[ietf-enroll] next steps for enroll

Jim Schaad jimsch at nwlink.com
Mon Nov 8 10:24:40 EST 2004


Gentlemen,

I read this document, albeit slowly trying to work around other commitments,
and I feel that this document or one or two similar documents need to be
adopted by the group in order to give good guidance on how the models should
be viewed and used.

Let's start with a discussion of section 3.1, a supposedly simple case, and
see what happens.

This skips over many of the details that we need to look at in order for a
complete analysis to be done.  First there are three different data flow
models that can be considered to have occurred depending on how one squints
at what is happening.

1.  There is an imprint data flow operation occurring.  This is between the
manufacturer and the device being manufactured.  Here I am mapping the
manufacturer to R and the device to P.  This comes up with some questions
that need to be looked at (and thus should be in the model document?).

  A) Is the secret material being generated on P or R?  Depending on the
type of material being generated this means there must be statements about
how R keeps and maintains the secret.  Also there need to be some
statements about how R makes sure that the same info is not placed on two
devices.  (Conversely there is an issue of timeliness and randomization if
the device generates the secret.)

  B) Can P be imprinted more than one time, by more than one R?


2.  There is a courier data flow operation occurring.  This is between the
manufacturer and the end registration agent.  This may actually be a series
of courier agents rather than a single agent.  Now you can look at the
implications of being in a courier data flow.

3.  One could map the data flow as central authority (one directional flow
outwards) if one assumes that the introducer is the manufacturer.  If one
looks at using this as the overview of the data flow, then one needs to
talk about how one needs to look at combining the data flow models.  There
really are multiple couriers between the manufacturer and the
registration agent and this needs to be discussed even if one uses this data
model.

Finally there needs to be discussion on 1) type of information being used,
2) how discovery of R is done by P.


Next section 3.2 - This maps to either the courier or mediated data flow
depending on whether you are looking at a unidirectional or bi-directional
data flow.  The issues that you have brought up need to be covered as issues
in the enroll document wrt the courier model.  Basically there need to be
good restrictions on the data that flows in order to make the system work.

Next section 3.3 - This is not establishing a secret over an insecure
network.  This is exactly the same as the section 3.2 data flow.  I.e. you
are either doing mediated or courier data flow with the fingerprint being
the data that is being transported OOB.


Jim