IETF Logo Mail Archive

Re: [Trust-router] Considering delaying BOF Request

Sam Hartman <hartmans@painless-security.com> Fri, 17 May 2013 13:08 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: trust-router@ietfa.amsl.com
Delivered-To: trust-router@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA62321F8618 for <trust-router@ietfa.amsl.com>; Fri, 17 May 2013 06:08:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1fLCkGxoI8Jl for <trust-router@ietfa.amsl.com>; Fri, 17 May 2013 06:08:31 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 6397721F8616 for <trust-router@ietf.org>; Fri, 17 May 2013 06:08:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 2EB002057B; Fri, 17 May 2013 09:05:38 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id py-23C8q8tPX; Fri, 17 May 2013 09:05:37 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Fri, 17 May 2013 09:05:37 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id DE9DC440A; Fri, 17 May 2013 09:08:22 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: David Chadwick <d.w.chadwick@kent.ac.uk>
References: <CDBA7A25.23081%josh.howlett@ja.net> <5194F38F.2050906@kent.ac.uk> <tsltxm3c5tl.fsf@mit.edu> <51950119.1080600@kent.ac.uk> <tslhai2b40m.fsf@mit.edu> <5195DDFE.9000907@kent.ac.uk>
Date: Fri, 17 May 2013 09:08:22 -0400
In-Reply-To: <5195DDFE.9000907@kent.ac.uk> (David Chadwick's message of "Fri, 17 May 2013 08:36:30 +0100")
Message-ID: <tsl4ne1bvp5.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Josh Howlett <Josh.Howlett@ja.net>, "trust-router@ietf.org" <trust-router@ietf.org>
Subject: Re: [Trust-router] Considering delaying BOF Request
X-BeenThere: trust-router@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "ABFAB Trust Router discussion list." <trust-router.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trust-router>, <mailto:trust-router-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trust-router>
List-Post: <mailto:trust-router@ietf.org>
List-Help: <mailto:trust-router-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trust-router>, <mailto:trust-router-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2013 13:08:37 -0000

>>>>> "David" == David Chadwick <d.w.chadwick@kent.ac.uk> writes:

I've read Josh's responses; I want to take a slightly different approach
in responding here focusing on the protocol; on the moonshot-community
list I'd focus on the pilot.

    David> Having a Janet hosted community may be too restrictive. We
    David> need to be able to move to model that gives the freedom of
    David> the grid VOMS capability, but on an Internet scale, and
    David> without needing to run a separate VOMS server.

It would be valuable if you'd write up this use case including
 requirements as an internet draft.
I think that would be very useful in the trust router BOF context.


    David> Why do I think a Janet hosted community too restrictive?
    David> Because I might want to set up a COI containing people from
    David> Europe, Australia and China who I work with. So their IdPs
    David> will need to join the community.

So, when I say Janet-hosted community I mean that  the routes in that
community will be injected by Janet-controlled trust routers.
Regardless of who injects the routes, routes to any IDP can be injected.

    David> So we need an Internet wide base community that provides
    David> generic interconnectivity at the federation level between all
    David> IdPs and SPs, in much the same way that IP does at the
    David> network level. Then any and every specialised community of
    David> interest can be built on top of this. The 

Yes, but we were talking about how to manage communities of interest.
The base community is an APC (authentication policy community), not a
COI.

You're absolutely right that for scaling reasons some APCs will require
delegation.
The base APC is definitely such.

It's possible some large COIs will require this as well.
I've been unable to find a use case for a COI that required distributed
management, but I agree the protocol should support this.



    David> Janet community
    David> would be one such community, which could be used to replace
    David> the UK AMF. So a Janet hosted community should not be the
    David> base, but rather a specialised academic CoI on the base.

You're mixing several things here:

1) The base APC. We agree that the base APC should not be hosted, but
instead various parties will inject routes.

2) A Janet hosted community. This can be about anything and contain any
members.  The interesting point is that Janet injects the routes.

I think we agree that the protocol needs to support hosted communities.

3) a community that janet uses for organisations in the UK.  This could
be janet-hosted or otherwise.  i think we agree that this is distinct
from the base APC.


    David> So this brings up one other requirement. How can a researcher
    David> such as myself, add an SP to the Internet base community so
    David> that it can be subsequently configured to trust a specialised
    David> COI? I can do this now at the IP level, but not at the
    David> federation level.

Agreed.
the protocol supports this.
determine whether a SP is in an APC with respect to a given IDP is
somewhat different than determining whether that SP is in a COI with
respect to an IDP, but there are approaches for both.

    David> Having an administrator for a COI being the only person who
    David> can inject a new route/membership (I prefer to think about
    David> COI membership rather than route) into the Internet base COI
    David> is fine for small COIs, but is not scalable for very large
    David> scale COIs such as the base Internet CoI itself. 

I recommend that you think about it in terms of routes rather
than memberships.
Not all parties will have the same policies about who to trust, and
partitioning and other affects can cause the topology to appear
different at different points in the system even if policy is uniform.

Thinking of things as memberships seems like a convenient
simplification.  For myself, I've found that when I make that
simplification my reasoning tends to jump over details that actually
matter in terms of coming up with design or security analysis.


    David> There needs
    David> to be delegation of authority on a global scale to allow new
    David> members to be added to large scale COIs. So this should be
    David> built into the trust model from the outset.

if you replace COI with community I'll agree with you.
As i said, the use case for this is clear for APCs. It's not clear to me
that it is true for COIs, but I see no harm in supporting it.

    >> Why do you think that it's important that Painless's trust router
    >> believe that it's in a COI?  What's wrong with Painless being
    >> co-opted into a COI?

    David> Because you would not want me to co-opt you into my Down With
    David> Russia, Abolish Corporation Tax for Multinationals, and
    David> Polygamy for All COIs would you, without your agreement? 

The key in that statement is that it's your community.
If you want to make ridiculous statements about me, the problem comes in
when someone trusts those statements.
I'd recommend than no SPs use your community if you're going to do that
sort of thing.

non-technical measures such as law may give me recourse if I find your
statements objectionable rather than simply ridiculous.
The Internet has many ways for people to group things together already.
I see no harm in you creating a useless group that includes me.

I see significant harm in someone inappropriately trusting that
grouping.

it seems    David>  It seems reasonably harmless to me provided that Painlessl
    >> does not use an attribute release policy more liberal than what
    >> it would use with an unknown service.

    David> Well for privacy protection reasons it should not release any
    David> personal information to an unknown service. 

I agree that  people concerned about privacy should disclose little
(probably nothing) to an unknown service.
In this case, the IDP will almost certainly need to know about
communities it is part of.
i don't see why it needs to be the trust router rather than the IDP
though.

v2.23.0 | Report a Bug | By Email