Re: [Ace] Charter Update
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Tue, 14 January 2014 13:16 UTC
Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF7ED1AE0D9 for <ace@ietfa.amsl.com>; Tue, 14 Jan 2014 05:16:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.454
X-Spam-Level:
X-Spam-Status: No, score=-1.454 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-WrsRxfz8ti for <ace@ietfa.amsl.com>; Tue, 14 Jan 2014 05:16:31 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id BFAF01AE0D4 for <ace@ietf.org>; Tue, 14 Jan 2014 05:16:30 -0800 (PST)
Received: from 3capp-gmx-bs15.server.lan ([172.19.170.67]) by mrigmx.server.lan (mrigmx001) with ESMTP (Nemesis) id 0MNwO5-1W177I0JNz-007Xqk for <ace@ietf.org>; Tue, 14 Jan 2014 14:16:19 +0100
Received: from [217.140.96.21] by 3capp-gmx-bs15.server.lan with HTTP; Tue Jan 14 14:16:19 CET 2014
MIME-Version: 1.0
Message-ID: <trinity-f8be05c2-1aee-429d-bb07-74035e5bf64b-1389705378861@3capp-gmx-bs15>
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: Stefanie Gerdes <gerdes@tzi.de>
Content-Type: text/html; charset="UTF-8"
Date: Tue, 14 Jan 2014 14:16:19 +0100
Importance: normal
Sensitivity: Normal
In-Reply-To: <52D4F6AD.3060101@tzi.de>
References: <52D4F6AD.3060101@tzi.de>
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K0:yY4IWO3DS1IxFJ1F5Cm0nsPiMl8bWnAD8anlYMyYfzN HN30HvIc2v0UmROMTiGcmZ+kRZ6GSR0L9aEUAIZpmeIzTv/kOQ WAo9HxIxfIQbHn3ItGliInmC09iAyrFvw06vp1WfjWYTea+0B6 UNj1Y/z8PZOfrgtJ+bxhi7zp7B7MCYbpqv+reF5c+LXHEYoW88 B/UA2GcF281P/dVa1DEJPiEC2a16QGun02u+8/MDcCrIIP6J+u vW3gQxVR0hcEKx87shs4/CbzbD+S4OPx/IUUOzZ4BKlxTu9YMB OtPnxc=
Cc: Bert Greevenbosch <Bert.Greevenbosch@huawei.com>, "\"Göran Selander\"" <goran.selander@ericsson.com>, Ludwig Seitz <ludwig@sics.se>, Likepeng <likepeng@huawei.com>, ace@ietf.org
Subject: Re: [Ace] Charter Update
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 13:16:34 -0000
Hannes
Von: "Stefanie Gerdes" <gerdes@tzi.de>
An: ace@ietf.org
Cc: "Bert Greevenbosch" <Bert.Greevenbosch@huawei.com>, "Göran Selander" <goran.selander@ericsson.com>, "Ludwig Seitz" <ludwig@sics.se>, Likepeng <likepeng@huawei.com>
Betreff: [Ace] Charter Update
We updated the draft charter according to helpful input from Ludwig
Seitz and Göran Selander. I hope this improves the readability of the
charter and clarifies the scope of ACE.
We also added an item to the task list for documenting the applicability
of various security mechanisms to address for example symmetric vs
public key approaches.
Please feel free to provide further comment.
Best regards,
Steffi
Draft Charter V0.1- Authentication and Authorization for Constrained
Environment (ACE)
The CoAP (Constrained Application Protocol) is a light-weight
application layer protocol, especially suitable for applications such as
smart energy, smart home, building automation, remote patient monitoring
etc. Due to the nature of these applications, including a critical,
unattended infrastructure and usage in the personal sphere, security and
privacy protection are critical components.
There are certain, necessary security functions that constrained
devices cannot readily perform due to resource constraints. In
particular, constrained devices often have no or very limited user
interfaces. While authentication is well understood, at least for
communication security, there are only unsufficient means for
authenticated authorization. Especially cases where pre-provisioned
ACLs scale badly or where more sophisticated identity and access
management is needed are not covered. This includes the case where it
is infeasible for a constrained server to perform the authorization
decision and thus needs access to externally generated authorization
information to be able to enforce the decision. Authentication is
considered in this context as it is needed as a prerequisite to
performing authorization, including the authorization to change the
authorization state.
The ACE WG aims to enable authorized access to resources in constrained
environments, using CoAP and leveraging DTLS security where possible.
Constrained devices will thus be enabled to authenticate operations from
other (constrained or less-constrained) devices, to communicate securely
with them and to verify their individual authorization to access
specific resources. To achieve this, ACE will be able to employ
additional less-constrained devices in order to relieve the constrained
nodes from complex security related tasks (e.g. managing authorization
policies and a large number of keys).
The ACE WG has the following tasks:
Document the use cases and high-level requirements for secured
communication between constrained devices. (This task is pursued as a
means to the other ends, not as an end in itself.)
Flesh out profiles for certificates used for authenticated authorization.
Document the applicability of the various security mechanisms with
respect to resource usage (RAM, message round trips, power consumption
etc.).
Define a mechanism for authenticated and protected transfer of
authorization information suitable for constrained device to constrained
device communication.
Define formats for access tokens and for authorization information
that are suitable for constrained devices.
Define bootstrapping for authorization information using the Resource
Directory (see
http://tools.ietf.org/html/draft-ietf-core-resource-directory" target="_blank" rel="nofollow">http://tools.ietf.org/html/draft-ietf-core-resource-directory).
Existing work:
Use Cases:
http://tools.ietf.org/id/draft-garcia-core-security" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-garcia-core-security
http://tools.ietf.org/id/draft-greevenbosch-core-authreq" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-greevenbosch-core-authreq
http://tools.ietf.org/id/draft-seitz-core-sec-usecases" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-seitz-core-sec-usecases
Solutions:
http://tools.ietf.org/id/draft-gerdes-core-dcaf-authorize" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-gerdes-core-dcaf-authorize
http://tools.ietf.org/id/draft-kang-core-secure-reconfiguration" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-kang-core-secure-reconfiguration
http://tools.ietf.org/id/draft-selander-core-access-control" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-selander-core-access-control
http://tools.ietf.org/id/draft-zhu-core-groupauth" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-zhu-core-groupauth
http://tools.ietf.org/id/draft-pporamba-dtls-certkey" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-pporamba-dtls-certkey
http://tools.ietf.org/id/draft-schmitt-two-way-authentication-for-iot" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-schmitt-two-way-authentication-for-iot
http://tools.ietf.org/id/draft-seitz-core-security-modes" target="_blank" rel="nofollow">http://tools.ietf.org/id/draft-seitz-core-security-modes
http://tools.ietf.org/html/draft-sarikaya-ace-secure-bootstrapping" target="_blank" rel="nofollow">http://tools.ietf.org/html/draft-sarikaya-ace-secure-bootstrapping
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace" target="_blank" rel="nofollow">https://www.ietf.org/mailman/listinfo/ace
- [Ace] Charter Update Stefanie Gerdes
- Re: [Ace] Charter Update Göran Selander
- Re: [Ace] Charter Update Hannes Tschofenig
- Re: [Ace] Charter Update Göran Selander
- Re: [Ace] Charter Update Olaf Bergmann
- Re: [Ace] Charter Update Likepeng
- Re: [Ace] Charter Update Göran Selander
- Re: [Ace] Charter Update Olaf Bergmann
- Re: [Ace] Charter Update Göran Selander
- Re: [Ace] Charter Update Göran Selander
- Re: [Ace] Charter Update Olaf Bergmann
- Re: [Ace] Charter Update Göran Selander
- Re: [Ace] Charter Update Stefanie Gerdes
- Re: [Ace] Charter Update Göran Selander