Re: few queries in understanding the SACRED framework
Dale Gustafson <dale.gustafson <at> bpsi.net>
2001-06-11 15:18:44 GMT
Future Foundation, Inc.
Vikram Sareen wrote:
> Hi all, I have just started reading the drafts wrt SACRED. Following are the
> queries which I could not understand:
> query 1 -
>                protocol 1
> client ------------------> credential server.
>   |                          |
>   |                          | protocol 2
>   |                          v
>   +-----------------------> credential store
>            protocol 3
> Client after authentication to credential
> server using protocol 1. Client MAY / MAY NOT communicate (via credential
> with credential store for their credential access using protocol 3. I think
> always the communication should be through the credential server; the details
> of the storage should be opaque to the client. Why so? i.e. there should not be
> protocol 3 used. Only protocol 1 and protocol 2 should be used.
SACRED is protocol 1, above. The ASCII-art diagram is shown to explain the
larger context in which protocol 1 is operating. Also note that 2 and 3 are
out of scope for the framework document but related to 1.
Several list members have, at one time or another, expressed interest in /
would like to ensure that clients can update (upload) secured credentials
directly to a credential store. Others have indicated there may be a need to
download credentials directly from the credential store. The inclusion of
protocol 3 in the diagram is merely to acknowledge that direct client exchanges
with a credential store are also possible.
A clarification note has been added to the next revision of the framework
document. Due out soon.
> 2. Can I have one or more credential (like public key or my secret message)
> inside two or more credential files associated to the same user, or will a
> separate copy of it be maintained in the credential files?
Supported Credential formats such as PKCS-15 and PKCS-12 can be used to create
simple or complex secured credentials containing one or more public/private key
pairs, X.509 ID certificates, attribute certificates, secret values, application
data, etc. A typical credential used with a web browser today might contain a
key pair and the corresponding public key certificate. Security objects that go
together would be carried within a single credential. It is expected that each
user will have at least one server account which is accessed using a specific
"strong password" protocol such as PDM, SPEKE, or SRP3. Each account may have
one or more different credentials associated with it.
> thanks, vikram <vikram <at> elock.co.in>
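As an added illustration (not part of this thread or the SACRED drafts) of the account model Dale describes, the Python below sketches a strong-password login to a credential server that then releases the account's opaque credential blobs, with the server holding only a salt and verifier rather than the password. It uses SRP-6a rather than the SRP-3 named above, toy group parameters, and names (CredentialServer, client_fetch) that are my own.

```python
import hashlib
import secrets

# Toy group parameters (assumption): readable but far too small for real use;
# a deployment would use a safe prime such as an RFC 5054 group.
N = 2**127 - 1
g = 2

def H(*parts):
    """SHA-256 over the concatenation of the parts (ints big-endian encoded)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

class CredentialServer:
    """One account per user: salt, password verifier and that user's credentials."""
    def __init__(self):
        self.accounts = {}

    def enrol(self, user, password, credentials):
        salt = secrets.token_bytes(16)
        x = H(salt, H(f"{user}:{password}".encode()))
        self.accounts[user] = (salt, pow(g, x, N), credentials)  # password never stored

    def challenge(self, user, A):
        if A % N == 0:
            raise ValueError("invalid client public value")
        salt, v, _ = self.accounts[user]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(A, B)
        K = H(pow(A * pow(v, u, N), b, N))  # session key from the verifier only
        self.session = (user, A, B, K)
        return salt, B

    def release(self, M1):
        user, A, B, K = self.session
        if M1 != H(A, B, K):          # client proof must match before anything is released
            return None, None
        return H(A, M1, K), self.accounts[user][2]

def client_fetch(server, user, password):
    """Authenticate with the password and return the account's credentials, or None."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(user, A)
    if B % N == 0:
        raise ValueError("invalid server public value")
    x = H(salt, H(f"{user}:{password}".encode()))
    u = H(A, B)
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K)
    M2, creds = server.release(M1)
    return creds if M2 is not None and M2 == H(A, M1, K) else None
```

The credential values here are constructed placeholders standing in for PKCS-12 or PKCS-15 blobs; the server only verifies the proof and hands them back.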