IETF Logo Mail Archive

Re: [P2PSIP] Identity certificate segregation [was Re: draft-ietf-p2psip-base publication to be requested]

Marc Petit-Huguenin <petithug@acm.org> Fri, 01 July 2011 22:44 UTC

Return-Path: <petithug@acm.org>
X-Original-To: p2psip@ietfa.amsl.com
Delivered-To: p2psip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EF3111E81F9 for <p2psip@ietfa.amsl.com>; Fri, 1 Jul 2011 15:44:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.55
X-Spam-Level:
X-Spam-Status: No, score=-102.55 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7uhNpELmL3z for <p2psip@ietfa.amsl.com>; Fri, 1 Jul 2011 15:44:18 -0700 (PDT)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 8DDE511E81F7 for <p2psip@ietf.org>; Fri, 1 Jul 2011 15:44:18 -0700 (PDT)
Received: from [IPv6:2001:55c:4c15:5f80:213:d4ff:fe04:3e08] (unknown [IPv6:2001:55c:4c15:5f80:213:d4ff:fe04:3e08]) by implementers.org (Postfix) with ESMTPS id 8475B2199E; Sat, 2 Jul 2011 00:43:35 +0200 (CEST)
Message-ID: <4E0E4DBE.5060302@acm.org>
Date: Fri, 01 Jul 2011 15:44:14 -0700
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110626 Iceowl/1.0b2 Icedove/3.1.11
MIME-Version: 1.0
To: Diego Suarez <loopp2psip@gmail.com>
References: <BANLkTikuy8qpZ42Zod1YK2+iYv1ib6=Yag@mail.gmail.com> <1307629878.30919.87.camel@toedo> <4DF0FD49.3020505@acm.org> <1307641649.5184.17.camel@santeles>
In-Reply-To: <1307641649.5184.17.camel@santeles>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: P2PSIP WG <p2psip@ietf.org>
Subject: Re: [P2PSIP] Identity certificate segregation [was Re: draft-ietf-p2psip-base publication to be requested]
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/p2psip>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jul 2011 22:44:19 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Diego,

How does this work with an access control policy like USER-NODE-MATCH, which
requires both a Node-ID and a username in the SignerIdentity?  If the Node-ID
and the username are in separate certificates, wouldn't that require to extend
the SignerIdentity structure to store multiple identities?

Thanks.

On 06/09/2011 10:47 AM, Diego Suarez wrote:
> I think it would require a (slight) modification in the base document.
> Current P2PSIP certification model is based on a single PKC (including
> both usernames and nodeIDs) that uniquely identifies a user and her
> devices. On the other hand, our model is base on a split certification.
> Devices and users are independent. Each device has its own PKC including
> a nodeID and a PK. Similarly, each user has her own PKC including her
> username and a PK. This approach do not prevent a centralized entity
> (such as an offline CA) to have information related to the devices each
> user (or company, etc.) has registered, but permits, among other
> improvements, a user to be connected to the system through devices she
> has not registered herself such as a phone issued by a telco or a fixed
> phone in a laboratory shared by all the members of a research group.
> 
> 
> On Thu, 2011-06-09 at 10:05 -0700, Marc Petit-Huguenin wrote:
> Does this model really required modifications in the base document, or can it be
> designed as an extension?  (Unfortunately the paper is not freely available, so
> it is difficult to know really what is needed for this).
> 
> On 06/09/2011 07:31 AM, Diego Suarez wrote:
>>>> Hi, 
>>>>
>>>> I had in mind writing a draft about this, but since I'm running out of
>>>> time, I would like to summarize a new certification model for P2PSIP I
>>>> have been working on, in case it is of interest for the group.
>>>> Further details can be found in paper:
>>>>
>>>> D. Touceda, J. Camara, L. Villalba, and J. Marquez, Advantages of
>>>> identity certificate segregation in P2PSIP systems, Communications,
>>>> IET, vol. 5, pp. 879889, Apr. 2011.
>>>>
>>>>
>>>> The idea is to split the certification of users and devices. Devices are
>>>> identified by PKCs including a nodeID and the PK of the device, while
>>>> users are identified by PKCs including a username and the PK of the
>>>> user. Similar models have been used before in other communications
>>>> systems, such as GSM where devices and users are separately represented
>>>> by the international mobile equipment identity (IMEI) stored in the
>>>> phones and the international mobile subscriber identity (IMSI) stored in
>>>> the user subscriber identity module (SIM), respectively.
>>>>
>>>> Motivations of this model are:
>>>>
>>>> - Users and devices are different entities performing different
>>>> roles within a P2PSIP system. Devices are nodes of the P2P
>>>> overlay network (represented by a nodeID) that offer services
>>>> (to route messages, to store data, . . .) to the system, while
>>>> users (represented by an username) utilize these services,
>>>> usually to establish media communications using SIP.
>>>>
>>>> - Support for mobility scenarios where a user may be logged at different
>>>> devices at the same time using the same PKC.
>>>>
>>>> - Support several users to be logged in the same device (like a fixed
>>>> phone) at the same time.
>>>>
>>>> - Support for user independent hard-coded devices.
>>>>
>>>> - Interoperability with SIP. SIP certificates are not valid in actual
>>>> P2PSIP since they don't include a nodeID.
>>>>
>>>> cheers
>>>>
>>>> Diego Suárez
>>>>
>>>>
>>>> On Wed, 2011-06-08 at 09:48 -0700, David A. Bryan wrote:
>>>>> Unless something major comes up, we plan to request the newest version
>>>>> of the base draft, draft-ietf-p2psip-base-15, be published. I'll put
>>>>> in the request in a week (June 16th or 17th). If there are any further
>>>>> comments from the last call a while ago (or further comments on the
>>>>> comments since then), please send them to the list ASAP.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> David (as chair)
>>>>> _______________________________________________
>>>>> P2PSIP mailing list
>>>>> P2PSIP@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/p2psip
>>>>
>>>>
>>>> _______________________________________________
>>>> P2PSIP mailing list
>>>> P2PSIP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/p2psip
> 
> 

- -- 
Marc Petit-Huguenin
Personal email: marc@petit-huguenin.org
Professional email: petithug@acm.org
Blog: http://blog.marc.petit-huguenin.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4OTbsACgkQ9RoMZyVa61fT2wCgqvIOHjARLO47zfHLRTYFrgt7
XYYAn1tF6/fhwO0bfttpuy4ELx3c0kjC
=NS7V
-----END PGP SIGNATURE-----

v2.8.7 | Report a Bug | By Email