[Nsi-wg] Issue 28 in ogf-nsi-project: Security
ogf-nsi-project at googlecode.com
ogf-nsi-project at googlecode.com
Fri Oct 7 07:42:36 CDT 2011
Comment #7 on issue 28 by thost... at gmail.com: Security
http://code.google.com/p/ogf-nsi-project/issues/detail?id=28
Hadn't seen that document before.
In my opinion it misses one of the key points with NSI, i.e., that NSAs
trust each other, and that a global user list isn't needed. When putting in
signed requests into the message, an NSI infrastructure is essentially
turned into a relay network. If a network provider does not trust other
NSAs to make create connections, and requires proof of user identity, they
should probably have users contact them directly and use something else
than NSI.
You can still propage end user identity (credentials are secrets, e.g.,
password or private keys, and are not intented for distribution), but the
attributes can only be informative, not be used for authentication or
authorization (not unlike the requesterNSA / providerNSA fields, and any
other fields in the message).
More information about the nsi-wg
mailing list