IETF Logo Mail Archive

Re: [Sip] comments on draft-kupwade-sip-iba-00

Dean Willis <dean.willis@softarmor.com> Fri, 29 February 2008 18:15 UTC

Return-Path: <sip-bounces@ietf.org>
X-Original-To: ietfarch-sip-archive@core3.amsl.com
Delivered-To: ietfarch-sip-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E2E613A6953; Fri, 29 Feb 2008 10:15:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.591
X-Spam-Level:
X-Spam-Status: No, score=-0.591 tagged_above=-999 required=5 tests=[AWL=-0.154, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vy063cYQHmaT; Fri, 29 Feb 2008 10:15:13 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0529F28C544; Fri, 29 Feb 2008 10:15:13 -0800 (PST)
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59C033A6953 for <sip@core3.amsl.com>; Fri, 29 Feb 2008 10:15:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6T90p9ui5PXA for <sip@core3.amsl.com>; Fri, 29 Feb 2008 10:15:06 -0800 (PST)
Received: from nylon.softarmor.com (nylon.softarmor.com [66.135.38.164]) by core3.amsl.com (Postfix) with ESMTP id D8AB028C602 for <sip@ietf.org>; Fri, 29 Feb 2008 10:15:05 -0800 (PST)
Received: from [192.168.2.100] (cpe-76-185-142-113.tx.res.rr.com [76.185.142.113] (may be forged)) (authenticated bits=0) by nylon.softarmor.com (8.13.8/8.13.8/Debian-3) with ESMTP id m1TIEt1k005906 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 29 Feb 2008 12:14:57 -0600
Message-Id: <3CC70159-1B55-4AAC-9B1A-D465ED346ED4@softarmor.com>
From: Dean Willis <dean.willis@softarmor.com>
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20080229063214.9E2A35081A@romeo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Fri, 29 Feb 2008 12:14:50 -0600
References: <20080227170702.5A5C05081A@romeo.rtfm.com> <132324.81291.qm@web65509.mail.ac4.yahoo.com> <20080227171901.8EAE95081A@romeo.rtfm.com> <47C7017D.5020301@softarmor.com> <47C7213A.5090000@cisco.com> <57ED2BE6-1A90-4D15-A7E0-8366082BD6BA@softarmor.com> <20080229063214.9E2A35081A@romeo.rtfm.com>
X-Mailer: Apple Mail (2.919.2)
Cc: sip@ietf.org, Michael Thomas <mat@cisco.com>
Subject: Re: [Sip] comments on draft-kupwade-sip-iba-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org

On Feb 29, 2008, at 12:32 AM, Eric Rescorla wrote:

> At Thu, 28 Feb 2008 22:54:17 -0600,
> Dean Willis wrote:
>>>
>>>  2.  Key discovery: Callers can generate the public key of the  
>>> callee
>>>      from the identity (SIP URI) of the callee and vice versa.  This
>>>      eliminates a requirement for a key discovery mechanism using
>>>      external sources, making deployment significantly easier.
>>>
>>> Or you can ship the key or cert in the signaling too.
>>
>> yes, although those keys may be big (a problem for network resource
>> constrained environments), AND you have to ship them before they can
>> be used for encryption. For signing, I can send my cert along with a
>> signed message. But if I'm going to encrypt the message to you, I  
>> need
>> your public  key BEFORE sending the message.
>>
>> Since the IB model generates public keys from SIP URIs, if I have
>> enough info on you to send you the message, then I also have enough  
>> to
>> encrypt it.
>
> Yes, this is a clear advantage of IBE over PKI-based systems. But
> as I said, it doesn't apply to IBS. Moreover, if there's any
> kind of retargeting, then IBE has real problems.
>

I see it as applying directly to IBS. Every message carries enough  
information (without the overhead of carrying a cert) for any  
recipient in the hierarchy to be able to validate a signature on that  
message. That's very useful in a P2P sort of world.

For example, if you're a peer making an admitting decision, you can  
validate a signature on an admission request without having to "get"  
the cert for that user from the DHT.

>
>
>>>  3.  Certificate validation: As a result caller or callee need not  
>>> go
>>>      through the complex path construction process to retrieve the
>>>      public keys of a chain of CAs from the public key depositories
>>>      which are controlled by the respective CAs.  This allows
>>>      deployment in a peer-to-per modality without a need to route  
>>> SIP
>>>      messages through a centralized identity service or trust peer
>>>      nodes to operate as identity services.
>>>
>>> What is the KG if not a centralized entity? I guess I don't
>>> understand this part.
>>
>> It's a centralized entity, but OUTSIDE of the signaling path.
>> Interaction with it is independent of interaction within the  
>> signaling
>> plane.
>>
>> Consider, for example, a P2PSIP deployment that may initially
>> bootstrap in a connected environment. Everybody talks to their PKGs
>> and gets keyed up. Then a disaster occurs, people jump in their
>> response vehicles, and rush off to the impact zone where they form an
>> ad-hoc network. Their keys still work without further access to the  
>> PKG.
>>
>> Contrast this to RFC 4474 identity servers, where each SIP request  
>> has
>> to go through a server, where a cryptographic process occurs. This is
>> a very load-sensitive centralized device without which the system
>> cannot function.
>
> But this is *by design* because the original system for public key
> end-to-end authentication, S/MIME which *did* use end-user
> certificates, was determined to be impractical, because--wait for
> it--end-entity enrollment was such a PITA. A situation which is
> *exactly* the same for IB* systems.

But by examination, it's easy to solve for IB systems. You say the  
same solution can apply to cert-based systems.

Why doesn't anyone do it that way? There must be more to it -- maybe  
just a cognitive gap, but there MUST be some underlying reason or  
reasons.

Skype, for example, has the "feel" of an IB system as I describe it,  
even though it's really more conventional crypto underneath. But they  
don't pretend to be a CA.

>
>
>
>> Sure, we could do something similar by having the "initial bootstrap"
>> include a CA process wherein everbody gets a cert. But now we need a
>> way of distributing the certs, either by broadcast or some sort of
>> query protocol. Why bother when an identity-based-encryption model
>> makes it so much easier?
>
> Again, you're conflating encryption with data origin authentication.
> Yes, this is an advantage of IBE, for encryption. It doesn't make it
> any easier for signature however, as noted above.

As noted above, it DOES. Anybody who has an identity within the  
hierarchy can validate signatures on messages without needing to fetch  
a cert.

>
>
>
>
>>>  4.  Revocation: The ease of minting new identities and discovering
>>>      keys allows short-lived identities, reducing the need for
>>>      certificate revocation lists and the checking thereof.  This
>>>      offers very large operational advantages in resource  
>>> constrained
>>>      environments.
>>>
>>> I don't understand why this is "easy". Enrollment is
>>> "hard" unless there's something really new here. And
>>> if I wanted a short-lived identity, I could just gin
>>> up a new public key pair and use that as the identity
>>> too. But I thought that the real problem was dealing with
>>> long term identities like, oh say, mat@cisco.com.
>>>
>>
>> Secondary enrollment, or at least minting a new identity, is
>> relatively easy, While the server load for crypto is comparable to
>> that of generating a cert, the amount of data on the wire is much
>> smaller.
>
> Uh, sure. You authenticate to the CA/KG and it sends you your new
> credential. In the case of the PKI, you get a new certificate, which
> is definitely less than 1KB, but since it's almost exactly the same as
> the old cert, what you really need is the new signature, so we can
> compress that down to 320-1024 bits, depending on the signature
> algorithm.
>
> In the case of BB signatures, to take one instantiation, the private
> key is 320 bits, so we're basically looking at a wash. Except,
> of course, that you need to transmit the private key securely
> whereas the certificate can be distributed over an insecure
> protocol, so once you factor in the overhead of the SSL connection
> (or S/MIME, or whatever) you use to distribute the private key,
> things start to look a lot worse.

Given that we have a two-layer model with permanent and temporary  
secrets, the permanent secret could be used to encrypt the temporary  
private key, making it work just like a protected cert.

But wait, there's more. There is math available that makes the thing  
that comes back from the PKG a "partial" key that then has to be  
combined with the secret held by the user to be useful. As such, the  
partial key isn't secret -- it can be transmitted in plain text.
>
--
Dean

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email