
Re: Adding revised identities to IKEv2



At 5:42 PM -0500 11/12/02, Uri Blumenthal wrote:
>Stephen Kent wrote:
>>  well, access control is an intrinsic feature of IPsec, so we may
>>  disagree on that point. also, I don't believe that trust and
>>  authorization are really linked as tightly as you suggest.
>
>Well... There's not much of authorization or trust on IP level,
>I think. So the issue is moot for IPsec. But on higher layers?
>
>Say a request (not a packet!) comes from "John Doe". I
>authenticated it and am certain it came from him. Now he
>is requesting {put your favorite here - a $1M loan, a
>peek through the company strategy document, a "format c:"
>operation, whatever :-}.
>
>Should the request be granted? How do I decide, based on what?
>This is the authorization issue to me. I don't believe it
>belongs to IP level.

In your example I agree that the authorization is an application 
layer issue, not an IP layer issue.

>
>
>>  the whole
>>  notion of "trust management" that has arisen over the last few years
>>  seems to be largely a function of a view that does not acknowledge
>>  the existence of authoritative sources of authentication data. in the
>>  physical world we have many such sources, and in cyberspace we have
>>  several predominant ones, the DNS being the most common example.
>
>I think it came from the desire to proceed from authentication to the
>purpose for which the authentication was carried on: what do I do with
>this request, now that I know the identity of its initiator?

authorization does that, but the role of "trust" in authorization 
seems questionable at this layer, which is the focus of this WG's 
discussion.

>And again to repeat myself - in IPsec the decision (probably) is very
>trivial: if I recognized the key and authenticated the traffic, I can
>allow it to enter my box, the rest is an application-level problem.

I think we generally agree here.

>
>>  are you looking for the SPKI WG mailing list?
>>
>>  I think it died along with the WG :-)
>
>SPKI? What's that? (:-)
>
>But seriously, how do you identify a key on a borrowed laptop roaming
>through a foreign domain? [not by IP address and probably not by FQDN]

First, I don't want to identify keys in most cases (I don't see them 
as principals), and this would be one of them.

If I am responsible for access control for some resources, I want to 
know who's requesting access, and for that I want a name or at least 
an organizational affiliation.  So, the issue here might be how the 
user manages to assert his identity when he is using the borrowed 
laptop, in a fashion that minimizes the risk to his secrets. (The 
issue also might be whether I want to let the known, authorized user 
into my environment given that he is using a borrowed laptop ...) 
There are various ways to address the problem, depending on the 
technology available to the user, whether the user was prepared to 
employ a borrowed laptop, etc. Use of crypto tokens, one-time keys, 
etc. all come to mind and all have limitations based on the 
circumstances.

Of course, as a Mac user I rarely have this problem because I would 
not want to borrow a PC laptop anyway :-)

Steve