[voms-proc-wg] [Nsi-wg] OGF NSI networking architecture and need for certificates with restricted user base

John MacAuley macauley at es.net
Thu Jul 31 12:21:59 EDT 2014


Yes, I was indeed mixing authentication and basic authorization.  I have solved the issue by adding certificate DN authorization in Apache after the TLS session is established.  It is just too bad TLS gets established in the first place with these wide ranging CAs.  Seems a bit senseless in the grand scheme of security.

Java based implementations can override the default SSL Engine to give customized handling of the certificates, which solves my problem during the negotiation phase.  Unfortunately, not everyone can do this.

"Self-signed certificates will not scale." - It really depends on the deployment requirements of the application.  We are discussing control plane peering of service agents, of which an organization will typically have a handful to tens for the foreseeable future.  I would not use self-signed for use cases where I am dealing with 100 - 1,000s of clients.  In that case it definitely does not scale.  However, having to provision 1,000s of access control lists to restrict access does not scale as well.  If this was the case an entirely different solution would be required that does not depend on SSL/TLS for anything other than encryption.

As they say, six of one, half a dozen of the other.

Thank you for the feedback.

John
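To make the authentication-versus-authorization split discussed in this thread concrete, here is an added example (not from the thread, Apache, or any NSI implementation) of a post-handshake subject-DN allowlist check built on Python's ssl module, in the spirit of the Apache DN check described above. The hostnames, organization names and function names are constructed for illustration.

```python
"""TLS client-certificate authentication vs. DN-based authorization.

A successful handshake against a CA bundle only proves that the peer holds a
key certified by *some* trusted CA (authentication). Which of those identities
may actually use the service is a separate authorization decision, made here by
comparing the peer's subject DN against an explicit allowlist.
"""
import ssl
from typing import Dict, FrozenSet, Optional

def subject_dn(cert: Dict) -> str:
    """Render the 'subject' field of ssl.SSLSocket.getpeercert() as a DN string.

    getpeercert() gives the subject as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs; joining them in order yields a stable key."""
    return ",".join(f"{attr}={value}"
                    for rdn in cert.get("subject", ())
                    for attr, value in rdn)

def authorize_peer(cert: Optional[Dict], allowed_dns: FrozenSet[str]) -> bool:
    """True only if the peer presented a certificate whose subject DN is in the
    allowlist. No certificate at all (client auth not enforced) is a deny."""
    if not cert:
        return False
    return subject_dn(cert) in allowed_dns

def serve_authorized(conn: ssl.SSLSocket, allowed_dns: FrozenSet[str]) -> bool:
    """Post-handshake check for a server-side SSLSocket whose context was set
    up with verify_mode=ssl.CERT_REQUIRED: drop the connection unless the
    authenticated DN is on the allowlist."""
    if not authorize_peer(conn.getpeercert(), allowed_dns):
        conn.close()
        return False
    return True

# Constructed sample certificates in the getpeercert() dict shape. Both would
# pass chain validation against a broad public CA bundle; only the first is
# an authorized peer.
PEER_NSA = {"subject": ((("countryName", "US"),),
                        (("organizationName", "ExampleNet"),),
                        (("commonName", "nsa1.example.net"),))}
PEER_STRANGER = {"subject": ((("countryName", "US"),),
                             (("organizationName", "Other Org"),),
                             (("commonName", "nsa9.example.org"),))}
ALLOWED = frozenset({"countryName=US,organizationName=ExampleNet,commonName=nsa1.example.net"})

if __name__ == "__main__":
    print(authorize_peer(PEER_NSA, ALLOWED))       # True
    print(authorize_peer(PEER_STRANGER, ALLOWED))  # False
    print(authorize_peer(None, ALLOWED))           # False
```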

On 2014-07-31, at 10:58 AM, Mischa Salle <msalle at nikhef.nl> wrote:

> Hi Alan,
> 
> I think he's mixing authentication and authorization. If I look at 
> page 10, my reaction is, there is nothing wrong in trusting that client
> cert #2 is client cert #2, that's only the authentication part. That
> doesn't mean you also *allow* client cert #2. Same on page 11, trusting
> a certificate there should mean trusting that the identity is what it
> claims to be. Doesn't mean allowing it to enter.
> If this is indeed his whole use-case, I would say, go for (a subset of)
> public CAs and restrict access based on specific DNs. That gives you
> still all the revocation and renewal possibilities while at the same
> time allowing for restricted access.
> A private CA could work, but is a lot of work, and not trivial to keep
> safe... Self-signed certificates will not scale. They give no way of
> revocation, big problems with expiry etc.
> If they need more advanced authZ, such as based on certain roles, then
> indeed VOMS attribute certificates might be useful, although that would
> mean software adaptations.
> 
>    Best wishes,
>    Mischa Sallé
> 
> On Wed, Jul 30, 2014 at 03:34:08PM +0000, Sill, Alan wrote:
>> Dear folks in the OGF CAOPS, VOMS-PROC and NSI working groups.
>> 
>> I'd like to initiate some discussion among the participants in these
>> working groups for the use case referred to in the talk at the link
>> below.
>> 
>> Some review of the conditions for this use case would be helpful. Note
>> this is also a use case that comes up in Internet-of-Things
>> discussions, and has caused some discussion on the PKIX group list
>> (though that group is now dormant of course) and other related lists
>> lately.
>> 
>> To me this is a familiar situation with well-known parameters, but
>> possibly some additional considerations, and might possibly lead to
>> some useful communication among the members in these groups about
>> solutions that could be applied using existing technologies that would
>> avoid the possible downsides associated with the proposed use of
>> self-signed certificates. (For example, extended attribute
>> certificates as used in VOMS, though the same or perhaps through a
>> different implementation, might be a good solution here; other
>> solutions might be contemplated that would be more attractive than
>> self-signed certificates for this situation.)
>> 
>> Your comments, discussion and input are recruited (by me -- I'm not
>> speaking for the NSI-WG members per se!), and I hope that all parties
>> will regard this as useful discussion for information exchange only.
>> 
>> Thanks,
>> Alan
>> 
>> Begin forwarded message:
>> 
>> From: Guy Roberts <Guy.Roberts at dante.net>
>> Subject: RE: [Nsi-wg] Wednesday's NSI conf call
>> Date: July 30, 2014 at 1:30:19 PM GMT+2
>> To: Alan Sill <kilohoku150 at gmail.com>
>> 
>> Hi Alan,
>> 
>> Please find the slides on NSI security here:
>> 
>> https://redmine.ogf.org/dmsf/nsi-wg?folder_id=6592
>> 
>> The proposal is that NSAs will run their own private Certificate Authorities (self-signing) rather than using public Certificate Authorities.  Participating NSAs will then exchange information about each other’s Certificates in an ad hoc way.
>> 
>> This solution does not scale well as private Certificates have to be manually shared, but it reduces the size of the certificate pool.
>> 
>> Guy
>> 
>> From: Alan Sill [mailto:kilohoku150 at gmail.com]
>> Sent: 30 July 2014 10:56
>> To: Guy Roberts
>> Cc: Alan Sill
>> Subject: Re: [Nsi-wg] Wednesday's NSI conf call
>> 
>> Guy,
>> 
>> On Jul 30, 2014, at 11:02 AM, Guy Roberts <Guy.Roberts at dante.net> wrote:
>> 
>> - comments/feedback from last week’s presentation from John on ‘Secure Communications with Self Signed Certificates’
>> 
>> Are copies of these slides available? I would like to understand the context.
>> 
>> (In general, use of self-signed certificates is risky at best, so I would like to understand the use case here.)
>> 
>> Alan
>> 
> 
> 
> 
> -- 
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..


