Re: [Secret] Questions and comments on tigress charter

Dmitry Vinokurov <dvinokurov@apple.com> Fri, 08 July 2022 17:40 UTC

From: Dmitry Vinokurov <dvinokurov@apple.com>
Date: Fri, 08 Jul 2022 10:39:53 -0700
References: <mailman.54.1656874803.14091.secret@ietf.org>
To: secret@ietf.org
In-reply-to: <mailman.54.1656874803.14091.secret@ietf.org>
Message-id: <7653D129-CA9A-420F-AB49-CF66EC298521@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secret/Ku2I4VkXLOka1kcTWEtoOB1kGr8>
Subject: Re: [Secret] Questions and comments on tigress charter

Hi Jim,

Thank you for the review.
As you correctly mentioned, the problem of sharing a credential is more complex than just giving a key to another person.
It is even more so taking into account the variety of all types or verticals of credentials - some may use symmetric keys, others asymmetric; some devices require credential providers (authority) that generate new keys, others (home or CCC) generate new keys on device.

We specifically did not want to bring into scope the underlying access technologies - such as credential providers, access devices, key generation and provisioning.
The focus of this WG is limited to the problem of transferring such credentials from sender to receiver.
The provisioning process that follows the transfer is much more complex since it is different not just per vertical (e.g. carKey or home key) but even per access technology - e.g. HID or SEOS or CCC.
Dmitry Vinokurov

> On Jul 3, 2022, at 12:00 PM, secret-request@ietf.org wrote:
> 
> Send Secret mailing list submissions to
> 	secret@ietf.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.ietf.org/mailman/listinfo/secret
> or, via email, send a message with subject or body 'help' to
> 	secret-request@ietf.org
> 
> You can reach the person managing the list at
> 	secret-owner@ietf.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Secret digest..."
> Today's Topics:
> 
>   1. Questions and comments on tigress charter (Jim Fenton)
> 
> From: Jim Fenton <fenton@bluepopcorn.net>
> Subject: [Secret] Questions and comments on tigress charter
> Date: July 2, 2022 at 7:53:50 PM PDT
> To: secret@ietf.org
> 
> 
> I guess I missed the deadline on the call for consensus on the charter, but I have some questions and comments nonetheless. I’m referencing charter-ietf-tigress-00-06 as currently shown on Datatracker.
> 
> When I read through the use cases (giving someone temporary use of my car or letting the cat sitter in my home) I immediately thought of this as an authorization problem. I would normally solve this by giving the public key of the delegated user’s credential to the car or house and telling the car or house to accept that credential for some period of time. Or I might authenticate to the hotel and tell them to accept my spouse’s credential. The flow described in the charter is more complicated, and I assume there’s a good reason for that but I don’t understand what it is.
> 
> The charter also refers to a credential authority, but doesn’t explain anything about it. In the case of the cat sitter, what credential authority is there for my home? This is clearer in the hotel room key example (where presumably the credential authority is the hotel or hotel chain?) but that isn’t the general case here.
> 
> I missed the previous BOF but would like to understand the motivation for this WG better.
> 
> -Jim
> 
> Secret mailing list
> Secret@ietf.org
> https://www.ietf.org/mailman/listinfo/secret
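The alternative Jim sketches above (hand the car or house the delegate's public key and tell it to honour that key for a period of time) is an authorization decision made at the lock rather than a transfer of the credential itself. The following is an added example written for this thread, not code from the tigress charter, from any draft, or from either author: a toy lock that keeps an owner-managed allow-list of delegate public keys, each with a validity window, and checks a signed challenge against it. The names `Lock`, `Grant`, `Revoke`, `NewChallenge` and `Verify`, the use of ed25519, and the single-use nonce are all assumptions of this example; it deliberately ignores the key-provisioning differences per vertical that Dmitry points out are out of the WG's scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Delegation is one entry in the lock's allow-list: a delegate's public key
// and the window during which the lock accepts it (hypothetical structure).
type Delegation struct {
	PubKey    ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// Lock stands in for the car or home lock from Jim's message. It holds the
// delegations the owner registered and remembers challenges it has already
// accepted so a captured signature cannot be replayed.
type Lock struct {
	delegations []Delegation
	usedNonces  map[string]bool
}

// NewLock returns an empty lock with no delegations.
func NewLock() *Lock {
	return &Lock{usedNonces: make(map[string]bool)}
}

// ErrDenied is returned for any failed verification; the reason is not
// reported to the presenter, only logged on the lock side in a real system.
var ErrDenied = errors.New("access denied")

// Grant is the owner's action in Jim's model: register the delegate's public
// key together with the period for which the lock should accept it.
func (l *Lock) Grant(pub ed25519.PublicKey, from, until time.Time) {
	l.delegations = append(l.delegations, Delegation{PubKey: pub, NotBefore: from, NotAfter: until})
}

// Revoke removes every delegation for the given key, ending access before
// the window expires (e.g. the cat sitter finished early).
func (l *Lock) Revoke(pub ed25519.PublicKey) {
	kept := l.delegations[:0]
	for _, d := range l.delegations {
		if !d.PubKey.Equal(pub) {
			kept = append(kept, d)
		}
	}
	l.delegations = kept
}

// NewChallenge returns a fresh 32-byte random nonce that the delegate must
// sign. A fresh nonce per attempt is what makes the response unreplayable.
func (l *Lock) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts the signed challenge only if (a) the nonce has not been used
// before, (b) some delegation is valid at time now, and (c) that delegation's
// key verifies the signature. A correct signature under an expired, not yet
// valid, or revoked delegation is denied, which is the whole point of the
// time-bounded model.
func (l *Lock) Verify(nonce, sig []byte, now time.Time) error {
	key := hex.EncodeToString(nonce)
	if l.usedNonces[key] {
		return ErrDenied
	}
	for _, d := range l.delegations {
		if now.Before(d.NotBefore) || now.After(d.NotAfter) {
			continue
		}
		if ed25519.Verify(d.PubKey, nonce, sig) {
			l.usedNonces[key] = true
			return nil
		}
	}
	return ErrDenied
}

func main() {
	// Constructed scenario: the owner lets a cat sitter in for three days.
	sitterPub, sitterPriv, _ := ed25519.GenerateKey(nil)
	lock := NewLock()
	start := time.Date(2022, 7, 8, 0, 0, 0, 0, time.UTC)
	lock.Grant(sitterPub, start, start.Add(72*time.Hour))

	nonce, _ := lock.NewChallenge()
	sig := ed25519.Sign(sitterPriv, nonce)
	fmt.Println("day 1:", lock.Verify(nonce, sig, start.Add(24*time.Hour)))

	nonce, _ = lock.NewChallenge()
	sig = ed25519.Sign(sitterPriv, nonce)
	fmt.Println("day 5:", lock.Verify(nonce, sig, start.Add(120*time.Hour)))
}
```

The lock never sees the sitter's private key and nothing is provisioned onto the sitter's device by an authority, which is what makes this model simpler than the transfer flow in the charter; the trade-off is that every lock must be reachable by the owner to register and revoke keys, and that a lock with the wrong clock enforces the wrong window.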