Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Re: [802.21] Security related study group in 802.21

To: komarova <komarova@ENST.FR>
Subject: Re: [802.21] Security related study group in 802.21
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Date: Mon, 2 Jul 2007 17:13:10 -0400
Cc: STDS-802-21@listserv.ieee.org
In-Reply-To: <468934A1.6000205@enst.fr>
List-Help: <http://listserv.ieee.org/cgi-bin/wa?LIST=STDS-802-21>, <mailto:LISTSERV@LISTSERV.IEEE.ORG?body=INFO STDS-802-21>
List-Owner: <mailto:STDS-802-21-request@LISTSERV.IEEE.ORG>
List-Subscribe: <mailto:STDS-802-21-subscribe-request@LISTSERV.IEEE.ORG>
List-Unsubscribe: <mailto:STDS-802-21-unsubscribe-request@LISTSERV.IEEE.ORG>
References: <2198383E1141814486F0B881B3260CF530132B@daebe103.NOE.Nokia.com> <46890A7A.8010406@enst.fr> <20070702160408.GD7059@steelhead.localdomain> <468934A1.6000205@enst.fr>
Sender: stds-802-21@ieee.org
User-Agent: Mutt/1.5.13 (2006-08-11)

Hi Maryna,

On Mon, Jul 02, 2007 at 07:23:45PM +0200, komarova wrote:
> Hi, Yoshihiro,
> thank you for so quick reaction and comments.
> 
> 
> >Your slide #10 discusses network identity.  I have two questions here.
> >What is the difference between network name and network identity? 
> >
> Network name is the name of an access network like ESSID in 802.11 and
> identity may represent the owner of this access network (operator name).

OK.

> The problem is that one operator can manage some access networks with
> different names (or even with different name presentation, e.g. 802.11
> and UMTS). A user’s home network or a security broker has roaming
> agreements/trust relations with the operator and provides a user with
> correspondent credentials. It is redundant to create authentication
> material for each access network belongs to the same operator (???). A
> MN should know what credentials are destined to what network. In this
> case the MN may need to map the name of the target network it sees (or
> returned by the IS) to the name of the target operator.

If we create a key hierarchy in the visited operator's domain (like
DSRK-based HOKEY re-authentication), the identity of the domain (which
is mostly equivalent to operator's name) needs to be bound to the key
hierarchy.  In addition, the key to be used for a particular target
PoA needs to be bound to the PoA's attributes, and the name of the
target network could be one such attribute.  This way, MN can map the
name of the target network it sees to the name of the target operator,
I think.

> 
> Does an Information Service do such a job on information query from a user?

TYPE_IE_OPERATOR_IDENTIFIER and TYPE_IE_NETWORK_IDENTIFIER provided by
802.21 IS would correspond to the name of the target operator and the
name of the target network, respectively.  On the other hand, 802.21
IS itself does not bind those parameters to keys.

> 
> >(a
> >more general question is; what is the definition of network identity?)
> >  

> >
> I have not found a “standard” definition, but commonly the network
> identity is its name, isn’t it?

From key management perspective, domain name or domain identifier may
be more appropriate term than network identity (and domain defines the
scope of key hierarchy), IMO.

Regards,
Yoshihiro Ohba

References:
- Security related study group in 802.21
  - From: Michael.G.Williams
- Re: [802.21] Security related study group in 802.21
  - From: komarova
- Re: [802.21] Security related study group in 802.21
  - From: Yoshihiro Ohba
- Re: [802.21] Security related study group in 802.21
  - From: komarova

Prev by Date: Teleconference July 03
Next by Date: Re: [802.21] Security related study group in 802.21
Previous by thread: Re: [802.21] Security related study group in 802.21
Next by thread: Lettbet Ballot Recirculation #1e Announcement
Index(es):
- Date
- Thread