Re: [Sip] comments on draft-kupwade-sip-iba-00
Dean Willis <dean.willis@softarmor.com> Fri, 29 February 2008 18:15 UTC
Return-Path: <sip-bounces@ietf.org>
X-Original-To: ietfarch-sip-archive@core3.amsl.com
Delivered-To: ietfarch-sip-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E2E613A6953; Fri, 29 Feb 2008 10:15:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.591
X-Spam-Level:
X-Spam-Status: No, score=-0.591 tagged_above=-999 required=5 tests=[AWL=-0.154, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vy063cYQHmaT; Fri, 29 Feb 2008 10:15:13 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0529F28C544; Fri, 29 Feb 2008 10:15:13 -0800 (PST)
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59C033A6953 for <sip@core3.amsl.com>; Fri, 29 Feb 2008 10:15:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6T90p9ui5PXA for <sip@core3.amsl.com>; Fri, 29 Feb 2008 10:15:06 -0800 (PST)
Received: from nylon.softarmor.com (nylon.softarmor.com [66.135.38.164]) by core3.amsl.com (Postfix) with ESMTP id D8AB028C602 for <sip@ietf.org>; Fri, 29 Feb 2008 10:15:05 -0800 (PST)
Received: from [192.168.2.100] (cpe-76-185-142-113.tx.res.rr.com [76.185.142.113] (may be forged)) (authenticated bits=0) by nylon.softarmor.com (8.13.8/8.13.8/Debian-3) with ESMTP id m1TIEt1k005906 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 29 Feb 2008 12:14:57 -0600
Message-Id: <3CC70159-1B55-4AAC-9B1A-D465ED346ED4@softarmor.com>
From: Dean Willis <dean.willis@softarmor.com>
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20080229063214.9E2A35081A@romeo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Fri, 29 Feb 2008 12:14:50 -0600
References: <20080227170702.5A5C05081A@romeo.rtfm.com> <132324.81291.qm@web65509.mail.ac4.yahoo.com> <20080227171901.8EAE95081A@romeo.rtfm.com> <47C7017D.5020301@softarmor.com> <47C7213A.5090000@cisco.com> <57ED2BE6-1A90-4D15-A7E0-8366082BD6BA@softarmor.com> <20080229063214.9E2A35081A@romeo.rtfm.com>
X-Mailer: Apple Mail (2.919.2)
Cc: sip@ietf.org, Michael Thomas <mat@cisco.com>
Subject: Re: [Sip] comments on draft-kupwade-sip-iba-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
On Feb 29, 2008, at 12:32 AM, Eric Rescorla wrote: > At Thu, 28 Feb 2008 22:54:17 -0600, > Dean Willis wrote: >>> >>> 2. Key discovery: Callers can generate the public key of the >>> callee >>> from the identity (SIP URI) of the callee and vice versa. This >>> eliminates a requirement for a key discovery mechanism using >>> external sources, making deployment significantly easier. >>> >>> Or you can ship the key or cert in the signaling too. >> >> yes, although those keys may be big (a problem for network resource >> constrained environments), AND you have to ship them before they can >> be used for encryption. For signing, I can send my cert along with a >> signed message. But if I'm going to encrypt the message to you, I >> need >> your public key BEFORE sending the message. >> >> Since the IB model generates public keys from SIP URIs, if I have >> enough info on you to send you the message, then I also have enough >> to >> encrypt it. > > Yes, this is a clear advantage of IBE over PKI-based systems. But > as I said, it doesn't apply to IBS. Moreover, if there's any > kind of retargeting, then IBE has real problems. > I see it as applying directly to IBS. Every message carries enough information (without the overhead of carrying a cert) for any recipient in the hierarchy to be able to validate a signature on that message. That's very useful in a P2P sort of world. For example, if you're a peer making an admitting decision, you can validate a signature on an admission request without having to "get" the cert for that user from the DHT. > > >>> 3. Certificate validation: As a result caller or callee need not >>> go >>> through the complex path construction process to retrieve the >>> public keys of a chain of CAs from the public key depositories >>> which are controlled by the respective CAs. This allows >>> deployment in a peer-to-per modality without a need to route >>> SIP >>> messages through a centralized identity service or trust peer >>> nodes to operate as identity services. >>> >>> What is the KG if not a centralized entity? I guess I don't >>> understand this part. >> >> It's a centralized entity, but OUTSIDE of the signaling path. >> Interaction with it is independent of interaction within the >> signaling >> plane. >> >> Consider, for example, a P2PSIP deployment that may initially >> bootstrap in a connected environment. Everybody talks to their PKGs >> and gets keyed up. Then a disaster occurs, people jump in their >> response vehicles, and rush off to the impact zone where they form an >> ad-hoc network. Their keys still work without further access to the >> PKG. >> >> Contrast this to RFC 4474 identity servers, where each SIP request >> has >> to go through a server, where a cryptographic process occurs. This is >> a very load-sensitive centralized device without which the system >> cannot function. > > But this is *by design* because the original system for public key > end-to-end authentication, S/MIME which *did* use end-user > certificates, was determined to be impractical, because--wait for > it--end-entity enrollment was such a PITA. A situation which is > *exactly* the same for IB* systems. But by examination, it's easy to solve for IB systems. You say the same solution can apply to cert-based systems. Why doesn't anyone do it that way? There must be more to it -- maybe just a cognitive gap, but there MUST be some underlying reason or reasons. Skype, for example, has the "feel" of an IB system as I describe it, even though it's really more conventional crypto underneath. But they don't pretend to be a CA. > > > >> Sure, we could do something similar by having the "initial bootstrap" >> include a CA process wherein everbody gets a cert. But now we need a >> way of distributing the certs, either by broadcast or some sort of >> query protocol. Why bother when an identity-based-encryption model >> makes it so much easier? > > Again, you're conflating encryption with data origin authentication. > Yes, this is an advantage of IBE, for encryption. It doesn't make it > any easier for signature however, as noted above. As noted above, it DOES. Anybody who has an identity within the hierarchy can validate signatures on messages without needing to fetch a cert. > > > > >>> 4. Revocation: The ease of minting new identities and discovering >>> keys allows short-lived identities, reducing the need for >>> certificate revocation lists and the checking thereof. This >>> offers very large operational advantages in resource >>> constrained >>> environments. >>> >>> I don't understand why this is "easy". Enrollment is >>> "hard" unless there's something really new here. And >>> if I wanted a short-lived identity, I could just gin >>> up a new public key pair and use that as the identity >>> too. But I thought that the real problem was dealing with >>> long term identities like, oh say, mat@cisco.com. >>> >> >> Secondary enrollment, or at least minting a new identity, is >> relatively easy, While the server load for crypto is comparable to >> that of generating a cert, the amount of data on the wire is much >> smaller. > > Uh, sure. You authenticate to the CA/KG and it sends you your new > credential. In the case of the PKI, you get a new certificate, which > is definitely less than 1KB, but since it's almost exactly the same as > the old cert, what you really need is the new signature, so we can > compress that down to 320-1024 bits, depending on the signature > algorithm. > > In the case of BB signatures, to take one instantiation, the private > key is 320 bits, so we're basically looking at a wash. Except, > of course, that you need to transmit the private key securely > whereas the certificate can be distributed over an insecure > protocol, so once you factor in the overhead of the SSL connection > (or S/MIME, or whatever) you use to distribute the private key, > things start to look a lot worse. Given that we have a two-layer model with permanent and temporary secrets, the permanent secret could be used to encrypt the temporary private key, making it work just like a protected cert. But wait, there's more. There is math available that makes the thing that comes back from the PKG a "partial" key that then has to be combined with the secret held by the user to be useful. As such, the partial key isn't secret -- it can be transmitted in plain text. > -- Dean _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- [Sip] comments on draft-kupwade-sip-iba-00 Jonathan Rosenberg
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 James M. Polk
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 James M. Polk
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Michael Thomas
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Michael Thomas
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Hadriel Kaplan
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla