Direct credential transfer

I know it's late in the game, but, as a believer in distributed systems, I am compelled to comment on a tacit assumption in the framework draft.  It is assumed that servers necessarily are used for large communities of users.  Sacred protocols certainly fit that situation.  However, there is no reason to suppose they would be used only in that situation.  For example, a credential server could be used for a small community - a family, a department of co-workers, a community service organization - that has an interest in preserving their cohesion and the privacy of their communication.

Sec 2.1 contrasts the use of a credential server with direct transfer of credentials, asserting that direct transfer is always a safe operation.  The only time it is safe is when there are no intervening nodes through which the credentials pass.  The specific example given provides several opportunities for the credential to be edited in ways Alice doesn't expect or intend.

With this in mind, I propose the language in 2.1 be modified along these lines (addition in bold):

   However, the credential server approach has some potential
   disadvantages, too:

   1.  It might be somewhat expensive to maintain and run the credential server, particularly if there are stringent requirements on availability and reliability of the server. This is particularly true for servers which are used for a large community of users.  When the server is intended for a small community, the complexity and cost would be much less.

The following paragraph is problematic.

   For example, consider the case where Mimi sends a message from her
   wireless phone containing the credentials in question, and retrieves
   it using her two-way pager.  In getting from one place to another,
   the bits of the message cross the wireless phone network to a base
   station. These bits are likely transferred over the wired phone
   network to a message server run by the wireless phone operator, and
   are transferred from there over the Internet to a message server run
   by the paging operator. From the paging operator they are
   transferred to a base station and then finally to Mimi's pager.
   Certainly, there are devices other than the original wireless phone
   and ultimate pager that are involved in the credential transfer, in
   the sense that they transmit bits from one place to another.
   However, to all devices except the pager and the wireless phone,
   what is being transferred is an un-interpreted and unprocessed set
   of bits.  No security-related decisions are made, and no actions are
   taken based on the fact that this message contains credentials, at
   any of the intermediate nodes.  They exist simply to forward bits.
   Thus, we consider this to be a "direct" transfer of credentials.

   Solutions involving the direct transfer of credentials from one
   device to another are potentially somewhat more complex than the
   credential-server approach, owing to the large number of different
   devices and formats that may have to be supported. Complexity is
   also added due to the fact that each device may in turn have to
   exhibit the behavior of both a client and a server.

Better might be:

For example, consider the case where Mimi sends a message from her wireless phone containing the credentials in question, and retrieves it using her two-way pager.  As long as Mimi's phone and pager can communicate directly, that is without the use of any network connections, credentials can be safely transferred.

Unless the direct transfer of credentials between devices follows a uniform methodology regardless of the type of devices, direct transfer would be complicated, or even prohibited, because a consistent method and representation are not used.  This presumes at least some devices must be both a client and a server for the exchange of credentials.

These ideas may have further implications for the requirements.  For the sake of brevity that potential should be pursued separately.
-- 

john noerenberg
jwn2@xxxxxxxxxxxx
  --------------------------------------------------------------------------
  Peace of mind isn't at all superficial, really.  It's the whole thing.
  That which produces it is good maintenance; that which disturbs it
  is poor maintenance.
  -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974
  --------------------------------------------------------------------------
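The message above argues that once a credential leaves Mimi's phone and crosses base stations, message servers and the Internet, any intermediate node can edit it, even though the draft treats those nodes as forwarding "an un-interpreted and unprocessed set of bits". The following Python simulation is an added example and is not part of the message, the draft, or any working-group code. It models the hop chain as a list of forwarding functions, one of which rewrites the credential, and contrasts a bare transfer (the pager receives the altered credential and cannot tell) with a transfer carrying an end-to-end HMAC computed by the phone and checked by the pager (the alteration is detected). The credential contents, the hop names and the shared phone/pager key are constructed for the example; the HMAC protection goes beyond the page, which does not propose it, and is included only to show that "direct" in the sense of the draft does not by itself prevent the editing the message describes.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed sample credential; format and values are assumptions for the example.
CREDENTIAL = b"subject=mimi;role=member;expires=2004-12-31"

# Secret shared only by the two endpoints (phone and pager); an assumption for
# the example. No intermediate node knows it.
ENDPOINT_KEY = b"phone-pager-shared-secret"

Hop = Callable[[bytes], bytes]


def honest_forward(msg: bytes) -> bytes:
    """A node that, as the draft assumes, merely forwards the bits unchanged."""
    return msg


def tampering_forward(msg: bytes) -> bytes:
    """A node on the path that edits the credential in transit.

    It only needs to recognise a byte pattern; it does not need to
    'interpret' the message as a credential to change its meaning.
    """
    return msg.replace(b"role=member", b"role=admin")


# The path from the draft's example: phone -> base station -> phone operator's
# message server -> Internet -> paging operator's message server -> base
# station -> pager. Hop names are labels only; the ordering is illustrative.
HONEST_PATH: List[Hop] = [honest_forward] * 5
TAMPERED_PATH: List[Hop] = [
    honest_forward,      # wireless base station
    honest_forward,      # phone operator message server
    tampering_forward,   # some node on the Internet leg
    honest_forward,      # paging operator message server
    honest_forward,      # paging base station
]


def relay(msg: bytes, hops: List[Hop]) -> bytes:
    """Pass the message through every intermediate node in order."""
    for hop in hops:
        msg = hop(msg)
    return msg


def transfer_unprotected(credential: bytes, hops: List[Hop]) -> bytes:
    """Bare transfer: whatever arrives is what the pager believes."""
    return relay(credential, hops)


def protect(credential: bytes, key: bytes = ENDPOINT_KEY) -> bytes:
    """Phone side: append an HMAC-SHA256 tag (hex) computed over the credential.

    '|' is used as a separator on the assumption that the credential bytes
    do not contain it; a real encoding would length-prefix instead.
    """
    tag = hmac.new(key, credential, hashlib.sha256).hexdigest().encode()
    return credential + b"|" + tag


def verify(msg: bytes, key: bytes = ENDPOINT_KEY) -> Tuple[Optional[bytes], bool]:
    """Pager side: split off the tag and recompute it over the received bytes.

    Returns (credential, True) if the tag matches, (None, False) otherwise.
    """
    if b"|" not in msg:
        return None, False
    credential, tag = msg.rsplit(b"|", 1)
    expected = hmac.new(key, credential, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None, False
    return credential, True


def transfer_protected(credential: bytes, hops: List[Hop],
                       key: bytes = ENDPOINT_KEY) -> Tuple[Optional[bytes], bool]:
    """Transfer with an end-to-end integrity tag the intermediaries cannot forge."""
    return verify(relay(protect(credential, key), hops), key)


if __name__ == "__main__":
    print("unprotected, honest path :", transfer_unprotected(CREDENTIAL, HONEST_PATH))
    print("unprotected, tampered    :", transfer_unprotected(CREDENTIAL, TAMPERED_PATH))
    print("protected,   honest path :", transfer_protected(CREDENTIAL, HONEST_PATH))
    print("protected,   tampered    :", transfer_protected(CREDENTIAL, TAMPERED_PATH))
```

Run as a script, the unprotected transfer over the tampered path delivers `role=admin` with nothing to alert the pager, which is the hazard the message describes; the protected transfer over the same path fails verification, because the tampering node can change the bytes but cannot produce a tag under a key it does not hold. Note that the tag protects integrity only: a node that merely copies the message still learns the credential, so confidentiality in transit is a separate requirement.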