[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TAA definition

To: Paul Hoffman <paul.hoffman@xxxxxxxx>
Subject: Re: TAA definition
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 4 Sep 2007 03:17:27 -0400
Cc: <ietf-trust-anchor@xxxxxxxx>
In-reply-to: <>
List-archive: <http://www.vpnc.org/ietf-trust-anchor/mail-archive/>
List-id: <ietf-trust-anchor.vpnc.org>
List-unsubscribe: <mailto:ietf-trust-anchor-request@vpnc.org?body=unsubscribe>
References: <> <> <> <> <> <>
Sender: owner-ietf-trust-anchor@xxxxxxxxxxxxx

...
I don't tend to think of a TAA providing TAs that may or may not beinstalled, at the whim of a client, unless the client is a TAA withgreater privilege.
This is the enterprise model where a single TAA essentially controlsthe TA store. The individual model is where the individual choosesmore than one TAA and may select which of the TAAs' advice to take.More recently on this list, a hybrid model has appeared, which saysthat once an individual accepts a TAA, they will take whatever theTAA tells them, even if it conflicts with what another selected TAAhas told them in the past.

The enterprise model probably would be an OK start for some DoDenvironments with which I am familiar, although it is not rich enoughfor all the cases I know about. The "hybrid" model seems incomplete,as briefly characterized. If TAAs exist as parallel, independent,entities, there could be considerable confusion if different TAAsinstall different TAs that overlap in their scope.

This gets back to the issue I cited earlier, and reiterated severaltimes. Each TAA has to have an ability to associate some scope withit. This scope may have to be imposed on TAs installed "under" eachTAA. That way one can use static analysis of TAAs to determinewhether there are overlaps that might cause problems. The same istrue for TAs, if one has a "flatter" TA management arrangement.

For example, imagine a security device that implements IPsec but alsoincorporates application layer proxies as well. The device vendor isthe only authorized source for the IPsec software. One or more othervendors are authorized sources for the application layer proxies. Theset of application proxy vendors is managed by the device vendor,because he has "qualified" them as OK providers re the device. Theenterprise security administrator is the only authorized source forIPsec PAD/SPD management, which is represented as a signed file.

To enforce these different authorizations I want to be able toassociate different TAs with different sources. For example the onlyauthorized source of IPsec software (and basic device software) isthe device vendor. For the application proxies, I might need a TA pervendor, and maybe a TAA that allows me to manage the installation ofthose TAs. I would need one TA for the PAD/SPD, and a TAA formanaging TAs for IKE.

For the software sources (IPsec and application proxies) I could makeuse of the firmware wrapper format (RFC 4108) for signed software. Imight use the same format for the SPD files (even though they are notsoftware per se). In that format, the preferred firmware package nameis an OID, and a version number.

The fact that 4108 labels packages (files) by OID presents anopportunity for using these OIDs for authorization. One might easilystructure the OIDs used here to distinguish the IPsec software fromthe proxy software packages (and from the PAD/SPD file). Thedifferent proxy software packages also should be labelled by vendor,to prevent one vendor from supplying a package for another.

To enforce this simple policy there is a need to make sure that whenone validates a signature on a package using a TA, that the TA is theright one. It is not enough that the TA is referenced by thepackage; the TA must be authorized to verify signatures on packagesof a specific type. This can be enforced by associating with each TAan OID that is the prefix of the labels associated with the packagessigned by the relevant vendor, or by the local admin. The OID confersauthorization to verify firmware package signatures that have thatOID as a prefix for the package name. This way if a vendor (or a sysadmin) mislabels a package, the TA used to verify the package willreject it.

One would like to be able to employ the same sort of authorization upone level, i.e., for TAAs. For example, if we install a TAA formanaging TAs for KE, we don't want that TAA installing TAs that canbe used to verify package signatures.


This example is just offered to motivate the following observations:

- one needs to be able to bind data to each TA to constrainthe set of signed objects that the TA is authorized to verify.

- one also needs to be able to express the same sort ofauthorization data to TAAs, so that each TAA can "flow down" theseconstraints

- for TAAs, there also will need to be a way to expressadditional authorization data (if we support a hierarchy of TAAs)where this data relates to management of TAAs by other TAAs

If we want to develop a standard that is applicable in a wide rangeof contexts, then I think we need to define the required capabilitiesfor expressing and binding authorization data to TAs and TAAs. Ithink the observations above suggest that one needs to know a fairamount about what types of authorization data can be expressed viathe TAA/TA data structure, in order to be able to determine if acandidate TAA/TA mechanism is sufficiently expressive for a candidatetype of environment.


Steve

Follow-Ups:
- Re: TAA definition
  - From: Henry B. Hotz
- RE: Multiple TAAs
  - From: Black_David

References:
- Revised draft charter
  - From: Turner, Sean P.
- Re: Revised draft charter
  - From: Stephen Kent
- RE: Revised draft charter
  - From: Turner, Sean P.
- TAA definition
  - From: Paul Hoffman
- Re: TAA definition
  - From: Stephen Kent
- Re: TAA definition
  - From: Paul Hoffman

Prev by Date: Re: TAA definition
Next by Date: Re: Multiple TAAs
Previous by thread: Re: TAA definition
Next by thread: RE: Multiple TAAs
Index(es):
- Date
- Thread