Re: [802.21] Security SG: Scope issues (MIH-level Security)
On Fri, Dec 21, 2007 at 10:41:07AM -0500, Ron Pon wrote:
> I agree that the study group should include within the scope of the PAR the requirements on where transport security must be applied and recommend at least one set of transport security protocols and their settings (authentication, encryption, etc.). Including this would address system level security and interoperability.
>
I agree that we need more work to regard transport-level security as
equivalent to MIH-level security. Specifically:
- The transport entity identifier used for transport entity
authentication must be the same as the MIH entity identifier.
(Otherwise, MIH endpoints can be different from transport endpoints,
and hence there is no MIH authentication even if there is transport
entity authentication.)
- MIH protocol state would need to be tightly coupled with transport
security state to ensure that MIH protocol messages will not be carried
over unprotected transport. For example, if an IPsec SA providing
protection to the transport protocol is deleted, then the MIH entity
should not use the transport for MIH message delivery.
> However, if the question is when security should be applied at the application (MIH) level rather than at the transport level, I struggle to identify any case. Transport level security is probably sufficient to protect MIH messaging, even authentication.
I share your concern. Do we really need to define MIH-level security
rather than defining an appropriate hook to the transport-level
security to provide the functionality equivalent to MIH-MIH
authentication and MIH message protection?
Yoshihiro Ohba
>
> Maybe, optional additional integrity can be placed on some information elements by signing, e.g., the MIH agent could sign information it collects such as location and battery level.
>
> Regards,
> Ron
>
> > -----Original Message-----
> > From: Clint Chaplin [mailto:clint.chaplin@GMAIL.COM]
> > Sent: Tuesday, December 18, 2007 6:17 PM
> > To: STDS-802-21@LISTSERV.IEEE.ORG
> > Subject: Re: [802.21] Security SG: Scope issues (MIH-level Security)
> >
> > MIH-MIH authentication.
> >
> > On 12/18/07, Yoshihiro Ohba <yohba@tari.toshiba.com> wrote:
> > > We had a good discussion on scope issues on the SSOH (Security Signaling
> > > Optimization during Handover) problem.
> > >
> > > Let me start another thread to discuss scope issues on another
> > > security-related problem, i.e., MIH-level security mechanisms (MIHS).
> > >
> > > Since MIHS has not been discussed much, we need more discussion so
> > > that we can formulate the MIHS part of the PAR before the January meeting.
> > >
> > > Please state your opinion on the following issue by December 21 (Fri),
> > > 2007.
> > >
> > > Issue: What are the use cases that require MIH-level security instead
> > > of transport-level security?
> > >
> > > Best Regards,
> > > Yoshihiro Ohba
> > >
> >
> >
> > --
> > Clint (JOATMON) Chaplin
> > Principal Engineer
> > Corporate Standardization (US)
> > SISA
>
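An added illustration of the two requirements Yoshihiro lists above (the transport-authenticated identity must match the MIH entity identifier, and MIH delivery must stop when the protecting SA is gone). This is example code written for this page, not part of the 802.21 thread or any MIH implementation; the entity names and the toy transport model are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TransportSA:
    """Transport-level security association (think IPsec SA) together with
    the identity the remote transport endpoint authenticated as."""
    peer_transport_id: str
    active: bool = True


class TransportChannel:
    """Transport used to carry MIH messages; its SA may disappear at any time."""
    def __init__(self, sa: Optional[TransportSA] = None) -> None:
        self.sa = sa

    def delete_sa(self) -> None:
        # Models the protecting IPsec SA being torn down.
        self.sa = None


class MihEntity:
    """MIH entity whose peer identifier is bound to the transport identity."""
    def __init__(self, mihf_id: str, channel: TransportChannel) -> None:
        self.mihf_id = mihf_id
        self.channel = channel
        self.sent: List[Tuple[str, str]] = []

    def check_transport(self, peer_mihf_id: str) -> str:
        sa = self.channel.sa
        if sa is None or not sa.active:
            return "no_protected_transport"   # SA deleted: do not use transport
        if sa.peer_transport_id != peer_mihf_id:
            return "identity_mismatch"        # transport peer is not the MIH peer
        return "ok"

    def send(self, peer_mihf_id: str, message: str) -> str:
        verdict = self.check_transport(peer_mihf_id)
        if verdict == "ok":
            self.sent.append((peer_mihf_id, message))
        return verdict


def demo() -> List[str]:
    """Walk through the two failure modes; names are constructed."""
    chan = TransportChannel(TransportSA("pos-1.example"))
    mn = MihEntity("mn-1.example", chan)
    results = [mn.send("pos-1.example", "request-1")]
    # Transport authenticated pos-1, but the MIH message is meant for pos-2.
    results.append(mn.send("pos-2.example", "request-2"))
    chan.delete_sa()  # SA removed: MIH must stop using this transport
    results.append(mn.send("pos-1.example", "request-3"))
    return results
```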