Identity in ad-hoc, standalone and disconnected networks

From InternetIdentityWorkshop

Background

A topic I'd like to see discussed sometime at IIW is the applicability of identity protocols, specifically those emerging or "user-centric", in ad-hoc or disconnected networks.

There are numerous IP-based networks which are not 24x7 connected to the big-I Internet. Some of these are tied to a specific geographic area, but not all of them are under a single administrative control, and they still need digital person/machine identity services for authentication, access control etc. For example,

  • communal printer in a multi-tenant building
  • LAN party
  • disaster recovery/emergency services networks

The major desktop/laptop OSes include both legacy workgroup and IP-based capabilities for cooperating with the other nodes in address assignment, machine naming and service discovery in ad-hoc wired or wireless networks. (e.g., SMB, ZeroConf, WS-Discovery). However, these capabilities do not necessarily meet the requirements of emerging identity protocols such as OpenID or CardSpace. (e.g., no long-term continuity of IP addresses; ZeroConf's .local domain names are unstable.) Some of the questions in this topic include:

  • What's an application developer to do who wants to leverage the IdP/RP "metasystem" model and its benefits, but can't assume there's always Internet available when their application is running?
  • What can be leveraged from the experience of F2F or multiplayer console games to enable disconnected-mode use of identity services?
  • Should service models and their protocols such as OpenID be extended to support these deployment environments, or should a different protocol suite be used because the requirements are too different?

Slides

  • Identity in ad-hoc and disconnected networks
    • Alice, Bob and the Backhoe
  • What used to "work"
    • "Workgroup" identity - one account for each server, or domain controllers for each LAN
    • non-IP networks, NetBIOS, AppleTalk, VINES
  • Why we might be there again
    • Home networks
    • P2P and mesh networks
    • disaster recovery
  • Ad-hoc networks - now with IP
    • ZEROCONF - link local network config
      • IP addresses chosen cooperatively - no DHCP
      • multicast DNS - no dedicated DNS server
      • WS-Discovery - find web services (Vista's 'people near me')
    • Can cause problems with client-server identity protocols
      • no time synchronization - Kerberos unhappy
      • IP address change - servers move without warning
      • domain names change - OpenIDs change without warning
      • no trusted online authorities - can't get EV certs for CardSpace

Discussion

  • What breaks in emerging/existing protocols when on an ad-hoc network
  • Who is addressing this problem
    • Multiplayer games?
    • Mobile devices
  • Dealing with temporary disconnections
    • caching or delegating IdP functions for use when offline
    • Can identities established while offline be connected to an online identity
      • e.g. a merchant allows a customer to fill in a shopping cart (cookie), and then later once the cart is full asks the customer to log in (connect cookie to account)
  • how do cross-certification, web of trust, and PGP fit
  • WS-*/SOAP/sneakernet: out of band key establishment
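The shopping-cart case in the "Dealing with temporary disconnections" item above, as an added illustration that is not part of the original page: a merchant node cut off from its IdP mints a cart cookie bound only to a locally cached secret (never to the node's IP address or .local name, which the slides note can change without warning), and links the cart to an online account once the user can log in again. The key, function names and dictionary layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-node secret cached locally so the merchant can verify
# its own cart cookies while the IdP is unreachable. Constructed value.
LOCAL_KEY = b"constructed-merchant-local-key"


def issue_cart_cookie(key: bytes = LOCAL_KEY) -> str:
    """Offline: mint an anonymous cart id and tag it with an HMAC.

    The cookie carries no hostname, .local name or IP address, so it stays
    valid when the ad-hoc network renumbers or renames the node.
    """
    cart_id = secrets.token_hex(8)
    tag = hmac.new(key, cart_id.encode(), hashlib.sha256).hexdigest()
    return f"{cart_id}.{tag}"


def verify_cart_cookie(cookie: str, key: bytes = LOCAL_KEY):
    """Return the cart id if the tag verifies, else None (forged or tampered)."""
    try:
        cart_id, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, cart_id.encode(), hashlib.sha256).hexdigest()
    return cart_id if hmac.compare_digest(tag, expected) else None


def link_cart_to_account(carts: dict, accounts: dict, cookie: str, account: str) -> bool:
    """Online again: after login, attach the offline cart to the account.

    Refuses unverifiable cookies, unknown carts, and carts already claimed by
    a different account, so a guessed cart id cannot hijack someone's cart.
    """
    cart_id = verify_cart_cookie(cookie)
    if cart_id is None or cart_id not in carts:
        return False
    owner = carts[cart_id].get("owner")
    if owner is not None and owner != account:
        return False
    carts[cart_id]["owner"] = account
    owned = accounts.setdefault(account, [])
    if cart_id not in owned:
        owned.append(cart_id)
    return True
```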

Blogs/Pictures