IETF Logo Mail Archive

Re: [Secauth] Review request- secauth - authentication and authorization - second draft

Hosnieh Rafiee <hosnieh.rafiee@huawei.com> Mon, 15 September 2014 16:57 UTC

Return-Path: <hosnieh.rafiee@huawei.com>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BAD01A897D for <secauth@ietfa.amsl.com>; Mon, 15 Sep 2014 09:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.253
X-Spam-Level:
X-Spam-Status: No, score=-5.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MBKreoE1YNTS for <secauth@ietfa.amsl.com>; Mon, 15 Sep 2014 09:57:44 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4769D1A898F for <secauth@ietf.org>; Mon, 15 Sep 2014 09:23:57 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BMQ14754; Mon, 15 Sep 2014 16:23:54 +0000 (GMT)
Received: from LHREML513-MBX.china.huawei.com ([10.201.4.199]) by lhreml404-hub.china.huawei.com ([::1]) with mapi id 14.03.0158.001; Mon, 15 Sep 2014 17:23:48 +0100
From: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [Secauth] Review request- secauth - authentication and authorization - second draft
Thread-Index: AQHP0Pjem6xKx/YzMUuAvU7OwT31FJwCResAgAATAxA=
Date: Mon, 15 Sep 2014 16:23:48 +0000
Message-ID: <814D0BFB77D95844A01CA29B44CBF8A7A35A41@lhreml513-mbx>
References: <814D0BFB77D95844A01CA29B44CBF8A7A29685@lhreml513-mbb.china.huawei.com> <53FDDDA2.3070607@freeradius.org> <814D0BFB77D95844A01CA29B44CBF8A7A2A44F@lhreml513-mbb.china.huawei.com> <7BAC95F5A7E67643AAFB2C31BEE662D01EE567EDFD@SC-VEXCH2.marvell.com> <000101cfc768$b26d56b0$17480410$@rozanak.com> <814D0BFB77D95844A01CA29B44CBF8A7A351FE@lhreml513-mbx> <54170A00.3060107@gmx.net>
In-Reply-To: <54170A00.3060107@gmx.net>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.221.82.100]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/secauth/MUZDnrcgUpc75p5iyVMoAqEi1ao
Cc: "secauth@ietf.org" <secauth@ietf.org>
Subject: Re: [Secauth] Review request- secauth - authentication and authorization - second draft
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Sep 2014 16:57:45 -0000

Hi Hannes,

Thanks a lot for your comment that I really appreciated. Please find my responses inline.

> 
> [hannes] Take a look at the ACE use case document. This use case sounds
> very similar to what we are trying to address. Here is the pointer to
> the use case document:
> http://tools.ietf.org/html/draft-seitz-ace-usecases-01

The scope of them are not the same. secauth covers greater scope than ACE.  As far as I can remember (if my memory helps) both group was initiated almost at the first time but ACE focused on constrained devices and the main focus of secauth is the use of network layer security for first point of trust in different use cases. In other words, you can combine it with other approaches if it is necessary -- OAuth, ACE, etc.

I think ACE is a protocol and secauth is at the moment an API.


> 
> [hannes] Hasn't this been solved already with the work on SIP?

As far as I know there was a draft that aimed to use IPsec and I explained in the draft about the use of IPsec. I haven't seen other works. Probably I missed them. If there are please share the links and I would review and compare with secauth. Secauth wants to be simple and easy because automation is also the purpose.


> [hannes] Today this issue is solved by either connecting to the device
> in a special way (when you install it) and then provision your
> username/password or you use some other pairing procedure (such as
> entering info that is printed on the bottom of the device).

The use of secauth doesn't necessarily reduce the need of passwords. You can use two level authentication and authorization. The other case is that what if you need to change your IP or other parameters? Do you need to reconfigure manually? This is again what I plan to address.

> These pairing procedures are interesting but they often relate to the
> radio technology that is being used (compare Bluetooth vs. WiFi) and
> then there are various technologies that have been explored (and
> standardized already).

True. But I also considered them in the introduction and problem statement. The various security approaches that are used and as far as I know the first point of trust is already the main problem. It is difficult to close that gap completely but we can eliminate this gap by the use of secauth.


> Scenario 2: Alice?s wash machine technically has a problem. Its
> application was configured by the vendors? in a way to report this
> problem automatically to a technical service (repair place). Both the
> technical service application and wash machine need to authenticate
> each other so that they can trust and exchange information.
> 
> [hannes] This is not a common use today but what is common is that
> devices get provisioned with long-term keys during the manufacturing /
> provisioning process and then they talk to the websites of the
> manufacturer. In fact, this is the most common deployment model of IoT
> appliances today.

I read an article two days ago that there are already some vendors that have smart home devices that send information to the technical site. So, this is already in use but with... unsure level of security. This was the case I also considered it as one of the important use cases. 

> 3.4.  Verification of an App. to an App. Over the Network
> 
> [hannes] I don't know a lot about these use cases since I did not
> follow the OpenFlow work. So, I will skip those.
> 

SDN/NFV are quite new and there are still working on progress for their security. So secauth can be an answer to the authentication and authorization. 

I hope I could answer your concerns. If not please let me know where I did not.

Thanks,
Best,
Hosnieh

v2.23.0 | Report a Bug | By Email