| Re: Issue 31: Peer Authorization is optional | <– Date –> <– Thread –> |
From: Pat Calhoun (pacalhou) (pcalhoun cisco.com)
|
|
| Date: Tue, 4 Dec 2007 14:51:17 -0800 (PST) | |
All,
I had included the wrong text from version 8 of the draft below. The
broken
text follows. The issue, once more, was the reference to forgoing the
authorization check.
<old text>
Authorize to DTLS Connect (j): This transition occurs to notify the
DTLS stack that the session should be established.
WTP: This state transition occurs when the WTP has either opted
to forgo the authorization check of the AC's credentials, or
the credentials were successfully authorized. This is done by
invoking the DTLSAccept DTLS command (see Section 2.3.2.1).
AC: This state transition occurs when the AC has either opted to
forgo the authorization check of the WTP's credentials, or the
credentials were successfully authorized. This is done by
invoking the DTLSAccept DTLS command (see Section
2.3.2.1).</old text>
We are fixing this by making the authorization phase mandatory, and
providing
some guidance on the authorization process:
<text>
Authorize to DTLS Connect (g): This transition occurs to notify the
DTLS stack that the session should be established.
WTP: This state transition occurs when the WTP has successfully
authorized the AC's credentials (see Section 2.4.4). This is
done by invoking the DTLSAccept DTLS command (see
Section 2.3.2.1).
AC: This state transition occurs when the AC has successfully
authorized the WTP's credentials (see Section 2.4.4). This is
done by invoking the DTLSAccept DTLS command (see
Section 2.3.2.1).
2.4.4.3. Certificate Usage
[...]
ACs and WTPs MUST authorize (e.g. through access control lists)
certificates of devices to which they are connecting, e.g., based on
the isuer, MAC address, or organizational information specified in
the certificate. The identities specified in the certificates bind a
particular DTLS session to a specific pair of mutually-authenticated
and authorized MAC addresses. The particulars of authorization
filter construction are implementation details which are, for the
most part, not within the scope of this specification. However, at
minimum, all devices MUST verify that the appropriate EKU bit is set
according to the role of the peer device (AC vs. WTP), and that the
issuer of the certificate is appropriate for the domain in question.
</text>
PatC
-----Original Message-----
From: Pat Calhoun (pacalhou)
Sent: Monday, December 03, 2007 12:43 PM
To: capwap [at] frascone.com
Subject: [Capwap] Issue 31: Peer Authorization is optional
The draft currently makes peer authorization optional. We need to make
it mandatory, but allow for the authorization to be lightweight (e.g.,
check against an ACL that has a default permit rule).
The text is:
Authorize to DTLS Teardown (k): This transition occurs to notify the
DTLS stack that the session should be aborted.
WTP: This state transition occurs when the WTP was unable to
authorize the AC, using the AC credentials. The WTP then
aborts the DTLS session by invoking the DTLSAbortSession
command (see Section 2.3.2.1).
AC: This state transition occurs when the AC was unable to
authorize the WTP, using the WTP credentials. The AC then
aborts the DTLS session by invoking the DTLSAbortSession
command (see Section 2.3.2.1).
PatC
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/capwap
Archives: http://lists.frascone.com/pipermail/capwap
-
Issue 31: Peer Authorization is optional Pat Calhoun (pacalhou), December 3 2007
- Re: Issue 31: Peer Authorization is optional Pat Calhoun (pacalhou), December 4 2007
- Re: Issue 31: Peer Authorization is optional Pat Calhoun (pacalhou), December 21 2007
Results generated by Tiger Technologies using MHonArc.