Re: [P2PSIP] Identity certificate segregation [was Re: draft-ietf-p2psip-base publication to be requested]

Fri, 01 Jul 2011 15:44:24 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Diego,

How does this work with an access control policy like USER-NODE-MATCH, which
requires both a Node-ID and a username in the SignerIdentity?  If the Node-ID
and the username are in separate certificates, wouldn't that require to extend
the SignerIdentity structure to store multiple identities?

Thanks.

On 06/09/2011 10:47 AM, Diego Suarez wrote:
> I think it would require a (slight) modification in the base document.
> Current P2PSIP certification model is based on a single PKC (including
> both usernames and nodeIDs) that uniquely identifies a user and her
> devices. On the other hand, our model is base on a split certification.
> Devices and users are independent. Each device has its own PKC including
> a nodeID and a PK. Similarly, each user has her own PKC including her
> username and a PK. This approach do not prevent a centralized entity
> (such as an offline CA) to have information related to the devices each
> user (or company, etc.) has registered, but permits, among other
> improvements, a user to be connected to the system through devices she
> has not registered herself such as a phone issued by a telco or a fixed
> phone in a laboratory shared by all the members of a research group.
> 
> 
> On Thu, 2011-06-09 at 10:05 -0700, Marc Petit-Huguenin wrote:
> Does this model really required modifications in the base document, or can it 
> be
> designed as an extension?  (Unfortunately the paper is not freely available, 
> so
> it is difficult to know really what is needed for this).
> 
> On 06/09/2011 07:31 AM, Diego Suarez wrote:
>>>> Hi, 
>>>>
>>>> I had in mind writing a draft about this, but since I'm running out of
>>>> time, I would like to summarize a new certification model for P2PSIP I
>>>> have been working on, in case it is of interest for the group.
>>>> Further details can be found in paper:
>>>>
>>>> D. Touceda, J. Camara, L. Villalba, and J. Marquez, Advantages of
>>>> identity certificate segregation in P2PSIP systems, Communications,
>>>> IET, vol. 5, pp. 879889, Apr. 2011.
>>>>
>>>>
>>>> The idea is to split the certification of users and devices. Devices are
>>>> identified by PKCs including a nodeID and the PK of the device, while
>>>> users are identified by PKCs including a username and the PK of the
>>>> user. Similar models have been used before in other communications
>>>> systems, such as GSM where devices and users are separately represented
>>>> by the international mobile equipment identity (IMEI) stored in the
>>>> phones and the international mobile subscriber identity (IMSI) stored in
>>>> the user subscriber identity module (SIM), respectively.
>>>>
>>>> Motivations of this model are:
>>>>
>>>> - Users and devices are different entities performing different
>>>> roles within a P2PSIP system. Devices are nodes of the P2P
>>>> overlay network (represented by a nodeID) that offer services
>>>> (to route messages, to store data, . . .) to the system, while
>>>> users (represented by an username) utilize these services,
>>>> usually to establish media communications using SIP.
>>>>
>>>> - Support for mobility scenarios where a user may be logged at different
>>>> devices at the same time using the same PKC.
>>>>
>>>> - Support several users to be logged in the same device (like a fixed
>>>> phone) at the same time.
>>>>
>>>> - Support for user independent hard-coded devices.
>>>>
>>>> - Interoperability with SIP. SIP certificates are not valid in actual
>>>> P2PSIP since they don't include a nodeID.
>>>>
>>>> cheers
>>>>
>>>> Diego Suárez
>>>>
>>>>
>>>> On Wed, 2011-06-08 at 09:48 -0700, David A. Bryan wrote:
>>>>> Unless something major comes up, we plan to request the newest version
>>>>> of the base draft, draft-ietf-p2psip-base-15, be published. I'll put
>>>>> in the request in a week (June 16th or 17th). If there are any further
>>>>> comments from the last call a while ago (or further comments on the
>>>>> comments since then), please send them to the list ASAP.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> David (as chair)
>>>>> _______________________________________________
>>>>> P2PSIP mailing list
>>>>> [email protected]
>>>>> https://www.ietf.org/mailman/listinfo/p2psip
>>>>
>>>>
>>>> _______________________________________________
>>>> P2PSIP mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/p2psip
> 
> 

- -- 
Marc Petit-Huguenin
Personal email: [email protected]
Professional email: [email protected]
Blog: http://blog.marc.petit-huguenin.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4OTbsACgkQ9RoMZyVa61fT2wCgqvIOHjARLO47zfHLRTYFrgt7
XYYAn1tF6/fhwO0bfttpuy4ELx3c0kjC
=NS7V
-----END PGP SIGNATURE-----
_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip

Reply via email to