AW: [ietf-enroll] Some thoughts about "imprinting" attracting little attention

Tschofenig Hannes hannes.tschofenig at siemens.com
Tue Apr 26 17:33:16 EDT 2005


hi thierry, 

sorry for the late response. 
thanks for sharing your thoughts with us. please find some comments below: 

> Dear ietf_enroll participants:
> 
> This post is about terminology and high level concepts
> in ietf_enroll.
> 
> There are two separate driving factors for the
> ietf_enroll activities. Both are concerned with
> operational issues. Both are sensitive to operational
> efficiencies, closely related to operating cost
> concerns.
> 
> The "service protocol provisioning" driving factor is
> the *complexities of configuring new protocols* that
> provide a service to an entity that deserve some
> authentication assurance. The main issue is dealing
> with the pre-existing infrastructure, closely related
> to the "power of the installed base" effect. Security
> is a concern, aiming at the re-use of pre-existing
> keying material, which is a wise strategy for to reduce
> human intervention for enrollment-time authentication.
> Operating hindrance is mainly created by the diversity
> of the installed base. An ietf_enroll model in this
> area would accommodate the installed base
> heterogeneity.

i like the description although i do not like the term 'service protocol
provisioning' since the term 'service' is also heavily overloaded. 

> 
> The "security association inception" driving factor is
> *security in the context of virtually no prior
> authenticated key material* that can be relied upon. It
> is a narrowly-defined security concern, yet an
> inescapable one when considering the security
> foundations of most crypto-based security schemes. For
> some survey of the field, see
> http://www.connotech.com/sakem_white_paper_06.htm.

i will take a look at your document. 
thanks for the pointer. 

> The
> operating cost concern is significant only when there
> are strong disincentives against using shortcuts in
> manual security procedures, which is not occurring in
> many contexts. In the absence of such disincentives,
> "security association inception" is merely "leap of
> faith."

sounds good to me as well.  

> 
> In the IETF62 discussion, the "service protocol
> provisioning" seemed equated to "bootstrapping" while
> "security association inception" was "imprinting".
> However, within the "bootstrapping" concept, someone
> (Eric R.) suggested a difference between bootstrapping
> with KDC (Key Distribution Centers) and bootstrapping
> with weak key material. I see the former falling into a
> special case of "service protocol provisioning," and
> the latter being either side, depending on someone's
> driving factor, i.e. if you are satisfied to re-use
> (somehow) weak key material, then it's provisioning,
> but if you are worried about getting stronger key
> material at the outcome of enrollment procedures, then
> it's "security association inception."

actually i am not so sure about the term 'bootstrapping' anymore. 
i think it was already misused in too many ways. i think we should see it as
key distribution. 
the aspect of "weak" vs. "strong" keying material is also a very difficult
one. 

> 
> There isn't much activity in the "security association
> inception" arena. The same was said about imprinting in
> the IETF62 meeting. That's an empirical finding that I
> can confirm.

that was my impression as well. eric and pasi have sent a few references but
they are very similar. 
potentially there aren't too many alternative approaches. 

> 
> I leave as an exercise the classification of ad-hoc
> mobile networking requirements ...

good point - also an area of big mess

> 
> Hope it helps ...

thanks. 

ciao
hannes

> 
> -- 
> 
> - Thierry Moreau
> 
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada   H2M 2A1
> 
> Tel.: (514)385-5691
> Fax:  (514)385-5900
> 
> web site: http://www.connotech.com
> e-mail: thierry.moreau at connotech.com
> 
> 
> _______________________________________________
> ietf-enroll mailing list
> ietf-enroll at mit.edu
> https://mailman.mit.edu/mailman/listinfo/ietf-enroll
> 