General:
- It is not clear why we need to address the
PA security now when not all the pieces are well understood yet. Especially
without a “full picture” view of the PA and its state flow, it will be hard to
determine the best security model to be provided. I would suggest that we focus first on
stabilizing the PA and PB constructs before we finalize or contemplate the
security aspects for the PA.
- It is hard to “connect” how the PA and PB will
work together given the lack of specificity or examples with particular
transport protocols. It would be
good if at least an example packet flow, from initial discovery or
publication/subscription to the PA attributes to their completion (inclusive
of both successful and unsuccessful transactions), is provided.
- The CMS model adapted for NEA and provided in
draft-sangster-nea-pa-tnc-security-00.txt doesn’t seem to fit either the dynamic
or the group nature of the PA.
The draft-sangster-nea-pa-tnc-00.txt draft implies a dynamic group relationship given
the publish/subscribe model; this imposes a problem for encryption as the
message recipient must be known.
Do you send multiple messages?
Do you send to an intermediary (PB perhaps)? Is there some other key
establishment method (key server, multiparty DH,...)
For replay detection, it appears that the initial
message is not protected (this may not be a problem). If there are multiple parties involved
in the exchange it is not clear how the nonce is generated and
validated.
Further, the addition of a capabilities discovery
is alluded to in the draft, but the details are unclear or inconsistent. Section 2.4 mentions “The algorithm list
is encapsulated within a signed CMS message that the recipient can use to verify
the authenticity and integrity of the algorithm”, but given the group nature of
the PA and a discovery of capabilities, it's unclear how a signature can be
imposed in the message for proper validation if the appropriate trust anchors
have not been established. Can other
algorithms be explored beyond RSA for signing and ECDSA for validation (these
are very computationally expensive)?
A state or process flow diagram should be provided, or at minimum a
description
- Given the dynamic group aspect of the PA, it is
unclear how key management and key lifetimes are asserted and
enforced.
- draft-sangster-nea-pa-tnc-security-00.txt
enforces the use of certificates which may be prohibitive in some
deployments. There are network
deployments today that are not PKI “ready”, nor do they have the means and
perhaps desire to enforce PKI.
The security model should allow for such “legacy” deployments and
scenarios to work as well.
- The security mechanisms should employ NIST-approved
cryptographic algorithms; SHA-1 will be deprecated by 2010 and should
be avoided if possible.
Nancy.