[Spud] Declarations: Authentication and encryption

Szilveszter Nadas <Szilveszter.Nadas@ericsson.com> Thu, 05 March 2015 16:56 UTC

Return-Path: <Szilveszter.Nadas@ericsson.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B05681A037F for <spud@ietfa.amsl.com>; Thu, 5 Mar 2015 08:56:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qvVIrB0Wjs00 for <spud@ietfa.amsl.com>; Thu, 5 Mar 2015 08:56:03 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B309E1A0065 for <spud@ietf.org>; Thu, 5 Mar 2015 08:55:51 -0800 (PST)
X-AuditID: c1b4fb25-f79b76d00000113a-6a-54f88a95d540
Received: from ESESSHC019.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id 20.1D.04410.59A88F45; Thu, 5 Mar 2015 17:55:50 +0100 (CET)
Received: from ESESSMB303.ericsson.se ([169.254.3.70]) by ESESSHC019.ericsson.se ([153.88.183.75]) with mapi id 14.03.0210.002; Thu, 5 Mar 2015 17:55:49 +0100
From: Szilveszter Nadas <Szilveszter.Nadas@ericsson.com>
To: "spud@ietf.org" <spud@ietf.org>
Thread-Topic: Declarations: Authentication and encryption
Thread-Index: AdBXY2MAP8c8eV5hRTutLmFxuvIZQg==
Date: Thu, 5 Mar 2015 16:55:49 +0000
Message-ID: <EA4C43BE752A194597B002779DF69BAE23C9FBE5@ESESSMB303.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.20]
Content-Type: multipart/alternative; boundary="_000_EA4C43BE752A194597B002779DF69BAE23C9FBE5ESESSMB303erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOLMWRmVeSWpSXmKPExsUyM+Jvje60rh8hBtNaWCwWXXjK6MDosWTJ T6YAxigum5TUnMyy1CJ9uwSujFPvHrEUHFOp+HJ7FlsD43H5LkZODgkBE4lvd3qYIGwxiQv3 1rN1MXJxCAkcYZRYvW4dK4SziFHi2aa/rCBVbAIWEg0rN7OB2CICyhJr7yxiB7GFgSatPfSG BSJuKXHm7QMoW0+i+UkjUC8HB4uAisTn13UgYV4BX4mbC3rBxjACLf5+ag3YEcwC4hK3nsyH OkhAYsme88wQtqjEy8f/WCFsRYmr05dD1edLrLg/mwVipqDEyZlPWCYwCs1CMmoWkrJZSMog 4joSC3Z/YoOwtSWWLXzNDGOfOfCYCVl8ASP7KkbR4tTipNx0I2O91KLM5OLi/Dy9vNSSTYzA mDi45bfqDsbLbxwPMQpwMCrx8Bbk/wgRYk0sK67MPcQozcGiJM5rZ3woREggPbEkNTs1tSC1 KL6oNCe1+BAjEwenVANjj11Pz9ROvRJ234KWR5lRuu8YWX+sPPUxvrrjYbGiKG/4Cu7Ize83 2rTeOxD03PSPwLN17T8Co9aYTJ0efixr5Z6vml+PGIqY/cp8KeYqf9/fo2j2iYbamxPMGjrZ Xa4rut4N2rXj7bone1xkKlkzJ3QnClaXN7z79aBegyFnm+W0e1KJJ58qsRRnJBpqMRcVJwIA a0mUoWoCAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/YYfa7N3xGuFmcyzvE__oc0Lp0rk>
Subject: [Spud] Declarations: Authentication and encryption
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 16:56:05 -0000

Hi,

I am aware that security is not the main scope at the moment, but still I am interested about opinions about this.

The principle of declarations is to "trust but verify". I think still authentication can help this trust quite much. If the two points communicating have some relationship or history and have a proof about their identity a more "brave" trust can be the default behavior. Verification of declarations can still happen. Also authentication can be verified by the middlebox, even after choosing appropriate actions based on the content of the declarations so not delaying the flow and deceisons.

The other thing is that I see the privacy of both endhosts and of middleboxes important. Middleboxes might not want to allow others (e.g. other middleboxes) to collect data about their answers as these are partly consequences of business decisions. Endpoints might have similar concerns. Encryption can easily solve this.

In summary what do you think about authentication and encryption of declarations?

Cheers,
Szilveszter