IETF Logo Mail Archive

Re: New naming draft submitted

Bill Sommerfeld <sommerfeld@sun.com> Thu, 10 March 2005 03:38 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA25279; Wed, 9 Mar 2005 22:38:26 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9EY1-0002kS-Qh; Wed, 09 Mar 2005 22:41:18 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9EUt-0002YZ-G3; Wed, 09 Mar 2005 22:38:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9EUs-0002YU-LH for kitten@megatron.ietf.org; Wed, 09 Mar 2005 22:38:02 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA25241 for <kitten@ietf.org>; Wed, 9 Mar 2005 22:38:00 -0500 (EST)
Received: from brmea-mail-4.sun.com ([192.18.98.36]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9EXa-0002ja-IZ for kitten@ietf.org; Wed, 09 Mar 2005 22:40:51 -0500
Received: from eastmail1bur.East.Sun.COM ([129.148.9.49]) by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id j2A3bxX8003467; Wed, 9 Mar 2005 20:37:59 -0700 (MST)
Received: from 129.148.19.3 (punchin-sommerfeld.East.Sun.COM [129.148.19.3]) by eastmail1bur.East.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL,v2.2) with ESMTP id j2A3bwQp020682; Wed, 9 Mar 2005 22:37:58 -0500 (EST)
From: Bill Sommerfeld <sommerfeld@sun.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <tsl650mucvj.fsf@cz.mit.edu>
References: <tsl650mucvj.fsf@cz.mit.edu>
Content-Type: text/plain
Message-Id: <1110425871.9167.2.camel@unknown.hamachi.org>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6.325
Date: Wed, 09 Mar 2005 21:37:53 -0600
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Content-Transfer-Encoding: 7bit
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: New naming draft submitted
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Sender: kitten-bounces@ietf.org
Errors-To: kitten-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Content-Transfer-Encoding: 7bit

On Sun, 2005-02-20 at 15:42, Sam Hartman wrote:
> I've submitted draft-ietf-kitten-gss-naming-01.txt.  I think this one
> is readyish for last-call, but would like to ask Nico and Martin to
> review it and tell me what's broken and then consider the next
> revision for a real last call. 

Some text I wrote for a (now expired, hopefully soon to be resurrected)
draft on IPsec API requirements took a slightly different approach
at the question of naming.

Here's an excerpt:

8. WHO

   This is perhaps the most tricky part of the problem.  Existing IPsec
   key management protocols provide a wide variety of authentication
   methods -- preshared secrets, public key, Kerberos, X.509
   certificates, etc.,

   There are several potential uses for names provided by IPsec:

8.1 OPAQUE IDENTITY

   It should be possible to determine that two IPsec-protected
   communications conducted within a short to medium time frame were
   with the same authenticated peer; it should be possible to use a
   received identity to initiate a communication back to that identity.

   Example cases: connectionless replies; linking ftp control and data
   connections.

   The application need only be able to determine if two identities are
   equal.

8.2 AUDITING

   It should be possible for an application to construct a log entry
   naming the peer.

8.3 ACCESS CONTROL

   While policy rules may allow traffic to be blocked entirely, it's
   often necessary for a program to provide services to mutually
   suspicious clients.  It should be possible for a service to make
   appropriate access control decisions based on the identity of the
   peer; in addition, the peer's certificate may contain interesting
   SubjectAltName or other attributes which may have relevance for the
   application; it may also be possible for the system to derive other
   attributes from the peer's identity.

8.4 ATTRIBUTES/CREDENTIALS

   [Mission Creep Alert] In many cases, an application is not so much
   interested in the peer's name, but rather in some other attribute of
   the peer.  Exactly where and how to map from long-term keys to these
   attributes needs to be nailed down; it may well be that this is best
   left as a local issue.

   Some of this is probably out of scope for the working group; however,
   we should not preclude others from building on this.



_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email