AW: [ietf-enroll] Some thoughts about "imprinting" attracting little attention
Tschofenig Hannes
hannes.tschofenig at siemens.com
Tue Apr 26 17:33:16 EDT 2005
hi thierry,
sorry for the late response.
thanks for sharing your thoughts with us. please find some comments below:
> Dear ietf_enroll participants:
>
> This post is about terminology and high level concepts
> in ietf_enroll.
>
> There are two separate driving factors for the
> ietf_enroll activities. Both are concerned with
> operational issues. Both are sensitive to operational
> efficiencies, closely related to operating cost
> concerns.
>
> The "service protocol provisioning" driving factor is
> the *complexities of configuring new protocols* that
> provide a service to an entity that deserve some
> authentication assurance. The main issue is dealing
> with the pre-existing infrastructure, closely related
> to the "power of the installed base" effect. Security
> is a concern, aiming at the re-use of pre-existing
> keying material, which is a wise strategy to reduce
> human intervention for enrollment-time authentication.
> Operating hindrance is mainly created by the diversity
> of the installed base. An ietf_enroll model in this
> area would accommodate the installed base
> heterogeneity.
i like the description although i do not like the term 'service protocol
provisioning' since the term 'service' is also heavily overloaded.
>
> The "security association inception" driving factor is
> *security in the context of virtually no prior
> authenticated key material* that can be relied upon. It
> is a narrowly-defined security concern, yet an
> inescapable one when considering the security
> foundations of most crypto-based security schemes. For
> some survey of the field, see
> http://www.connotech.com/sakem_white_paper_06.htm.
i will take a look at your document.
thanks for the pointer.
> The
> operating cost concern is significant only when there
> are strong disincentives against using shortcuts in
> manual security procedures, which is not occurring in
> many contexts. In the absence of such disincentives,
> "security association inception" is merely "leap of
> faith."
sounds good to me as well.
>
> In the IETF62 discussion, the "service protocol
> provisioning" seemed equated to "bootstrapping" while
> "security association inception" was "imprinting".
> However, within the "bootstrapping" concept, someone
> (Eric R.) suggested a difference between bootstrapping
> with KDC (Key Distribution Centers) and bootstrapping
> with weak key material. I see the former falling into a
> special case of "service protocol provisioning," and
> the latter being either side, depending on someone's
> driving factor, i.e. if you are satisfied to re-use
> (somehow) weak key material, then it's provisioning,
> but if you are worried about getting stronger key
> material at the outcome of enrollment procedures, then
> it's "security association inception."
actually i am not so sure about the term 'bootstrapping' anymore.
i think it was already misused in too many ways. i think we should see it as
key distribution.
the aspect of "weak" vs. "strong" keying material is also a very difficult
one.
>
> There isn't much activity in the "security association
> inception" arena. The same was said about imprinting in
> the IETF62 meeting. That's an empirical finding that I
> can confirm.
that was my impression as well. eric and pasi have sent a few references but
they are very similar.
potentially there aren't too many alternative approaches.
>
> I leave as an exercise the classification of ad-hoc
> mobile networking requirements ...
good point - also an area of big mess
>
> Hope it helps ...
thanks.
ciao
hannes
>
> --
>
> - Thierry Moreau
>
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada H2M 2A1
>
> Tel.: (514)385-5691
> Fax: (514)385-5900
>
> web site: http://www.connotech.com
> e-mail: thierry.moreau at connotech.com
>
>
> _______________________________________________
> ietf-enroll mailing list
> ietf-enroll at mit.edu
> https://mailman.mit.edu/mailman/listinfo/ietf-enroll
>