I haven't read the draft, but note that the Moonshot implementation provides fast reauth based on Kerberos tickets.
Sent from my iPhone

On 12/03/2012, at 11:16 PM, Rafa Marin Lopez <[email protected]> wrote:

> Hi Yinxing:
>
> I have seen that you have also mentioned and described the problem of fast
> re-authentication in your I-D. We have just been discussing it, as you may have
> noticed.
>
> Although I am still in favor of defining a general problem statement for this
> in ABFAB before going to solution space, I must say that here in UMU we have
> been thinking about a possible solution for providing this fast
> re-authentication procedure, which may have some similarities with yours.
>
> Basically, since GSS-EAP is used in ABFAB to provide authentication, our idea
> is to use ERP (RFC 5296) (and the associated infrastructure) to provide fast
> re-authentication in ABFAB. After all, ERP is the standard to reduce the
> authentication time in EAP-based authentications.
>
> In this way, we could extend GSS-EAP or create a GSS-ERP mechanism to
> transport ERP messages within GSS tokens. Something like:
>
> 1. Initiator --> Acceptor: GSS-EAP (EAP Initiate/Re-auth(SEQ, keyName-NAI,
>    cryptosuite, Auth-tag*))
> 1a. Acceptor --> ER-Server: AAA-Request{Authenticator-Id,
>    EAP Initiate/Re-auth(SEQ, keyName-NAI,
>    cryptosuite, Auth-tag*)}
>
> 2. ER-Server --> Acceptor: AAA-Response{rMSK,
>    EAP-Finish/Re-auth(SEQ, keyName-NAI,
>    cryptosuite, [CB-Info], Auth-tag*)}
>
> 2b. Acceptor --> Initiator: GSS-EAP (EAP-Finish/Re-auth(SEQ, keyName-NAI,
>    cryptosuite, [CB-Info], Auth-tag*))
>
> Even the ER-Server could be placed near the server (local ER server), reducing
> the travel time of the messages.
>
> Obviously this is just an idea, which needs to be elaborated and discussed.
> In fact, as I said, I think it would be better to start defining a problem
> statement, requirements etc. for fast re-authentication in ABFAB. UMU would
> be willing to work on that.
>
> Best regards.
>
> On 12/03/2012, at 10:18, [email protected] wrote:
>
>> Hi, all
>>
>> An updated version of Federated Cross-Layer Access
>> (draft-wei-abfab-fcla-02) is posted.
>> The major changes are in clause 4:
>> - 4. message flow
>> - 4.1 fast re-authentication
>> - 4.2 secure data sharing
>>
>> Here is the draft:
>> http://www.ietf.org/id/draft-wei-abfab-fcla-02.txt
>>
>> Any comments are appreciated!
>>
>> -------------
>> Yinxing Wei
>
> -------------------------------------------------------
> Rafael Marin Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: [email protected]
> -------------------------------------------------------
_______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
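The four-step GSS-ERP exchange quoted in Rafa's message (EAP-Initiate/Re-auth in a GSS token, relayed to the ER server in an AAA request, EAP-Finish/Re-auth plus rMSK coming back), modelled end to end. This is an added example written for this page, not code from the thread, from UMU or from Moonshot. It assumes a simplified message layout rather than the RFC 5296 TLV wire format, plain dicts in place of GSS and AAA encapsulation, and key-derivation labels and the cryptosuite number as recalled from RFC 5295/5296; the EMSK and keyName-NAI are constructed. The Authenticator-Id is carried but not otherwise used, and [CB-Info] channel binding is left out.

```python
# Toy model of the GSS-ERP exchange sketched above: ERP (RFC 5296) messages
# carried in GSS tokens. Constructed example; message layout, GSS/AAA wrapping
# and KDF labels are simplified or recalled, not a conformant implementation.
import hashlib, hmac, os, struct

EAP_INITIATE_REAUTH, EAP_FINISH_REAUTH = 5, 6  # EAP codes defined by RFC 5296
CRYPTOSUITE = 2        # HMAC-SHA256-128 (cryptosuite number as recalled, assumed)
TAG_LEN = 16           # 128-bit Auth-tag

def prf_plus(key, seed, length):
    """PRF+ of RFC 5295: T(n) = HMAC-SHA256(key, T(n-1) | seed | n), concatenated."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out, n = out + prev, n + 1
    return out[:length]

def kdf(key, label, data=b"", length=64):
    """USRK-style derivation: KDF(key, label | 0x00 | data | length as 16-bit BE)."""
    return prf_plus(key, label + b"\x00" + data + struct.pack(">H", length), length)

def derive_rrk(emsk):
    return kdf(emsk, b"EAP Re-authentication Root Key@ietf.org")
def derive_rik(rrk):
    return kdf(rrk, b"Re-authentication Integrity Key@ietf.org", bytes([CRYPTOSUITE]))
def derive_rmsk(rrk, seq):  # SEQ is bound into rMSK, so every re-auth yields a fresh key
    return kdf(rrk, b"Re-authentication Master Session Key@ietf.org", struct.pack(">H", seq))

def encode(code, seq, nai, cs):
    """Simplified serialization of the fields the Auth-tag covers (not RFC 5296 TLVs)."""
    return struct.pack(">BHBH", code, seq, cs, len(nai)) + nai.encode()
def decode(body):
    code, seq, cs, n = struct.unpack(">BHBH", body[:6])
    return code, seq, cs, body[6:6 + n].decode()
def auth_tag(rik, body):
    return hmac.new(rik, body, hashlib.sha256).digest()[:TAG_LEN]

class Peer:
    """GSS initiator. Keeps EMSK-derived rRK/rIK from the earlier full EAP run."""
    def __init__(self, emsk, keyname_nai):
        self.rrk, self.nai, self.seq = derive_rrk(emsk), keyname_nai, 0
        self.rik = derive_rik(self.rrk)
    def initiate(self):               # step 1: EAP-Initiate/Re-auth inside a GSS token
        self.seq += 1
        body = encode(EAP_INITIATE_REAUTH, self.seq, self.nai, CRYPTOSUITE)
        return {"body": body, "tag": auth_tag(self.rik, body)}
    def finish(self, token):          # step 2b: check EAP-Finish/Re-auth, derive rMSK
        if not hmac.compare_digest(token["tag"], auth_tag(self.rik, token["body"])):
            raise ValueError("peer: bad Auth-tag on EAP-Finish/Re-auth")
        code, seq, _, _ = decode(token["body"])
        if code != EAP_FINISH_REAUTH or seq != self.seq:
            raise ValueError("peer: unexpected EAP-Finish/Re-auth")
        return derive_rmsk(self.rrk, seq)

class ERServer:
    """Holds rRK per keyName-NAI and the highest SEQ accepted (replay protection)."""
    def __init__(self):
        self.keys, self.last_seq = {}, {}
    def register(self, keyname_nai, emsk):  # state left behind by the full authentication
        rrk = derive_rrk(emsk)
        self.keys[keyname_nai], self.last_seq[keyname_nai] = (rrk, derive_rik(rrk)), 0
    def handle(self, aaa_request):    # steps 1a/2: AAA-Request in, AAA-Response{rMSK, Finish} out
        token = aaa_request["eap"]
        code, seq, cs, nai = decode(token["body"])
        if code != EAP_INITIATE_REAUTH or nai not in self.keys:
            raise ValueError("ER: unknown keyName-NAI")
        rrk, rik = self.keys[nai]
        if not hmac.compare_digest(token["tag"], auth_tag(rik, token["body"])):
            raise ValueError("ER: bad Auth-tag")
        if seq <= self.last_seq[nai]:
            raise ValueError("ER: replayed SEQ")
        self.last_seq[nai] = seq
        body = encode(EAP_FINISH_REAUTH, seq, nai, cs)
        return {"rMSK": derive_rmsk(rrk, seq), "eap": {"body": body, "tag": auth_tag(rik, body)}}

def acceptor_reauth(er, authenticator_id, gss_token):
    """GSS acceptor: relays the token to the ER server and learns only rMSK, never rRK/rIK."""
    resp = er.handle({"Authenticator-Id": authenticator_id, "eap": gss_token})
    return resp["rMSK"], resp["eap"]

def setup(nai="abcd1234@example.org"):  # constructed keyName-NAI and EMSK
    emsk, er = os.urandom(64), ERServer()
    er.register(nai, emsk)
    return Peer(emsk, nai), er

def run_flow():
    """One fast re-auth round trip; True when peer and acceptor end with the same rMSK."""
    peer, er = setup()
    rmsk_acceptor, finish = acceptor_reauth(er, b"acceptor-1", peer.initiate())
    return rmsk_acceptor == peer.finish(finish)

def replay_is_rejected():
    """Delivering the same EAP-Initiate/Re-auth twice must fail at the ER server."""
    peer, er = setup()
    token = peer.initiate()
    acceptor_reauth(er, b"acceptor-1", token)
    try:
        acceptor_reauth(er, b"acceptor-1", token)
    except ValueError:
        return True
    return False
```

The points worth checking against the sketch: the acceptor only ever receives rMSK, which is bound to SEQ, while rRK and rIK stay with the peer and the ER server; the Auth-tag is keyed with rIK on both messages, so the acceptor cannot forge either; and the ER server must keep the highest SEQ it has accepted per keyName-NAI, or a captured EAP-Initiate/Re-auth can be replayed to mint a new rMSK. The "local ER server" variant in the quoted message also needs the domain-specific root key (DSRK) handling of RFC 5296, which this model does not include.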
