[plasma] Plasma Use Cases - B2B
"James Schaad" <jimsch@nwlink.com> Fri, 08 April 2011 18:00 UTC
Return-Path: <jimsch@nwlink.com>
X-Original-To: plasma@core3.amsl.com
Delivered-To: plasma@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5CD6B3A69F4 for <plasma@core3.amsl.com>; Fri, 8 Apr 2011 11:00:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qN0qHXn4qbc9 for <plasma@core3.amsl.com>; Fri, 8 Apr 2011 11:00:30 -0700 (PDT)
Received: from new-smtp01.pacifier.net (new-smtp01.pacifier.net [64.255.237.177]) by core3.amsl.com (Postfix) with ESMTP id 132563A68E0 for <plasma@ietf.org>; Fri, 8 Apr 2011 11:00:28 -0700 (PDT)
Received: from TITUS (176.120.168.69.static.onlinenw.com [69.168.120.176]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by new-smtp01.pacifier.net (Postfix) with ESMTPS id 8691B2CA58 for <plasma@ietf.org>; Fri, 8 Apr 2011 11:02:14 -0700 (PDT)
From: James Schaad <jimsch@nwlink.com>
To: plasma@ietf.org
Date: Fri, 08 Apr 2011 11:27:24 -0700
Message-ID: <004e01cbf61a$9ba167a0$d2e436e0$@nwlink.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Acv2D4Oy18LYwI0kTOyX2t+XCNIyYg==
Content-Language: en-us
Subject: [plasma] Plasma Use Cases - B2B
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 18:00:31 -0000
Going back to the set of use cases in the draft. I am going to propose a greater set of cases that need to be looked at. Since I am still of the opinion that ABFAB provides a good architecture to build on, the terminology that I am going to use is what I consider to be the best ABFAB terms (they sometimes get themselves mixed up by multiple naming). Cases: 1. Everybody is located in one location Sender, Receiver (both subjects), RP and IdP are logically in the same location. In this case normal ABFAB processing works as everybody can easily understand what is being asked for and there is a single set of attributes that would be defined for usage. In addition to using the IdP w/EAP to get identity information, it would be avoid talking to the IdP in some situations either because of a prior communication w/ the RP. Additionally one could see the identification operation being done by the use of a locally assigned ticket when accessing the current domain (i.e. a Kerberos ticket or authenticated RPC). It would also be possible to use PKI rather than EAP as the authentication feature w/ the use of attribute certificates. 2. Sender and Receiver at different locations Location A - Sender, RP, IdP_A Location B - Receiver, IdP_B The IdPs are run by the same organization, and thus will have the same basic information. The IdPs might in fact be replications of each other (on the assumption that a person from location B should be able to login at location A). Issues that need to be address in this case are: a) What happens if the attributes that can be attested by the different IdPs are different? b) What happens if the IdPs are currently out of sync? c) What logic is needed to identify the other IdP if needed. Does this need to be supported by AAA or not? 3. Sender and Receiver at different locations - different IdP systems Location A - Sender, RP, IdP_A Location B - Receiver, IdP_B The IdPs are run by different organizations, but they have some type of basic federation infrastructure which establishes both a trust relationship as well as a policy mapping system for policy decisions. This is the classic ABFAB case. 4. Sender and Receiver at different locations - multiple RPs Location A - Sender, RP_a, IdP_A Location B - Receiver, RP_b, IdP_B In this case it is assumed that each RP is a replicate of the other (although with different keys) and that the same policy code is installed on both system. If the IdPs are not replicates, then it is assumed that the policy module at each location understand the necessary mapping of attributes. The RP_a would include lock boxes for both RP_a and RP_b in the message so that works seamlessly. In some cases the sender and receiver could be in different companies. In this case there would be questions if RP_b was under the control of company A or company B. In the first case we keep the same set of legal and fiscal liabilities - i.e. the PDP is still under the control of company A. In the second case the information release would under the control of company B which might cause problems, but would be more acceptable from a system maintenance point. (Keeping the RP_b in a DMZ might deal with some of these issues.) 5. Sender and Receiver at different locations - receiver does not have its own IdP. Location A - Sender, RP, IdP_A, IdP_external Location B - Receiver In this case there is an agreement between the two entities, but it is not a federation arrangement. Instead an IdP is provided by the sender's organization to a set of individuals external to the location by which those individuals can identify themselves to the RP. Are there other B2B cases that people can think of? Jim
- [plasma] Plasma Use Cases - B2B James Schaad