On 9/16/2016 6:03 AM, Eliot Lear wrote:

Hi Mike,

On 9/15/16 5:36 PM, Michael StJohns wrote:
Hi Eliot et al -

Sorry, I think you're still missing the point:

  * Source Authentication (A) cannot be accomplished securely by
    Symmetric Key Multicast  (^B):   (A -> ^B)
  * Cyber Physical control functions (C)  require source
    authentication  (A):  (C -> A)
  * Turning on and off lights (D) is a Cyber Physical Control
    Function (C):  (D -> C)
  * Therefore Turning on and off lights (D) requires source
    authentication (B):  (D -> C -> A) (D -> A)
  * Therefore Turning on and off lights (D) cannot be accomplished
    securely by Symmetric Key Multicast (^B):  (D -> C) ( C -> A) (D
    -> C -> A) ( D->A) (A -> ^B) (D -> ^B).

Apologies if I got the formal logic wrong - it's been a while.

All of this seems about right to me, but with two big caveats:

 1. We are, I think, talking about group-based communications and not
    necessarily group-based authorization for device control.  There
    is a difference, albeit subtle.  One could reasonably envision
    borrowing from lower layers to satisfy device authorization

Sorry - we've really been talking about using symmetric key multicast for control functions (cf. all the discussions on lighting control and the ever-reducing maximum latency requirement). Authorization is really about whether or not a given entity accepts and acts on a given authenticated message. Trying to parse this as group comms (which I took you to mean "secure group comms") vs. group authorization is really a red herring here, as you can't have meaningful authorization without meaningful authentication, and so far we haven't gotten that far.

 2. The question here is whether this is the right level to address
    the problem.  And I'll ask my clarifying question again: is there
    a more logical place to anchor identity, like above or below this

This is mostly an irrelevant question at this point. Once we agree that symmetric key multiparty (N>2, or 3 in the case of a Kerberos system) authentication is off the table, then talking about which level to put this at reduces down to either per application or per device and the associated protocols for each of those. It's entirely possible a message might be authenticated by credentials at multiple protocol layers depending on who owns what in the mesh.

Later, Mike
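The property being argued in this thread (a single symmetric group key cannot give source authentication, because every holder of the key can produce a valid tag for any claimed sender) can be shown with a few lines of standard-library Python. The following is an added illustration and not code from the thread or from any ACE draft; the device names, the "sender|command" frame format, and the use of HMAC-SHA256 as the stand-in for whatever MAC a multicast group would use are all constructed for the example. It contrasts one shared group key with the N=2 case Mike mentions (a distinct pairwise key between the controller and each bulb), and also counts the cost of the pairwise approach: the controller has to produce one tag per recipient instead of one multicast frame.

```python
import hashlib
import hmac
import secrets

# Constructed device set: one controller and three bulbs.
GROUP = ["controller", "bulb_a", "bulb_b", "bulb_c"]


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 stands in for the group's MAC (an assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)


def frame(sender: str, command: str) -> bytes:
    """Constructed wire format: the claimed sender and the command."""
    return f"{sender}|{command}".encode()


def group_key_scenario(attacker: str = "bulb_c") -> dict:
    """One key shared by all members: any member can forge any sender.

    A compromised bulb builds a frame claiming to come from the
    controller and tags it with the group key it legitimately holds.
    Returns, per other member, whether that member accepts the forgery.
    """
    k_group = secrets.token_bytes(32)
    keys = {m: k_group for m in GROUP}
    forged = frame("controller", "lights_on")
    tag = mac(keys[attacker], forged)
    return {r: verify(keys[r], forged, tag) for r in GROUP if r != attacker}


def pairwise_key_scenario(attacker: str = "bulb_c") -> dict:
    """Controller shares a distinct key with each bulb (N=2 per link).

    The compromised bulb only holds its own pairwise key, so its forgery
    carries a tag no other bulb can verify. Returns, per other bulb,
    whether that bulb accepts the forgery.
    """
    pair_keys = {b: secrets.token_bytes(32) for b in GROUP if b != "controller"}
    forged = frame("controller", "lights_on")
    tag = mac(pair_keys[attacker], forged)
    return {b: verify(pair_keys[b], forged, tag) for b in pair_keys if b != attacker}


def pairwise_legitimate_send(command: str = "lights_on") -> dict:
    """The honest controller under pairwise keys.

    Every bulb accepts the command, but the controller must compute and
    send one tag per bulb: the single multicast frame is lost. Returns
    the number of tags produced and each bulb's verification result.
    """
    pair_keys = {b: secrets.token_bytes(32) for b in GROUP if b != "controller"}
    msg = frame("controller", command)
    tags = {b: mac(k, msg) for b, k in pair_keys.items()}
    accepted = {b: verify(pair_keys[b], msg, tags[b]) for b in pair_keys}
    return {"tags_sent": len(tags), "accepted": accepted}


if __name__ == "__main__":
    print("group key, forgery accepted by:", group_key_scenario())
    print("pairwise keys, forgery accepted by:", pairwise_key_scenario())
    print("pairwise keys, honest send:", pairwise_legitimate_send())
```

Under the group key every receiver, the real controller included, accepts the bulb's forgery; under pairwise keys no other bulb does, but the controller now sends as many tags as there are bulbs, which is exactly the latency and bandwidth cost the lighting discussions were trying to avoid.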


Ace mailing list