. "Reliable and Fully Distributed Trust Model for Mobile Ad Hoc Networks." Computers & Security 28, no. 3-4 (May 2009): 199-214. doi:10.1016/j.cose.2008.11.009.
http://hal.archives-ouvertes.fr/docs/00/38/90/20/PDF/net-trust-19-02-08.pdf






This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

v2.30.2 | Report a Bug | By Email | System Status