Re: [802.21] Security related study group in 802.21
Hi Maryna,
On Mon, Jul 02, 2007 at 07:23:45PM +0200, komarova wrote:
> Hi, Yoshihiro,
> thank you for so quick reaction and comments.
>
>
> >Your slide #10 discusses network identity. I have two questions here.
> >What is the difference between network name and network identity?
> >
> Network name is the name of an access network like ESSID in 802.11 and
> identity may represent the owner of this access network (operator name).
OK.
> The problem is that one operator can manage some access networks with
> different names (or even with different name presentation, e.g. 802.11
> and UMTS). A user’s home network or a security broker has roaming
> agreements/trust relations with the operator and provides a user with
> correspondent credentials. It is redundant to create authentication
> material for each access network belongs to the same operator (???). A
> MN should know what credentials are destined to what network. In this
> case the MN may need to map the name of the target network it sees (or
> returned by the IS) to the name of the target operator.
If we create a key hierarchy in the visited operator's domain (like
DSRK-based HOKEY re-authentication), the identity of the domain (which
is mostly equivalent to operator's name) needs to be bound to the key
hierarchy. In addition, the key to be used for a particular target
PoA needs to be bound to the PoA's attributes, and the name of the
target network could be one such attribute. This way, MN can map the
name of the target network it sees to the name of the target operator,
I think.
>
> Does an Information Service do such a job on information query from a user?
TYPE_IE_OPERATOR_IDENTIFIER and TYPE_IE_NETWORK_IDENTIFIER provided by
802.21 IS would correspond to the name of the target operator and the
name of the target network, respectively. On the other hand, 802.21
IS itself does not bind those parameters to keys.
>
> >(a
> >more general question is; what is the definition of network identity?)
> >
> >
> I have not found a “standard” definition, but commonly the network
> identity is its name, isn’t it?
From key management perspective, domain name or domain identifier may
be more appropriate term than network identity (and domain defines the
scope of key hierarchy), IMO.
Regards,
Yoshihiro Ohba