Re: [Secauth] Review request- secauth - authentication and authorization - second draft
Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 15 September 2014 15:58 UTC
Message-ID: <54170A00.3060107@gmx.net>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>, "secauth@ietf.org" <secauth@ietf.org>
In-Reply-To: <814D0BFB77D95844A01CA29B44CBF8A7A351FE@lhreml513-mbx>
Archived-At: http://mailarchive.ietf.org/arch/msg/secauth/oXPWa4l43_r__wx9hI89Zr7f7b4
Hi Hosnieh,

I just took a quick look at the scenarios. Comments are inline:

----

3. Use cases

The following subsections explain different use case scenarios.

3.1. Verification of a User to an Application Over the Network

Alice turned on the wash machine at home and then went to work. Alice can check the status of this wash machine using an application on her Smartphone remotely at company x. The wash machine doesn't support any certificates signed by a CA. Alice needs to be authenticated in the wash machine and the wash machine needs to trust Alice to allow her to control it.

[hannes] Take a look at the ACE use case document. This use case sounds very similar to what we are trying to address. Here is the pointer to the use case document: http://tools.ietf.org/html/draft-seitz-ace-usecases-01

3.2. Home User Behind Firewall or a Proxy Server

Alice's device is behind a firewall or a proxy server. Alice wants to use an application that uses the SIP protocol to contact Bob. Bob rejects any unknown calls to avoid advertisements/spam. The proxy server needs to verify Alice and send the information to Bob's device.

[hannes] Hasn't this been solved already with the work on SIP?

3.3. Home Gateway/Device with a Static IP Address (Valid IP)

Scenario 1: Alice needs to control her home gateway and add new rules so that she can access a device inside her home network. Alice remotely connects to this device. This device doesn't support any valid CA. The device needs to authenticate Alice before letting her control this device and add/modify any new rule on this device.

[hannes] Today this issue is solved by either connecting to the device in a special way (when you install it) and then provisioning your username/password, or you use some other pairing procedure (such as entering info that is printed on the bottom of the device). These pairing procedures are interesting but they often relate to the radio technology that is being used (compare Bluetooth vs. WiFi) and then there are various technologies that have been explored (and standardized already).

Scenario 2: Alice's wash machine technically has a problem. Its application was configured by the vendors in a way to report this problem automatically to a technical service (repair place). Both the technical service application and the wash machine need to authenticate each other so that they can trust each other and exchange information.

[hannes] This is not a common use today but what is common is that devices get provisioned with long-term keys during the manufacturing / provisioning process and then they talk to the websites of the manufacturer. In fact, this is the most common deployment model of IoT appliances today.

3.4. Verification of an App. to an App. Over the Network

[hannes] I don't know a lot about these use cases since I did not follow the OpenFlow work. So, I will skip those.

----

Ciao
Hannes

On 09/15/2014 05:22 PM, Hosnieh Rafiee wrote:
> Hello,
>
> I have revised the secauth requirement and use case draft. I would appreciate your inputs on this new version.
>
> I am going to upload after receiving more feedback.
> The current pre-upload version can be found here:
>
> < http://editor.rozanak.com/show.aspx?u=AZ6AA4BFD809BB71B2544CTAM >
>
> @Paul, Viktor: would you please check to see whether the document is clear and satisfies the changes you have asked for.
>
> @folks: I welcome more comments before uploading the new version. Please share your inputs on editorial, document organization or technical matters.
>
> Thanks,
> Best,
> Hosnieh
>
>
> _______________________________________________
> Secauth mailing list
> Secauth@ietf.org
> https://www.ietf.org/mailman/listinfo/secauth
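The deployment model Hannes points to for scenario 2 (a long-term key provisioned into the appliance at manufacturing time, later used to authenticate the appliance and the manufacturer's service to each other) can be sketched in a few lines. The following is an added example written for this archive page; it is not code from the secauth draft, from the ACE work, or from any vendor. The device identifier, the key registry, the nonce-based challenge-response exchange and the `b"device"` / `b"service"` role labels are all constructed for illustration.

```python
"""Model of factory-provisioned long-term keys with mutual authentication.

Added example (assumptions, not the draft's protocol): the manufacturer keeps a
registry of device_id -> key; the appliance carries the same key; both sides
prove possession of the key with HMAC-SHA256 over fresh nonces.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes of fresh randomness per side, per handshake


def provision_device(registry: dict, device_id: str) -> bytes:
    """Factory step: mint a 256-bit key, record it in the manufacturer's
    registry, and return it so it can be embedded in the appliance."""
    key = secrets.token_bytes(32)
    registry[device_id] = key
    return key


def _tag(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    # Domain-separated MAC: the role label ensures a device response can never
    # be replayed back to the appliance as a valid service response.
    return hmac.new(key, role + first + second, hashlib.sha256).digest()


class Appliance:
    """The wash machine side: holds the key burned in at manufacture."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, server_nonce: bytes):
        # Prove key possession over the service's nonce plus our own nonce.
        device_nonce = secrets.token_bytes(NONCE_LEN)
        tag = _tag(self._key, b"device", server_nonce, device_nonce)
        return self.device_id, device_nonce, tag

    def verify_service(self, server_nonce: bytes, device_nonce: bytes,
                       service_tag: bytes) -> bool:
        # The service must prove it, too, knows the key, bound to our nonce.
        expected = _tag(self._key, b"service", device_nonce, server_nonce)
        return hmac.compare_digest(expected, service_tag)


class VendorService:
    """The manufacturer's back end: looks devices up in the registry."""

    def __init__(self, registry: dict):
        self._registry = registry

    def challenge(self) -> bytes:
        return secrets.token_bytes(NONCE_LEN)

    def verify_device(self, device_id: str, server_nonce: bytes,
                      device_nonce: bytes, tag: bytes):
        # Unknown device id or wrong tag: reject without revealing which.
        key = self._registry.get(device_id)
        if key is None:
            return None
        expected = _tag(key, b"device", server_nonce, device_nonce)
        if not hmac.compare_digest(expected, tag):
            return None
        # Authenticated; answer with the service-side proof.
        return _tag(key, b"service", device_nonce, server_nonce)


def run_handshake(service: VendorService, appliance: Appliance) -> bool:
    """Full exchange; True only when both sides accept each other."""
    server_nonce = service.challenge()
    device_id, device_nonce, tag = appliance.respond(server_nonce)
    service_tag = service.verify_device(device_id, server_nonce,
                                        device_nonce, tag)
    if service_tag is None:
        return False
    return appliance.verify_service(server_nonce, device_nonce, service_tag)


def demo():
    """Provision one appliance and run three handshakes:
    the genuine device, a device with the wrong key, an unregistered id."""
    registry = {}
    key = provision_device(registry, "WM-0001")  # constructed device id
    service = VendorService(registry)
    genuine = run_handshake(service, Appliance("WM-0001", key))
    wrong_key = run_handshake(service, Appliance("WM-0001",
                                                 secrets.token_bytes(32)))
    unregistered = run_handshake(service, Appliance("WM-9999", key))
    return genuine, wrong_key, unregistered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the two role labels and the two nonces is that neither side can be fooled by having its own messages reflected back, and a captured exchange cannot be replayed later; the registry lookup is what makes the manufacturer, rather than a CA, the root of trust in this model, which is exactly why a compromised key registry is the asset to protect.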