[ietf-enroll] Re: [New-work] WG Review: Credential and Provisioning (enroll)
Max Pritikin
pritikin at cisco.com
Thu Oct 30 13:22:20 EST 2003
The term 'model' is so overloaded that we run the risk of discussing
semantics. From this discussion I think we have both policy and process
models (if I understand the distinction between those correctly).
I'm thinking the TTI model is a _process_ model for secure enrollment
using an 'out-of-band' data exchange between any three entities. As a
process model it is well suited for use in developing a protocol for
general enrollment; which is a good goal.
TTI covers those cases where three entities are involved in an
enrollment (e.g. device-user-service, service-user-service,
retailer-device-consumer, bank-retailer-service,
"petitioner-introducer-registrar" etc).
The three entity introduction model depends on a prior enrollment
between the two sets of entities within the three entity model (e.g
prior associations between the petitioner-introducer and the
introducer-registrar).
Obviously these prior enrollments could be established by recursion -- a
prior TTI exchange. More interesting is when they are established via a
two entity 'weak' authentication mechanism. How weak this is depends on
how and when the mechanisms was applied -- which is determined by
policy. Thus we have a set of policy models that cover the different
types of two way enrollment ("leap of faith", "imprint" etc). I have a
difficult time seeing how a policy model can be used to write a
protocol.
>From these thoughts I offer these inlines,
On Thu, 2003-10-30 at 04:09, Pekka Nikander wrote:
> Max Pritikin wrote:
> > Inlined and trimmings where appropriate,
>
> Likewise. But executive summary first:
>
> I seem to have two remaining problems, once the so far discussed
> modifications to the charter have been made. The problems are
> the following:
>
> - The exact type or kind of the model, i.e., a security policy model,
> a process model, or what. I would like to see some
> characterization.
A process model covering enrollments involving three entities
(introduction) and a policy model discussing two entity ('weak'
authentication) enrollment.
> - The plurality and expressiveness of the model(s). IMHO, sticking
> to TTI is probably too restrictive. Instead of that, I would like
> to see a more generic model that grasps more of the semantics of the
> possible enrollment systems.
If we limit TTI to only a description of the three entity process model
then I agree that we'll need to discuss more fully the two entity policy
model(s). Until now I've considered the two entity policy statements to
be an integral part of TTI.
> >>>> ... I would explicitly mention that the permissions describe the
> >>>> set of services that the client is authorized to access. ...
> >>>
> >>> ... Where the set of services can be limited to actual enrollment.
> >>
> > Again I fall back to the TTI model for my conceptual framework. These
> > 'permissions and other parameters' are the result of the introduction
> > process (out-of-band or otherwise) and describe the credential that is
> > about to be generated. There are two aspects of this description, the
> > client (petitioner) needs to know how to recieve and handle the
> > credential (enrollment protocol, storage requirements, etc) and the
> > server (registrar) needs to know the parameters of the credential being
> > generated (lifetime, keysize, name, etc).
>
> This is clear to me. What is not clear is the expected semantics
> of the permissions/credentials. But perhaps that is so application
> specific that it should be left completely out of scope. But if we
> do so, the charter should read so, explicitly stating that the semantics
> of the permissions/credentials are out of scope, and that an enrollment
> method MAY create credentials that are invalid (of course it SHOULD NOT
> do so, but in some cases it MAY).
I've defined them as out of scope (other than that they are
transported). They are the information necessary for a two entity
_strongly_ authenticated enrollment. I've been thinking that there are
multiple protocols out there that provide this today.
> > I agree, the charter should be clearer on this point. I propose the TTI
> > model to be adopted but recognize that it needs more review on the list
> > before we take that step.
>
> I still think that the TTI models is not universal. While it
> is useful, sticking to it may leave out important scenarios.
>
> IMHO, we should scope the charter so that TTI is one model to
> be considered (perhaps the main one), but not the only one.
[snip]
Either that or TTI needs to be expanded to cover the two entity weak
authentication discussion in more detail (above I meant to type, "I
would propose..."). It strikes me that policy models are hard to turn
into protocols.
- Max
More information about the ietf-enroll
mailing list