RE: [802.21] [Access Control] Activity Kick-off
Hi Ele,
I cannot think 21 being deployed without this functionality. If 802.21
does not incorporate it in the spec, it may have to done in some
proprietary way. The followign are my thoughts.
1. It would be good to have a subscription id separately (from MIHF-ID,
once we know what it is exactly).
2. How to authenticate the user/id? It would be natural to think of
some bootstrapping mechanism at MIH level. We can also generate some
session and associated policies and parameters if needed (for that
user).
3. We also need message authentication. Some sort of keys for MIC usage
derived from the auth exchange would be a good way forward.
4. IMO, policy distribution is perhaps not in the scope of 802.21.
5. Mechansims for information queries tied to user id (which may filter
the information parameters)
6. Define restrictions with unsecure queries (that don't use
authenticated means)
Regards,
Srini
-----Original Message-----
From: ext Hepworth, Eleanor [mailto:eleanor.hepworth@ROKE.CO.UK]
Sent: Thursday, February 15, 2007 9:39 AM
To: STDS-802-21@LISTSERV.IEEE.ORG
Subject: [802.21] [Access Control] Activity Kick-off
Hi all,
As you may recall, there was a presentation in London about providing
access control to IEs held by the Information Server. This was intended
to start addressing some concerns raised by operators about what
information is shared with whom.
After a chat with Vivek, we thought it might be easier to continue these
discussions on the 802.21 mailing list (hopefully interested Ambient
people will have signed up by now), so here is an e-mail to kick this
activity off.
The main implication of introducing support for Access Control seems to
be the following:
1) we need to include something in the query message that identifies the
user.
2) we need someway to verify the user identity
3) we need someway to distribute policies associated with that user to
the Information Server so it can decide what information it should send.
Options for 1):
- introduce a new user identity IE that is included in the request
messages
- make use of the current MIHF ID (although some reservations about this
option were expressed in London)
Options for 2):
This is quite a complicated issue, especially when you consider roaming
scenarios with multiple domains (as Raffaele discussed during his
presentation - 21-07-0035).
Possibly the simplest approach would be to reuse some, or all, of the
existing AAA infrastructure somehow, and limit the information the user
can access before authentication to a set of non-sensitive IEs..?
Otherwise we will end up trying to define our own authentication
procedures.
Options for 3):
Lots. But I'm not sure this is something that falls within the scope of
802.21?
Comments/opinions appreciated.
Thanks
Ele