news@linus.UUCP (USENET NEWS) (02/27/90)
At the last ISO/IEC JTC 1/SC 21 meetings in November, a New Work Item (NWI) was proposed on an "Authentication Exchange ASE". The US (ANSI) must vote on the ballot for this NWI. At its January meeting, ANSI X3T5.5 prepared a DRAFT response which is reproduced below. X3T5.5 meets again next week and will make its ballot recommendation then. If you have comments on this matter, please e-mail responses to me.

From: gomberg@gateway.mitre.org (Dave Gomberg)
Path: gateway.mitre.org!gomberg

To make the draft response a little more comprehensible, the following is a PARTIAL quote from the NWI:

    The Authentication ASE will provide ... support [for] n-way peer
    authentication ... [and] may also carry other security related
    information such as keying material ... The authentication exchange
    may also be associated with any nominated security exchange
    mechanisms. The specification of particular mechanisms is not within
    the scope of this work. General methods for specifying the aspects
    of such mechanisms relevant to this ASE (e.g., data types of
    transferred parameters) are within the scope...

Since Kerberos is one of the suggested candidates, comments from the Project Athena folks or Kerberos users are welcomed with respect to whether they believe its inclusion is appropriate (either now or at some other time).

Thanks,
Dave Gomberg
___________________________________________________________________________

The Security Ad Hoc group [of X3T5.5] proposes that the US vote "No" on this NWI, with the provision that it will change its vote to "Yes" subject to the condition that specific protocols be included in the scope of work for one or more authentication schemes, each of which would become one part of a multi-part standard. Candidate schemes include:

1. The authentication exchange mechanism specified in ISO 9594-8 for Directory Authentication.
2. The Kerberos authentication mechanism distributed by MIT Project Athena.
3. A key distribution mechanism based on, and supporting, procedures in ANSI X9.17, coupled with an appropriate authentication exchange.

It is felt that an ASE for authentication is conceptually necessary, but the NWI as written provides only incremental "added value" toward that goal. Some of the functionality mentioned in the scope of work as justification for this NWI, in fact, already exists in the OSI Upper Layers. In particular, there are already ways for an "Authentication ASE" to exchange authentication information at times other than association establishment via direct use of the Presentation Service. What is missing are standards specifying abstract syntax definitions for actual strong authentication mechanisms. Without examples of such definitions, it is difficult to pin down whether or not any commonality can be factored out into a generalized "Authentication ASE".

It is proposed that the scope of work be broadened to include specific mechanisms. At least one such mechanism can be readily extracted from the Directory work so as to be made generally available for use by other OSI applications. In addition, other candidate mechanisms have been noted above.

Comment is solicited on the above US ballot response, and on the following questions:

1. Should the scope of work be broadened to "Security ASE" to include other security mechanisms for other services such as access control?
2. What authentication mechanisms are suitable for inclusion?
3. Should SC 27 [new SC on Security Techniques] play any role in producing such standards?