Stuart Vaeth | 2 Nov 2006 18:42

Provisioning protocol comparison matrix

All,

Attached is a chart that the OATH provisioning group has put together with input from RSA to provide a high level comparison of the two input protocol documents submitted for the BOF meeting (CT-KIP and DSKPP), in relation to a set of functional requirements that we believe such a key provisioning protocol should meet.

This is a fairly high level document intended to identify areas where the protocols are the same or differ, as basis for further technical discussion to produce a single IETF symmetric key provisioning protocol standard. The footnotes are intended to provide some further detail/explanation where needed as to how the protocol supports a given requirement.

Regards,

Stu

 

Stuart Vaeth

Chief Security Officer

Diversinet Corp.

781-354-7038

svaeth-+/OggRDFqlVt1OO0OYaSVA@public.gmane.org

www.diversinet.com

 

Diversinet MobiSecure Token
Protects online identities and transactions via mobile based authentication

______________________________________________

Notice to Recipient: The information in this message is meant only for the intended recipient of the transmission and may contain confidential or privileged information. Any copying, retransmittal, taking of action in reliance on, or other use of the information in this communication by persons other than the addressees is prohibited. If you received this email in error, please immediately notify us immediately and please delete or destroy all copies of this message. This message may have been altered without your or our knowledge and the sender does not accept any liability for any errors. Thank you.

 

Hallam-Baker, Phillip | 6 Nov 2006 16:25

Dinner on Wednesday

If people are interested in having dinner together on Wednesday night please RSVP me by tomorrow and I will book a table in the gaslight district.
Hallam-Baker, Phillip | 8 Nov 2006 19:38

Dinner tonight

For those of you who have RSVP'd for the dinner
 
Let's meet at the noticeboard at 7:40, after the plenary session lets out. There is an IETF chartered bus to the gaslight district which has a large number of very good restaurants. I have the following RSVPs:
 
Russ Housley
Stuart Vaeth
Susan Cannon
Mingliang Pei
Andrea Doherty
Phill Hallam-Baker
 
I am just about to talk to the concierge. Will send an update with the name of the Restaurant as soon as I do.
 
 
Hallam-Baker, Phillip | 9 Nov 2006 00:25

RE: Dinner tonight

I have a reservation for 7 at Greystone 658 on 5th ave in the gaslight district

Concierge says it's steak and seafood type

From: Hallam-Baker, Phillip
Sent: Wednesday, November 08, 2006 1:39 PM
To: 'ietf-keyprov-RVczLawcDSlg9hUCZPvPmw@public.gmane.org'
Cc: 'Russ Housley'
Subject: Dinner tonight

For those of you who have RSVP'd for the dinner
 
Let's meet at the noticeboard at 7:40, after the plenary session lets out. There is an IETF chartered bus to the gaslight district which has a large number of very good restaurants. I have the following RSVPs:
 
Russ Housley
Stuart Vaeth
Susan Cannon
Mingliang Pei
Andrea Doherty
Phill Hallam-Baker
 
I am just about to talk to the concierge. Will send an update with the name of the Restaurant as soon as I do.
 
 
Shoichi Sakane | 9 Nov 2006 21:42

for small devices

Hi,

I have a request from the viewpoint of very small devices.
Please make the provisioning protocol as compact as possible.
At least for a very small device, which has memory limitations,
CPU power consumption, bandwidth limitation and battery consumption constraints,
the packet size becomes a serious problem.
For example, I don't know how important the XML format is for such a protocol.
However, I don't exactly understand what the client device of this WG is.
So this request might not be suitable for this WG.
Hallam-Baker, Phillip | 10 Nov 2006 22:22

Next Steps after the BOF

The next step that we need to take is to reach consensus on the charter with a view to getting it to an IETF last call via the IESG.

Thanksgiving is closing fast so please raise concerns now rather than waiting until we get to last call here.

As discussed at the meeting we are not going to produce an applicability statement now or do technical work until we have a charter.


The charter text was:

Current developments in inter-domain Shared Symmetric Key tokens and inter-domain use of Kerberos have highlighted the need for a standard protocol for provisioning symmetric keys.

The need for provisioning protocols in PKI architectures has been recognized for some time. Although the existence and architecture of these protocols provides a feasibility proof for the KEYPROV, assumptions built into these protocols make them inapplicable to symmetric keys.

In particular the ability to provision symmetric keys and associated attributes dynamically to already issued devices such as cell phones and USB drives is highly desirable. The working group will develop the necessary protocols and data formats required to support provisioning and management of symmetric key authentication tokens, both proprietary and standards based.

Deliverables:

  • Requirements and use cases
  • Protocol specification
  • Key Container specification
Shanmugam, Murugaraj | 13 Nov 2006 15:26

Joining the mailing list

Hi,

I would like to participate in the KeyProv WG. Please add me to the mailing list.

Ciao,
Raj.

Shanmugam, Murugaraj | 13 Nov 2006 16:09

Updated Charter text

Hi,

Could you please send me an updated version of our charter discussed in
the BoF?

Thanks

Ciao,
Raj.

-----Original Message-----
From: ietf-keyprov-bounces@...
[mailto:ietf-keyprov-bounces@...] On Behalf Of
ietf-keyprov-request@...
Sent: Monday, November 13, 2006 4:03 PM
To: Shanmugam, Murugaraj
Subject: Welcome to the "Ietf-keyprov" mailing list

Welcome to the Ietf-keyprov@... mailing list!

To post to this list, send your email to:

  ietf-keyprov@...

General information about the mailing list is at:

  http://www.safehaus.org/mailman/listinfo/ietf-keyprov

If you ever want to unsubscribe or change your options (eg, switch to
or from digest mode, change your password, etc.), visit your
subscription page at:

  http://www.safehaus.org/mailman/options/ietf-keyprov/murugaraj.shanmugam%40siemens.com

You can also make such adjustments via email by sending a message to:

  Ietf-keyprov-request@...

with the word `help' in the subject or body (don't include the
quotes), and you will get back a message with instructions.

You must know your password to change your options (including changing
the password, itself) or to unsubscribe.  It is:

  123456

Normally, Mailman will remind you of your safehaus.org mailing list
passwords once every month, although you can disable this if you
prefer.  This reminder will also include instructions on how to
unsubscribe or change your account options.  There is also a button on
your options page that will email your current password to you.
Hallam-Baker, Phillip | 13 Nov 2006 20:14

Charter discussion - Kerberos

Further to the charter discussion I think we need to consider the role of Kerberos.
 
The feeling I took away from the meeting was:
 
1) Kerberos is not a priority for KEYPROV (unanimous)
2) Nobody will object if KEYPROV turns out to support Kerberos
3) Nobody will object much if it turns out not to be possible to support Kerberos easily
4) Many people would like us to avoid making KEYPROV unnecessarily incompatible with Kerberos
 
What I take from this is that we should remove the reference to Kerberos in the first paragraph of the proposed charter and instead add a paragraph at the end something like:
 
"While the intended field of application should be narrowly drawn the Working Group shall avoid unnecessary limitations and ensure the potential for future extensibility by considering proof of concept designs for application in other symmetric keyed protocols, in particular Kerberos and DNSSEC."
Hallam-Baker, Phillip | 14 Nov 2006 17:14

RE: Charter discussion - Kerberos

That is my feeling precisely.

I will object to considering a Kerberos binding if any of the following appear to be the case:

1) it appears to be a rathole
2) it appears to be a poor technical match
3) there are insufficient people to work on and review it

The point of looking at other related applications is primarily to inform the design of the base
specification and help us understand it better.

I think that done right this is a very good design practice as it helps to eliminate the type of 'special
pleading' that sometimes leads to designs so narrowly targeted that they have to be redesigned to meet their
own needs, let alone expand to other areas of application.

> -----Original Message-----
> From: Sam Hartman [mailto:hartmans-ietf@...] 
> Sent: Tuesday, November 14, 2006 10:06 AM
> To: Hallam-Baker, Phillip
> Cc: ietf-keyprov@...; Russ Housley
> Subject: Re: Charter discussion - Kerberos
> 
> I mostly agree with what you say.
> 
> I will however strongly object if there is an attempt to use 
> keyprov for Kerberos and it's not a good fit.  So, provided 
> that we're all clear that a Kerberos-specific protocol is 
> better than a bad match between Kerberos and keyprov, your 
> text seems OK to me.
> 
