[ietf-enroll] Charter

Paul Hoffman / VPNC paul.hoffman at vpnc.org
Thu May 1 11:32:52 EDT 2003


I wasn't at the BOF, but this sounds useful and not difficult if we 
can keep religion about which of the three types of credentials is 
"better" for everyone.

Jim's proposed charter sounds good. Minor notes:

>When doing enrollment of a user against a service provider, three pieces
>of information need to be provided or created in order to support
>authentication of the user to the provider and to allow for additional
>security services to be provided for any information exchanged.  These
>pieces of data are:
>
>1.	The name of the entity being enrolled,

I prefer "identity" over "name". An email address or an IP address is 
an identity, but not a name.

>2.	A piece of keying information to be used
>3.	A set of permissions for operations for the entity being
>enrolled.

I'm not sure why this is here. If I understand the list above, the 
protocol looks a bit like:

Alice: "I'm Alice, here is my keying material, and I want the set of 
permissions called A."
Bob: "I agree with your keying material, therefore I agree you are 
Alice and you get permissions A."

A different model that I think is even more common and expected would be:

Alice: "I'm Alice, here is my keying material; what permissions do I get?"
Bob: "I agree with your keying material, therefore I agree you are 
Alice, and I give you permissions A."

If people agree with that description, then #3 above is not needed.

>This group will create a model to be used in describing enrollment
>procedures and create a document for a framework for how this is to be done.
>The group will then produce three documents profiling the use of the
>framework for the following cases:
>
>1.	A shared secret key
>2.	A base asymmetric key

I think that is supposed to be "A *bare* symmetric key", yes?

>3.	A bound asymmetric key (e.g. an X.509 certificate).
>
>Additionally, the group will consider the case of using a credit card
>profiling the framework.

I don't like limiting it to credit cards. How about "external, 
human-based trust (such as credit cards)"?

>Goals and Milestones:
>
>Sept 2003	First draft of model
>Dec 2003	Last call on model document
>Nov 2003	First draft of Framework document
>April 2004	Last call on module document
>March 2004	First draft of secret key profile
>March 2004	First draft of bare asymmetric key profile
>March 2004	First draft of bound asymmetric key profile
>Aug 2004	Last call on secret key profile
>Aug 2004	Last call on bare asymmetric key profile
>Aug 2004	Last call on bound asymmetric key profile

Looks good to me.

--Paul Hoffman, Director
--VPN Consortium
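The two exchanges sketched in the message above, simulated end to end for the shared-secret profile. This is an added example, not code from the thread or from the ENROLL work: the names Provider, enroll(), proof_of_possession(), the identities, secrets and the permission policy are all constructed for the illustration. "Bob agrees with your keying material" is taken to mean a proof-of-possession check over a fresh server challenge; for the bare or bound asymmetric-key profiles the HMAC would be replaced by a signature verification against the presented public key or certificate.

```python
"""Enrollment with the three pieces of data (identity, keying material,
permissions), showing both models from the message: the client requests a
permission set and the provider checks it, or the provider simply assigns one.
Shared-secret profile only; stdlib only."""
import hashlib
import hmac
import secrets


class EnrollError(Exception):
    pass


def proof_of_possession(key: bytes, challenge: bytes, identity: str) -> bytes:
    # Alice proves she holds the keying material by MACing a fresh challenge
    # from Bob together with the identity she claims. Binding the identity into
    # the MAC keeps a proof made for one identity from being presented as another.
    return hmac.new(key, challenge + b"|" + identity.encode(), hashlib.sha256).digest()


class Provider:
    """Bob: knows each identity's shared secret and a permission policy (assumed names)."""

    def __init__(self, secrets_db: dict, policy: dict):
        self.secrets_db = secrets_db      # identity -> shared secret
        self.policy = policy              # identity -> set of permissions Bob will grant
        self.outstanding = set()          # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def enroll(self, identity: str, challenge: bytes, proof: bytes, requested=None) -> set:
        # The challenge must be one we issued and not already used (no replay).
        if challenge not in self.outstanding:
            raise EnrollError("unknown or replayed challenge")
        self.outstanding.discard(challenge)
        # Piece 1 and 2: identity plus keying material, checked by proof of possession.
        key = self.secrets_db.get(identity)
        if key is None:
            raise EnrollError("unknown identity")
        expected = proof_of_possession(key, challenge, identity)
        if not hmac.compare_digest(expected, proof):
            raise EnrollError("proof of possession failed")
        # Piece 3: permissions.
        allowed = self.policy.get(identity, set())
        if requested is None:
            return set(allowed)           # second model: Bob decides what Alice gets
        requested = set(requested)
        if not requested <= allowed:      # first model: Alice asks, Bob checks the ask
            raise EnrollError("not entitled to: " + ", ".join(sorted(requested - allowed)))
        return requested


def demo() -> dict:
    # Constructed sample data for the illustration.
    alice = "alice@example.com"
    alice_key = b"constructed-shared-secret-for-alice"
    bob = Provider({alice: alice_key}, {alice: {"read", "write"}})
    results = {}

    # First model: "I want the set of permissions called A"; Bob checks it against policy.
    c = bob.new_challenge()
    results["model_a"] = bob.enroll(alice, c, proof_of_possession(alice_key, c, alice), {"read"})

    # Replaying the consumed challenge with a valid proof must be refused.
    try:
        bob.enroll(alice, c, proof_of_possession(alice_key, c, alice), {"read"})
        results["replay_rejected"] = False
    except EnrollError:
        results["replay_rejected"] = True

    # Second model: "what permissions do I get?"; Bob assigns from policy.
    c = bob.new_challenge()
    results["model_b"] = bob.enroll(alice, c, proof_of_possession(alice_key, c, alice))

    # Asking for more than policy allows is refused even with a good proof.
    c = bob.new_challenge()
    try:
        bob.enroll(alice, c, proof_of_possession(alice_key, c, alice), {"read", "admin"})
        results["overreach_rejected"] = False
    except EnrollError:
        results["overreach_rejected"] = True

    # Wrong keying material never reaches the permission step.
    c = bob.new_challenge()
    try:
        bob.enroll(alice, c, proof_of_possession(b"wrong-key", c, alice))
        results["wrong_key_rejected"] = False
    except EnrollError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the two models share is that the permission decision is only taken after proof of possession succeeds; the difference is whether the requested set is an input that Bob validates against policy or an output that Bob derives from it.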

