[plasma] PEPs, authentication, and attributes
"Fitch, Scott C" <scott.c.fitch@lmco.com> Tue, 25 October 2011 17:16 UTC
Return-Path: <scott.c.fitch@lmco.com>
X-Original-To: plasma@ietfa.amsl.com
Delivered-To: plasma@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63A1621F84A7 for <plasma@ietfa.amsl.com>; Tue, 25 Oct 2011 10:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tHEyyLaL+Oe for <plasma@ietfa.amsl.com>; Tue, 25 Oct 2011 10:15:59 -0700 (PDT)
Received: from mailfo01.lmco.com (mailfo01.lmco.com [192.31.106.12]) by ietfa.amsl.com (Postfix) with ESMTP id D07E221F85A8 for <plasma@ietf.org>; Tue, 25 Oct 2011 10:15:59 -0700 (PDT)
Received: from mailgw1a.lmco.com (ppalertrelay.lmco.com [192.31.106.7]) by mailfo01.lmco.com (8.14.3/8.14.3) with ESMTP id p9PHFxI2020416 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <plasma@ietf.org>; Tue, 25 Oct 2011 18:15:59 +0100
Received: from emss02g01.ems.lmco.com (relay2.ems.lmco.com [166.29.2.54])by mailgw1a.lmco.com (LM-6) with ESMTP id p9PHFwZg003129for <plasma@ietf.org>; Tue, 25 Oct 2011 11:15:59 -0600 (MDT)
Received: from CONVERSION2-DAEMON.lmco.com by lmco.com (PMDF V6.4 #31805) id <0LTM00K01TAMG0@lmco.com> for plasma@ietf.org; Tue, 25 Oct 2011 17:15:58 +0000 (GMT)
Received: from HDXHTPN7.us.lmco.com ([158.188.83.14]) by lmco.com (PMDF V6.4 #31805) with ESMTP id <0LTM009Y9TACNG@lmco.com> for plasma@ietf.org; Tue, 25 Oct 2011 17:15:48 +0000 (GMT)
Received: from HDXDSP11.us.lmco.com ([fe80::c04a:c222:3486:3e3]) by HDXHTPN7.us.lmco.com ([fe80::f1:ff4b:90a4:695%14]) with mapi id 14.01.0289.001; Tue, 25 Oct 2011 11:15:48 -0600
Date: Tue, 25 Oct 2011 17:15:48 +0000
From: "Fitch, Scott C" <scott.c.fitch@lmco.com>
X-Originating-IP: [158.188.95.7]
To: "plasma@ietf.org" <plasma@ietf.org>
Message-id: <DFE85D7EFA640D4886E9A9141AEBCD200A097B38@HDXDSP11.us.lmco.com>
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-language: en-US
Content-transfer-encoding: 7bit
Thread-Topic: PEPs, authentication, and attributes
Thread-Index: AcyTMNeMJIyckKYkTc+x471Qa9C0Nw==
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.4.6813, 1.0.211, 0.0.0000 definitions=2011-10-25_05:2011-10-25, 2011-10-25, 1970-01-01 signatures=0
Subject: [plasma] PEPs, authentication, and attributes
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2011 17:16:00 -0000
(The first of several threads on the v03 of the requirements document. Overall, I really like what I see.)
Section 4.3 outlines the steps that the Content Consumption PEP and PDP following to read a plasma-protected email. The sequence doesn't specify an authentication step for the PEP to the PDP. It seems to me that the PDP will want not only attributes about the message recipient, but also evidence that the recipient is actually there at the other end of the wire.
I see two possibilities here. First option is to have the PEP authenticate to the PDP at first concept in step (C). Or it can authenticate once the PDP asks for more attributes in step (E). I think I favor the first option, but am interested in others' view on this too. A few factors make me lean this direction:
- This prevents the PDP from having to process any unauthenticated requests
- If plasma implementations follow the federation model of SAML and WS-Fed, the recipient will have a trust relationship that defines a (baseline) set of attributes that can be sent to the PDP. This (hopefully) will reduce the instances that a PDP needs to ask the PEP to provide more attributes in step (E).
- Where the PDP will be using a back-end attribute retrieval such as a SAML AttributeQuery, it will need to know something about the subject in order to be able to construct the query and possible to determine which PIP to query in the first place.
Also related to attribute retrieval, I recommend tweaking the Back end Attribute Exchange definition to explain that this is a *query and retrieval* of attributes initiated by the PDP. The current definition implies that the information is sent from the PIP to the PDP, which from a data flow perspective is accurate, but from a security and implementation perspective doesn't accurately describe the communications.
-Scott
Scott Fitch
Cyber Architect
Lockheed Martin Corporate Information Security
m: (860) 614-6013
w: (860) 868-9947
scott.c.fitch@lmco.com
- [plasma] PEPs, authentication, and attributes Fitch, Scott C