Re: New naming draft submitted
Bill Sommerfeld <sommerfeld@sun.com> Thu, 10 March 2005 03:38 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA25279; Wed, 9 Mar 2005 22:38:26 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9EY1-0002kS-Qh; Wed, 09 Mar 2005 22:41:18 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9EUt-0002YZ-G3; Wed, 09 Mar 2005 22:38:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9EUs-0002YU-LH for kitten@megatron.ietf.org; Wed, 09 Mar 2005 22:38:02 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA25241 for <kitten@ietf.org>; Wed, 9 Mar 2005 22:38:00 -0500 (EST)
Received: from brmea-mail-4.sun.com ([192.18.98.36]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9EXa-0002ja-IZ for kitten@ietf.org; Wed, 09 Mar 2005 22:40:51 -0500
Received: from eastmail1bur.East.Sun.COM ([129.148.9.49]) by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id j2A3bxX8003467; Wed, 9 Mar 2005 20:37:59 -0700 (MST)
Received: from 129.148.19.3 (punchin-sommerfeld.East.Sun.COM [129.148.19.3]) by eastmail1bur.East.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL,v2.2) with ESMTP id j2A3bwQp020682; Wed, 9 Mar 2005 22:37:58 -0500 (EST)
From: Bill Sommerfeld <sommerfeld@sun.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <tsl650mucvj.fsf@cz.mit.edu>
References: <tsl650mucvj.fsf@cz.mit.edu>
Content-Type: text/plain
Message-Id: <1110425871.9167.2.camel@unknown.hamachi.org>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6.325
Date: Wed, 09 Mar 2005 21:37:53 -0600
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Content-Transfer-Encoding: 7bit
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: New naming draft submitted
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Sender: kitten-bounces@ietf.org
Errors-To: kitten-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Content-Transfer-Encoding: 7bit
On Sun, 2005-02-20 at 15:42, Sam Hartman wrote: > I've submitted draft-ietf-kitten-gss-naming-01.txt. I think this one > is readyish for last-call, but would like to ask Nico and Martin to > review it and tell me what's broken and then consider the next > revision for a real last call. Some text I wrote for a (now expired, hopefully soon to be resurrected) draft on IPsec API requirements took a slightly different approach at the question of naming. Here's an excerpt: 8. WHO This is perhaps the most tricky part of the problem. Existing IPsec key management protocols provide a wide variety of authentication methods -- preshared secrets, public key, Kerberos, X.509 certificates, etc., There are several potential uses for names provided by IPsec: 8.1 OPAQUE IDENTITY It should be possible to determine that two IPsec-protected communications conducted within a short to medium time frame were with the same authenticated peer; it should be possible to use a received identity to initiate a communication back to that identity. Example cases: connectionless replies; linking ftp control and data connections. The application need only be able to determine if two identities are equal. 8.2 AUDITING It should be possible for an application to construct a log entry naming the peer. 8.3 ACCESS CONTROL While policy rules may allow traffic to be blocked entirely, it's often necessary for a program to provide services to mutually suspicious clients. It should be possible for a service to make appropriate access control decisions based on the identity of the peer; in addition, the peer's certificate may contain interesting SubjectAltName or other attributes which may have relevance for the application; it may also be possible for the system to derive other attributes from the peer's identity. 8.4 ATTRIBUTES/CREDENTIALS [Mission Creep Alert] In many cases, an application is not so much interested in the peer's name, but rather in some other attribute of the peer. Exactly where and how to map from long-term keys to these attributes needs to be nailed down; it may well be that this is best left as a local issue. Some of this is probably out of scope for the working group; however, we should not preclude others from building on this. _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- New naming draft submitted Sam Hartman
- Re: New naming draft submitted Nicolas Williams
- Re: New naming draft submitted Bill Sommerfeld
- Re: New naming draft submitted Sam Hartman
- Re: New naming draft submitted Nicolas Williams