[vwrap] auth draft todo..
Meadhbh Hamrick <ohmeadhbh@gmail.com> Wed, 07 July 2010 19:09 UTC
Return-Path: <ohmeadhbh@gmail.com>
X-Original-To: vwrap@core3.amsl.com
Delivered-To: vwrap@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 43E783A684C for <vwrap@core3.amsl.com>;
Wed, 7 Jul 2010 12:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=0.649,
BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2BPFDR7u0ZRA for
<vwrap@core3.amsl.com>; Wed, 7 Jul 2010 12:09:44 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com
[209.85.216.172]) by core3.amsl.com (Postfix) with ESMTP id 822083A6836 for
<vwrap@ietf.org>; Wed, 7 Jul 2010 12:09:44 -0700 (PDT)
Received: by qyk1 with SMTP id 1so2558007qyk.10 for <vwrap@ietf.org>;
Wed, 07 Jul 2010 12:09:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=domainkey-signature:received:mime-version:received:from:date
:message-id:subject:to:content-type;
bh=TNbCSGtQtTIEf50ghTaWOhANyWnoc910ZfboBOJ+XkY=;
b=HJNoYWtNaZX5ZUcg9usaWfObeKHHF4bGIeQXUKDwBnNe91kegxqNuVG9VGfTQOwiAU
a2VuImo+Q+pzELR3vxcSGiudm01VTmx/N0Ftk+FmUBGWQiA6qYHMxnQ1NhfP6moXE6TD
kBcLvhSyAqHdyNBB8gSVM6VKigYcY/fSZsKBU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
h=mime-version:from:date:message-id:subject:to:content-type;
b=JmGUZg948CIL9rMCXbMuKpPiwHu2LV8BvDKmjjxoawZmkaB5wE0zkwL0AhYZWAHmrp
v7MVlzaEF7ccMneDF2SKAHqNdkwnqReIeazmj8nyj/4e2YOspmUZBN3OGPxNXFcipZoZ
Go1mV7KUBrXd4ySyqGXvPPOxjn28o+INSvTkU=
Received: by 10.224.65.89 with SMTP id h25mr3837803qai.163.1278529783194;
Wed, 07 Jul 2010 12:09:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.185.73 with HTTP; Wed, 7 Jul 2010 12:09:23 -0700 (PDT)
From: Meadhbh Hamrick <ohmeadhbh@gmail.com>
Date: Wed, 7 Jul 2010 12:09:23 -0700
Message-ID: <AANLkTinQsrKaQRG5bxNQ0BpdCvzLOOUhE6gsZ90Gujk_@mail.gmail.com>
To: vwrap@ietf.org
Content-Type: multipart/alternative; boundary=00c09f82c9b38fed82048ad0e93d
Subject: [vwrap] auth draft todo..
X-BeenThere: vwrap@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Virtual World Region Agent Protocol - IETF working group
<vwrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/vwrap>,
<mailto:vwrap-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vwrap>
List-Post: <mailto:vwrap@ietf.org>
List-Help: <mailto:vwrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vwrap>,
<mailto:vwrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 19:09:46 -0000
so... is it my imagination or is the auth draft starting to come together? but there are still a few todo's left. i'm going to be working on them in the near future, and will publish another draft after the f2f later this month. (did we decide if there was going to be a VWRAP f2f this time around???) anyway... here's a list of things left to do on the auth draft: 1. add trust model section - mea culpa. i should have finished this earlier. expect another email about the trust model. the linden grid, opensim grid + services, standalone and tourist models are diverse enough, i want to make sure that any trust model documentation supports each of these use cases. 2. make SHA384 an option for authenticators ??? - so if you google "suite b", you can read about the two hash functions that the NSA thinks are copacetic for non-top-secret but sensitive government use. these include SHA-256 and SHA-384. right now the draft only says SHA-256. CNSSP-15 tells us that SHA-384 is really only there to generate parameters for 384 bit ECC crypto primitives. but i wonder if there's anyone out there in fed-space that would require SHA-384 for virtual worlds use? if anyone out there knows of such a requirement, please let me know and i'll add SHA-384 as an option to this draft. otherwise, i recommend we support ONLY SHA256 until we're all comfortable with it's implementation and deployment. 3. better description of the difference between transport and application layer authentication - okay... this is something that kinda throws people, so lemme mention it here. i would also like to write a blurb about it in the next draft of the auth spec. ultimately what we're trying to do with user auth is for a client to demonstrate their authorization to use sensitive data regarding a user's virtual world agent. this usually involves authentication; having the client prove they're in possession of a secret shared between the client and the auth server. so far, so good, right? i mean. no one disputes this, right? where things get interesting is when we start to rely on transport-based authentication. HTTP basic and digest auth identifies and authenticates a user at the HTTP transport layer. but what if we wanted to carry some sensitive payload over XMPP or RTP? we probably shouldn't rely on HTTP digest auth in those cases (and besides, HTTP digest auth is essentially broken unless carried over HTTPS.) and speaking of TLS, what are we authenticating when we authenticate a cert chain? you're not authenticating an authentication service, you're authenticating the host it's running on. this is usually close enough, but i'm nervous about when services move into the cloud and start migrating around to different hosts. (besides TLS is usually only configured to authenticate the server, not the client.) in the "real world" client auth in TLS usually comes from doing HTTP auth or some app layer something-or-other (like possession of session cookie) over HTTP over TLS. or you can use client certificates. i love client certs, but then again i used to work for a company that sold a cert issuing system. while i would love to sell you a PKI system, i'll be the first to admit, it's not the be-all, end-all to authentication that some peeps have said it is in the last couple of decades. besides, client certs are generally used to authenticate the client's host. so when the user moves to a new machine, no more TLS client cert auth. unless they're using smart cards. don't get me started about smart cards. we're not requiring people to use smart cards. and then there's the issue of proxy authentication. a few of us use the interwebs with proxies you have to provide credentials to. do a google search on this! it's true! actually.. i think a lot of HTTP proxy authentication is used in situations where services are composed over primitive service busses and use proxy auth as a first line of defense or as a way to integrate with legacy password / username systems. but i guess what i'm saying is... it's entirely possible we'll be required to authenticate a client to an authentication service in an environment where HTTP(S) based auth is not appropriate. in these cases, we'll probably find that the VWRAP message traffic is going over infrastructure where the transport auth is used for some other purpose, or it's not available to the developer (think of a web app fronted by a HTTPS accellerator that strips out TLS and HTTP auth info.) and this is why we have authentication info INSIDE the application layer message flows. 'cause you're authenticating an application component (the client) with another application component (the auth server.) sometimes you get lucky and you can re-use your transport auth, but not always. and this is kind of what i wanted to put in the draft... "sometimes you can use previously established transport based authentication, but sometimes you can't." -cheers -meadhbh -- meadhbh hamrick * it's pronounced "maeve" @OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com
- [vwrap] auth draft todo.. Meadhbh Hamrick