Request for comments from x500 experts
Allegre <allegre@issy.cnet.fr> Tue, 30 July 1996 08:52 UTC
Date: Tue, 30 Jul 1996 10:25:48 +0200
From: Allegre <allegre@issy.cnet.fr>
Message-ID: <9607300825.AA00222@detritus>
To: osi-ds@cs.ucl.ac.uk
Subject: Request for comments from x500 experts
Dear all,

For Public Switching Telecommunication Networks, we are studying an architecture to offer several services to customers in a multi-provider environment. We would have liked to use an implementation conforming to the ITU-T Recommendation X.500 series to ensure and support the security of the services, but it seems that we have to define our own X.500 extensions. Before selecting this kind of alternative, we would like advice from X.500 experts, in order to know whether we are missing a capability of the X.500 series that would achieve our requirements. If no such capability exists, or if some other X.500 users have met similar requirements, perhaps it would be fine to gather the solutions in order to contribute to the standard.

Sincerely,
Francois ALLEGRE

PS: Following is the description of the service and its constraints, and the different X.500 operations that we examined.

_______________________________________________________________

Description of a part of the service:

A provider of service H (e.g. a bank) has a customer C who roams in other domains and uses services from providers Vi (e.g. telecommunication). Each provider Vi wants to ensure that C is the one he claims to be.

Architecture constraints:

The link between C and V does not support X.500. Thus the DUA runs in a computer of V. Computers of V can dialog with computers of H using X.500.

Functionality constraints:

The authentication is based on a (challenge, response) scheme. The algorithm used to compute the response from the challenge could be proprietary. Then, since V could provision its service to several H, V does not get the code to execute the challenge/response algorithms.

Authentication description:

The security experts propose a choice between two procedures:

- precomputation of challenge/response by H, distribution to V (as in GSM), sending of the challenge to C and verification of his response;

- selection of the challenge by V, sending of the challenge to C and verification of his response, sending of the user response and the challenge to H for verification (H ought to control any replay of challenge).

Examination of the implementation of the procedures on X.500

Choice 1

It seems that this procedure cannot be implemented without corrupting the X.500 spirit:

- triggering an internal computation by a read of a specific attribute of the user entry. The read of this zone of the database is detected by a specific implementation mechanism which changes its content after the reading; or

- use of a read with a "PROTECTED" read result where the "encAlgorithm" of the "genEncryptedTransform" (X.501 amendment 5) is not a ciphering algorithm but an algorithm which selects a random, makes a computation and fills the "encData" with challenge/response in "ber" format.

Choice 2

The challenge and the customer's answer could be put in an "ExternalCredential". The verification would be done by a "bind" with "externalProcedure" credentials, if the DUA could select the "right" DSA (i.e. the DSA where the user entry is stored) in H. It seems that it does not work if the selected DSA has to chain the verification to the DSA including the user entry.

_______________________________________________________________

Thanks in advance for your comments and suggestions.
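The two authentication procedures the message describes, worked through as an added example that is not part of the original post or of any X.500 product: H's proprietary challenge/response algorithm is stood in for by HMAC-SHA256 (an assumption), the X.500 dialogue between V and H is replaced by direct Python calls, and the names HomeProvider, Customer, VisitedProvider and run_scenario are hypothetical. Choice 1 hands V precomputed pairs it consumes once each; Choice 2 has V pick the challenge and forward the pair to H, which refuses a challenge it has already accepted.

```python
import hmac, hashlib, secrets

def proprietary_response(key, challenge):
    # Stand-in (assumption) for H's proprietary algorithm; only H and C hold the key to run it.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class HomeProvider:                              # H, e.g. the bank
    def __init__(self):
        self.keys, self.seen = {}, {}            # customer -> key; customer -> challenges already accepted
    def enrol(self, name, key):
        self.keys[name], self.seen[name] = key, set()
    def precompute(self, name, n=3):             # Choice 1: GSM-like (challenge, response) pairs handed to V
        return [(c, proprietary_response(self.keys[name], c))
                for c in (secrets.token_bytes(16) for _ in range(n))]
    def verify(self, name, challenge, response):  # Choice 2: V forwards challenge and response, H checks
        if challenge in self.seen[name]:         # H controls any replay of a challenge
            return False
        ok = hmac.compare_digest(proprietary_response(self.keys[name], challenge), response)
        if ok: self.seen[name].add(challenge)    # remember it so the same pair is refused next time
        return ok

class Customer:                                  # C, roaming in V's domain
    def __init__(self, name, key):
        self.name, self.key = name, key
    def answer(self, challenge):
        return proprietary_response(self.key, challenge)
class VisitedProvider:                           # V, holds neither the key nor the algorithm
    def auth_choice1(self, customer, pairs):
        challenge, expected = pairs.pop()        # each precomputed pair is consumed once
        return hmac.compare_digest(expected, customer.answer(challenge))
    def auth_choice2(self, home, customer):
        challenge = secrets.token_bytes(16)      # V picks the challenge but cannot check the answer itself
        return home.verify(customer.name, challenge, customer.answer(challenge))

def run_scenario():
    key = secrets.token_bytes(32)                # constructed customer secret shared by H and C only
    home, visited = HomeProvider(), VisitedProvider()
    home.enrol("C", key)
    good, impostor = Customer("C", key), Customer("C", secrets.token_bytes(32))
    pairs = home.precompute("C")
    ch = secrets.token_bytes(16)                 # a genuine pair presented to H twice
    resp = good.answer(ch)
    return {
        "choice1_genuine": visited.auth_choice1(good, pairs),
        "choice1_impostor": visited.auth_choice1(impostor, pairs),
        "choice2_genuine": visited.auth_choice2(home, good),
        "choice2_impostor": visited.auth_choice2(home, impostor),
        "choice2_first_use": home.verify("C", ch, resp),
        "choice2_replay": home.verify("C", ch, resp),
    }
```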