draft-ietf-p2psip-share-09.txt   draft-ietf-p2psip-share-10.txt 
P2PSIP Working Group A. Knauf P2PSIP Working Group A. Knauf
Internet-Draft T. Schmidt, Ed. Internet-Draft T. Schmidt, Ed.
Intended status: Standards Track HAW Hamburg Intended status: Standards Track HAW Hamburg
Expires: April 13, 2017 G. Hege Expires: May 17, 2017 G. Hege
daviko GmbH daviko GmbH
M. Waehlisch M. Waehlisch
link-lab & FU Berlin link-lab & FU Berlin
October 10, 2016 November 13, 2016
A Usage for Shared Resources in RELOAD (ShaRe) A Usage for Shared Resources in RELOAD (ShaRe)
draft-ietf-p2psip-share-09 draft-ietf-p2psip-share-10
Abstract Abstract
This document defines a RELOAD Usage for managing shared write access This document defines a RELOAD Usage for managing shared write access
to RELOAD Resources. Shared Resources in RELOAD (ShaRe) form a basic to RELOAD Resources. Shared Resources in RELOAD (ShaRe) form a basic
primitive for enabling various coordination and notification schemes primitive for enabling various coordination and notification schemes
among distributed peers. Access in ShaRe is controlled by a among distributed peers. Access in ShaRe is controlled by a
hierarchical trust delegation scheme maintained within an access hierarchical trust delegation scheme maintained within an access
list. A new USER-CHAIN-ACL access policy allows authorized peers to list. A new USER-CHAIN-ACL access policy allows authorized peers to
write a Shared Resource without owning its corresponding certificate. write a Shared Resource without owning its corresponding certificate.
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 13, 2017. This Internet-Draft will expire on May 17, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 39 skipping to change at page 2, line 39
6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 12 6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 12
6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 13 6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 13
6.3. Validating Write Access through an ACL . . . . . . . . . 13 6.3. Validating Write Access through an ACL . . . . . . . . . 13
6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 14 6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 14
6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 14 6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 14
6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 15 6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 15
7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 15 7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16
8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 16 8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 16
8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 16 8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 16
8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 16 8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 17
8.4. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 17 8.4. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 17
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 17 9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 17
9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 17 9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 17
9.3. XML Name Space Registration . . . . . . . . . . . . . . . 18 9.3. XML Name Space Registration . . . . . . . . . . . . . . . 18
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
10.1. Normative References . . . . . . . . . . . . . . . . . . 18 10.1. Normative References . . . . . . . . . . . . . . . . . . 18
10.2. Informative References . . . . . . . . . . . . . . . . . 18 10.2. Informative References . . . . . . . . . . . . . . . . . 18
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 19 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
[RFC6940] defines the base protocol for REsource LOcation And [RFC6940] defines the base protocol for REsource LOcation And
Discovery (RELOAD) that allows for application-specific extensions by Discovery (RELOAD), which allows for application-specific extensions
Usages. The present document defines such a RELOAD Usage for by Usages. The present document defines such a RELOAD Usage for
managing shared write access to RELOAD Resources and a mechanism to managing shared write access to RELOAD Resources and a mechanism to
store Resources with a variable name. The Usage for Shared Resources store Resources with variable names. The Usage for Shared Resources
in RELOAD (ShaRe) enables overlay users to share their exclusive in RELOAD (ShaRe) enables overlay users to share their exclusive
write access to specific Resource/Kind pairs with others. Shared write access to specific Resource/Kind pairs with others. Shared
Resources form a basic primitive for enabling various coordination Resources form a basic primitive for enabling various coordination
and notification schemes among distributed peers. Write permission and notification schemes among distributed peers. Write permission
is controlled by an Access Control List (ACL) Kind that maintains a is controlled by an Access Control List (ACL) Kind that maintains a
chain of Authorized Peers for a particular Shared Resource. A newly chain of Authorized Peers for a particular Shared Resource. A newly
defined USER-CHAIN-ACL access control policy enables shared write defined USER-CHAIN-ACL access control policy enables shared write
access in RELOAD. access in RELOAD.
The Usage for Shared Resources in RELOAD is designed for jointly The Usage for Shared Resources in RELOAD is designed for jointly
coordinated group applications among distributed peers (e.g., third coordinated group applications among distributed peers (e.g., third
party registration, see [I-D.ietf-p2psip-sip], or distributed party registration, see [RFC7904], or distributed conferencing). Of
conferencing). Of particular interest are rendezvous processes, particular interest are rendezvous processes, where a single
where a single identifier is linked to multiple, dynamic instances of identifier is linked to multiple, dynamic instances of a distributed
a distributed cooperative service. Shared write access is based on a cooperative service. Shared write access is based on a trust
trust delegation mechanism. It transfers the authorization to write delegation mechanism that transfers the authorization to write a
a specific Kind data by storing logical Access Control Lists. An ACL specific Kind data by storing logical Access Control Lists. An ACL
contains the ID of the Kind to be shared and contains trust contains the ID of the Kind to be shared and contains trust
delegations from one authorized to another (previously unauthorized) delegations from one authorized to another (previously unauthorized)
user. user.
Shared write access augments the RELOAD security model, which is Shared write access augments the RELOAD security model, which is
based on the restriction that peers are only allowed to write based on the restriction that peers are only allowed to write
resources at a small set of well defined locations (Resource-IDs) in resources at a small set of well defined locations (Resource-IDs) in
the overlay. Using the standard access control rules in RELOAD, the overlay. Using the standard access control rules in RELOAD,
these locations are bound to the username or Node-ID in the peer's these locations are bound to the username or Node-ID in the peer's
certificate. This document extends the base policies to enable a certificate. This document extends the base policies to enable a
skipping to change at page 4, line 48 skipping to change at page 4, line 48
users. The mechanism to share those Resource/Kind pairs with a group users. The mechanism to share those Resource/Kind pairs with a group
of users consists of two basic steps. of users consists of two basic steps.
1. Storage of the Resource/Kind pairs to be shared. 1. Storage of the Resource/Kind pairs to be shared.
2. Storage of an Access Control List (ACL) associated with those 2. Storage of an Access Control List (ACL) associated with those
Kinds. Kinds.
ACLs are created by the Resource Owner and contain ACL items, each ACLs are created by the Resource Owner and contain ACL items, each
delegating the permission of writing the shared Kind to a specific delegating the permission of writing the shared Kind to a specific
user called Authorized Peer. For each shared Kind data, its Resource user called the Authorized Peer. For each shared Kind data, its
owner stores a root item that initiates an Access Control List. Resource owner stores a root item that initiates an Access Control
Trust delegation to the Authorized Peer can include the right to List. Trust delegation to the Authorized Peer can include the right
further delegate the write permission, enabling a tree of trust to further delegate the write permission, enabling a tree of trust
delegations with the Resource Owner as trust anchor at its root. delegations with the Resource Owner as trust anchor at its root.
The Resource/Kind pair to be shared can be any RELOAD Kind that The Resource/Kind pair to be shared can be any RELOAD Kind that
complies to the following specifications: complies to the following specifications:
Isolated Data Storage: To prevent concurrent writing from race Isolated Data Storage: To prevent concurrent writing from race
conditions, each data item stored within a Shared Resource SHALL conditions, each data item stored within a Shared Resource SHALL
be exclusively maintained by the RELOAD user who created it. be exclusively maintained by the RELOAD user who created it.
Hence, Usages that allow the storage of Shared Resources are Hence, Usages that allow the storage of Shared Resources are
REQUIRED to use either the array or dictionary data model and REQUIRED to use either the array or dictionary data model and
skipping to change at page 5, line 46 skipping to change at page 5, line 46
This section defines mechanisms to avoid race conditions while This section defines mechanisms to avoid race conditions while
concurrently writing an array or dictionary of a Shared Resource. concurrently writing an array or dictionary of a Shared Resource.
If a dictionary is used in the Shared Resource, the dictionary key If a dictionary is used in the Shared Resource, the dictionary key
MUST be the Node-ID of the certificate that will be used to sign the MUST be the Node-ID of the certificate that will be used to sign the
stored data. Thus data access is bound to the unique ID holder, and stored data. Thus data access is bound to the unique ID holder, and
write concurrency does not occur. write concurrency does not occur.
If the data model of the Shared Resource is an array, each Authorized If the data model of the Shared Resource is an array, each Authorized
Peer SHALL obtain its exclusive range of the array indices. The Peer that chooses to write data SHALL obtain its exclusive range of
following algorithm will generate an array indexing scheme that the array indices. The following algorithm will generate an array
avoids collisions. indexing scheme that avoids collisions.
1. Obtain the Node-ID of the certificate that will be used to sign 1. Obtain the Node-ID of the certificate that will be used to sign
the stored data the stored data
2. Take the least significant 24 bits of that Node-ID to prefix the 2. Take the least significant 24 bits of that Node-ID to prefix the
array index array index
3. Append an 8 bit individual index value to those 24 bit of the 3. Append an 8 bit individual index value to those 24 bit of the
Node-ID Node-ID
skipping to change at page 8, line 29 skipping to change at page 8, line 29
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
| 456def01 | to_user:Bob Kind:1234 ad:0 | Alice | | 456def01 | to_user:Bob Kind:1234 ad:0 | Alice |
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
| ... | ... | ... | | ... | ... | ... |
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
Figure 1: Simplified example of an Access Control List including Figure 1: Simplified example of an Access Control List including
entries for two different Kind-IDs and varying delegation (ad) entries for two different Kind-IDs and varying delegation (ad)
configurations configurations
Implementations of ShaRe should be aware that the trust delegation in Implementors of ShaRe should be aware that the trust delegation in an
an Access Control List need not be loop free. Self-contained Access Control List need not be loop free. Self-contained circular
circular trust delegation from A to B and B to A are syntactically trust delegation from A to B and B to A are syntactically possible,
possible, even though not very meaningful. even though not very meaningful.
4.2. Data Structure 4.2. Data Structure
The Kind data structure for the Access Control List is defined as The Kind data structure for the Access Control List is defined as
follows: follows:
struct { struct {
/* res_name_ext is optional, see documentation */ /* res_name_ext is optional, see documentation */
ResourceNameExtension res_name_ext; ResourceNameExtension res_name_ext;
opaque to_user<0..2^16-1>; opaque to_user<0..2^16-1>;
KindId kind; KindId kind;
Boolean allow_delegation; Boolean allow_delegation;
} AccessControlListItem; } AccessControlListItem;
The AccessControlListItem structure is composed of: The AccessControlListItem structure is composed of:
res_name_ext: This optional field contains the Resource Name of a res_name_ext: This optional field contains the Resource Name of a
ResourceNameExtension (see Section 5.2) to be used by a Shared ResourceNameExtension (see Section 5.2) to be used by a Shared
Resource with variable resource name. This name serves the Resource with variable resource name. This name is used by the
storing peer for validating, whether a variable resources name storing peer for validating, whether a variable resources name
matches one of the predefined naming pattern from the matches one of the predefined naming pattern from the
configuration document for this Kind. The presence of this field configuration document for this Kind. The presence of this field
is bound to a variable resource name element in the corresponding is bound to a variable resource name element in the corresponding
kind-block of the configuration document whose "enable" attribute kind-block of the configuration document whose "enable" attribute
is set to true (see Section 5.3). Otherwise, if the "enable" is set to true (see Section 5.3). Otherwise, if the "enable"
attribute is false, the res_name_ext field SHALL NOT be present in attribute is false, the res_name_ext field SHALL NOT be present in
the Kind data structure. the Kind data structure.
to_user: This field contains the user name of the RELOAD peer that to_user: This field contains the user name of the RELOAD peer that
skipping to change at page 9, line 48 skipping to change at page 9, line 48
certificate. This is done by using a Resource Name with a variable certificate. This is done by using a Resource Name with a variable
substring that still matches the user name in the certificate using a substring that still matches the user name in the certificate using a
pattern defined in the overlay configuration document. Thus despite pattern defined in the overlay configuration document. Thus despite
being variable, an allowable Resource Name remains tied to the being variable, an allowable Resource Name remains tied to the
Owner's certificate. A sample pattern might be formed as follows. Owner's certificate. A sample pattern might be formed as follows.
Example Pattern: Example Pattern:
.*-conf-$USER@$DOMAIN .*-conf-$USER@$DOMAIN
When defining the pattern, care must be taken to avoid conflicts When defining the pattern, care must be taken to avoid conflicts
arising from two user names of witch one is a substring of the other. arising from two user names of which one is a substring of the other.
In such cases, the holder of the shorter name could threaten to block In such cases, the holder of the shorter name could threaten to block
the resources of the longer-named peer by choosing the variable part the resources of the longer-named peer by choosing the variable part
of a Resource Name to contain the entire longer user name. For of a Resource Name to contain the entire longer user name. For
example, a "*$USER" pattern would allow user EVE to define a resource example, a "*$USER" pattern would allow user EVE to define a resource
with name "STEVE" and to block the resource name for user STEVE with name "STEVE" and to block the resource name for user STEVE
through this. This problem can easily be mitigated by delimiting the through this. This problem can easily be mitigated by delimiting the
variable part of the pattern from the user name part by some fixed variable part of the pattern from the user name part by some fixed
string, that by convention is not part of a user name (e.g., the string, that by convention is not part of a user name (e.g., the
"-conf-" in the above Example). "-conf-" in the above Example).
skipping to change at page 11, line 11 skipping to change at page 11, line 11
The ResourceNameType enum and the ResourceNameExtension structure can The ResourceNameType enum and the ResourceNameExtension structure can
be extended by further Usages to define other naming schemes. be extended by further Usages to define other naming schemes.
5.3. Overlay Configuration Document Extension 5.3. Overlay Configuration Document Extension
This section extends the overlay configuration document by defining This section extends the overlay configuration document by defining
new elements for patterns relating resource names to user names. It new elements for patterns relating resource names to user names. It
is noteworthy that additional constraints on the syntax and semantic is noteworthy that additional constraints on the syntax and semantic
of names can apply according to specific Usages. For example, of names can apply according to specific Usages. For example,
Address of Record (AOR) syntax restrictions apply when using Address of Record (AOR) syntax restrictions apply when using P2PSIP
P2PSIP[I-D.ietf-p2psip-sip], while a more general naming is feasible [RFC7904], while a more general naming is feasible in plain RELOAD.
in plain RELOAD.
The <variable-resource-names> element serves as a container for one The <variable-resource-names> element serves as a container for one
or multiple <pattern> sub-elements. It is an additional parameter or multiple <pattern> sub-elements. It is an additional parameter
within the kind-block and has a boolean "enable" attribute that within the kind-block and has a boolean "enable" attribute that
indicates, if true, that the overlay provider allows variable indicates, if true, that the overlay provider allows variable
resource names for this Kind. The default value of the "enable" resource names for this Kind. The default value of the "enable"
attribute is "false". In the absence of a <variable-resource-names> attribute is "false". In the absence of a <variable-resource-names>
element for a Kind using the USER-CHAIN-ACL access policy (see element for a Kind using the USER-CHAIN-ACL access policy (see
Section 6.6), implementors MUST assume this default value. Section 6.6), implementors MUST assume this default value.
skipping to change at page 13, line 20 skipping to change at page 13, line 20
A store request by an Authorized Peer that attempts to overwrite any A store request by an Authorized Peer that attempts to overwrite any
ACL item signed by another Peer is unauthorized and causes an ACL item signed by another Peer is unauthorized and causes an
Error_Forbidden response from the Storing Peer. Such access Error_Forbidden response from the Storing Peer. Such access
conflicts could be caused by an array index collision. However, the conflicts could be caused by an array index collision. However, the
probability of a collision of two or more identical array indices probability of a collision of two or more identical array indices
will be negligibly low using the mechanism for isolating stored data will be negligibly low using the mechanism for isolating stored data
(see Section 3.1) (see Section 3.1)
6.2. Revoking Write Access 6.2. Revoking Write Access
Write permissions are revoked by storing a non-existent value Write permissions are revoked by storing a non-existent value (see
(see[RFC6940] Section 7.2.1) at the corresponding item of the Access [RFC6940] Section 7.2.1) at the corresponding item of the Access
Control List. Revoking a permission automatically invalidates all Control List. Revoking a permission automatically invalidates all
delegations performed by that user including all subsequent delegations performed by that user including all subsequent
delegations. This allows the invalidation of entire subtrees of the delegations. This allows the invalidation of entire subtrees of the
delegations tree with only a single operation. Overwriting the root delegations tree with only a single operation. Overwriting the root
item with a non-existent value of an Access List invalidates the item with a non-existent value of an Access List invalidates the
entire delegations tree. entire delegations tree.
An existing ACL item MUST only be overwritten by the user who An existing ACL item MUST only be overwritten by the user who
initially stored the corresponding entry, or by the Resource Owner initially stored the corresponding entry, or by the Resource Owner
that is allowed to overwrite all ACL items for revoking write access. that is allowed to overwrite all ACL items for revoking write access.
skipping to change at page 13, line 47 skipping to change at page 13, line 47
Access Control Lists are used to transparently validate authorization Access Control Lists are used to transparently validate authorization
of peers for writing a data value at a Shared Resource. Thereby it of peers for writing a data value at a Shared Resource. Thereby it
is assumed that the validating peer is in possession of the complete is assumed that the validating peer is in possession of the complete
and most recent ACL for a specific Resource/Kind pair. The and most recent ACL for a specific Resource/Kind pair. The
corresponding procedure consists of recursively traversing the trust corresponding procedure consists of recursively traversing the trust
delegation tree with strings compared as binary objects. It proceeds delegation tree with strings compared as binary objects. It proceeds
as follows. as follows.
1. Obtain the user name of the certificate used for signing the data 1. Obtain the user name of the certificate used for signing the data
stored at the Shared Resource. stored at the Shared Resource. This is the user who requested
the write operation.
2. Validate that an item of the corresponding ACL (i.e., for this 2. Validate that an item of the corresponding ACL (i.e., for this
Resource/Kind pair) contains a "to_user" field whose value equals Resource/Kind pair) contains a "to_user" field whose value equals
the user name obtained in step 1. If the Shared Resource under the user name obtained in step 1. If the Shared Resource under
examination is an Access Control List Kind, further validate if examination is an Access Control List Kind, further validate if
the "ad" flag is set to 1. the "ad" flag is set to 1.
3. Select the user name of the certificate that was used to sign the 3. Select the user name of the certificate that was used to sign the
ACL item obtained in step 2. ACL item obtained in the previous step.
4. Validate that an item of the corresponding ACL contains a 4. Validate that an item of the corresponding ACL contains a
"to_user" field whose value equals the user name obtained in step "to_user" field whose value equals the user name obtained in step
3. Additionally validate that the "ad" flag is set to 1. 3. Additionally validate that the "ad" flag is set to 1.
5. Repeat steps 3 and 4 until the "to_user" value is equal to the 5. Repeat steps 3 and 4 until the "to_user" value is equal to the
user name of the signer of the previously selected ACL item. user name of the signer of the ACL in the selected item. This
This final ACL item is expected to be the root item of this ACL final ACL item is expected to be the root item of this ACL which
which MUST be further validated by verifying that the root item MUST be further validated by verifying that the root item was
was signed by the owner of the ACL Resource. signed by the owner of the ACL Resource.
The trust delegation chain is valid if and only if all verification The trust delegation chain is valid if and only if all verification
steps succeed. In this case, the creator of the data value of the steps succeed. In this case, the creator of the data value of the
Shared Resource is an Authorized Peer. Shared Resource is an Authorized Peer.
Note that the ACL validation procedure can be omitted whenever the Note that the ACL validation procedure can be omitted whenever the
creator of data at a Shared Resource is the Resource Owner itself. creator of data at a Shared Resource is the Resource Owner itself.
The latter can be verified by its public key certificate as defined The latter can be verified by its public key certificate as defined
in Section 6.6. in Section 6.6.
6.4. Operations of Storing Peers 6.4. Operations of Storing Peers
Storing peers at which Shared Resource and ACL are physically stored, Storing peers, at which Shared Resource and ACL are physically
are responsible for controlling storage attempts to a Shared Resource stored, are responsible for controlling storage attempts to a Shared
and its corresponding Access Control List. To assert the USER-CHAIN- Resource and its corresponding Access Control List. To assert the
ACL access policy (see Section 6.6), a storing peer MUST perform the USER-CHAIN-ACL access policy (see Section 6.6), a storing peer MUST
access validation procedure described in Section 6.3 on any incoming perform the access validation procedure described in Section 6.3 on
store request using the most recent Access Control List for every any incoming store request using the most recent Access Control List
Kind that uses the USER-CHAIN-ACL policy. It SHALL further ensure for every Kind that uses the USER-CHAIN-ACL policy. It SHALL further
that only the Resource Owner stores new ACL root items for Shared ensure that only the Resource Owner stores new ACL root items for
Resources. Shared Resources.
6.5. Operations of Accessing Peers 6.5. Operations of Accessing Peers
Accessing peers, i.e., peers that fetch a Shared Resource, MAY Accessing peers, i.e., peers that fetch a Shared Resource, can
validate that the originator of a Shared Resource was authorized to validate that the originator of a Shared Resource was authorized to
store data at this Resource-ID by processing the corresponding ACL. store data at this Resource-ID by processing the corresponding ACL.
To enable an accessing peer to perform the access validation To enable an accessing peer to perform the access validation
procedure described in Section 6.3, it first needs to obtain the most procedure described in Section 6.3, it first needs to obtain the most
recent Access Control List in the following way. recent Access Control List in the following way.
1. Send a Stat request to the Resource-ID of the Shared Resource to 1. Send a Stat request to the Resource-ID of the Shared Resource to
obtain all array indexes of stored ACL Kinds (as per [RFC6940], obtain all array indexes of stored ACL Kinds (as per [RFC6940],
Section 7.4.3.) Section 7.4.3.)
skipping to change at page 15, line 29 skipping to change at page 15, line 29
This document specifies an additional access control policy to the This document specifies an additional access control policy to the
RELOAD base document [RFC6940]. The USER-CHAIN-ACL policy allows RELOAD base document [RFC6940]. The USER-CHAIN-ACL policy allows
Authorized Peers to write a Shared Resource, even though they do not Authorized Peers to write a Shared Resource, even though they do not
own the corresponding certificate. Additionally, the USER-CHAIN-ACL own the corresponding certificate. Additionally, the USER-CHAIN-ACL
allows the storage of Kinds with a variable resource name that are allows the storage of Kinds with a variable resource name that are
following one of the specified naming pattern. Hence, on an inbound following one of the specified naming pattern. Hence, on an inbound
store request on a Kind that uses the USER-CHAIN-ACL access policy, store request on a Kind that uses the USER-CHAIN-ACL access policy,
the following rules MUST be applied: the following rules MUST be applied:
In the USER-CHAIN-ACL policy, a given value MUST be written or In the USER-CHAIN-ACL policy, a given value MUST NOT be written or
overwritten, if either one of USER-MATCH or USER-NODE-MATCH overwritten, if neither one of USER-MATCH or USER-NODE-MATCH
(mandatory if the data model is dictionary) access policies of the (mandatory if the data model is dictionary) access policies of the
base document [RFC6940] applies. base document [RFC6940] applies.
Otherwise, the value MUST be written if the certificate of the signer Additionally, the store request MUST be denied if the certificate of
contains a user name that matches to the user and domain portion in the signer does not contain a user name that matches to the user and
one of the variable resource name patterns (c.f. Section 5) domain portion in one of the variable resource name patterns (c.f.
specified in the configuration document and, additionally, the hashed Section 5) specified in the configuration document or if the hashed
Resource Name matches the Resource-ID. The Resource Name of the Kind Resource Name does not match the Resource-ID. The Resource Name of
to be stored MUST be taken from the mandatory ResourceNameExtension the Kind to be stored MUST be taken from the mandatory
field in the corresponding Kind data structure. ResourceNameExtension field in the corresponding Kind data structure.
Otherwise, the value MUST be written if the ACL validation procedure The store request MUST also be denied, if the access rights cannot be
described in Section 6.3 has been successfully applied. verified according to the ACL validation procedure described in
Section 6.3.
Otherwise, the store request MUST be denied. Otherwise, the store request can be processed further.
7. ACCESS-CONTROL-LIST Kind Definition 7. ACCESS-CONTROL-LIST Kind Definition
This section defines the ACCESS-CONTROL-LIST Kind previously This section defines the ACCESS-CONTROL-LIST Kind previously
described in this document. described in this document.
Name: ACCESS-CONTROL-LIST Name: ACCESS-CONTROL-LIST
Kind IDs: The Resource Name for ACCESS-CONTROL-LIST Kind-ID is the Kind IDs: The Resource Name for ACCESS-CONTROL-LIST Kind-ID is the
Resource Name of the Kind that will be shared by using the ACCESS- Resource Name of the Kind that will be shared by using the ACCESS-
CONTROL-LIST Kind. CONTROL-LIST Kind.
Data Model: The data model for the ACCESS-CONTROL-LIST Kind-ID is Data Model: The data model for the ACCESS-CONTROL-LIST Kind-ID is
array. The array indexes are formed by using the mechanism for array. The array indexes are formed by using the mechanism for
isolated stored data as described in Section 3.1 isolated stored data as described in Section 3.1
Access Control: USER-CHAIN-ACL (see Section 6.6) Access Control: USER-CHAIN-ACL (see Section 6.6)
skipping to change at page 18, line 47 skipping to change at page 18, line 47
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<http://www.rfc-editor.org/info/rfc3688>. <http://www.rfc-editor.org/info/rfc3688>.
[RFC6940] Jennings, C., Lowekamp, B., Ed., Rescorla, E., Baset, S., [RFC6940] Jennings, C., Lowekamp, B., Ed., Rescorla, E., Baset, S.,
and H. Schulzrinne, "REsource LOcation And Discovery and H. Schulzrinne, "REsource LOcation And Discovery
(RELOAD) Base Protocol", RFC 6940, DOI 10.17487/RFC6940, (RELOAD) Base Protocol", RFC 6940, DOI 10.17487/RFC6940,
January 2014, <http://www.rfc-editor.org/info/rfc6940>. January 2014, <http://www.rfc-editor.org/info/rfc6940>.
10.2. Informative References 10.2. Informative References
[I-D.ietf-p2psip-sip]
Jennings, C., Lowekamp, B., Rescorla, E., Baset, S.,
Schulzrinne, H., and T. Schmidt, "A SIP Usage for RELOAD",
draft-ietf-p2psip-sip-21 (work in progress), April 2016.
[RFC7890] Bryan, D., Matthews, P., Shim, E., Willis, D., and S. [RFC7890] Bryan, D., Matthews, P., Shim, E., Willis, D., and S.
Dawkins, "Concepts and Terminology for Peer-to-Peer SIP Dawkins, "Concepts and Terminology for Peer-to-Peer SIP
(P2PSIP)", RFC 7890, DOI 10.17487/RFC7890, June 2016, (P2PSIP)", RFC 7890, DOI 10.17487/RFC7890, June 2016,
<http://www.rfc-editor.org/info/rfc7890>. <http://www.rfc-editor.org/info/rfc7890>.
[RFC7904] Jennings, C., Lowekamp, B., Rescorla, E., Baset, S.,
Schulzrinne, H., and T. Schmidt, Ed., "A SIP Usage for
REsource LOcation And Discovery (RELOAD)", RFC 7904,
DOI 10.17487/RFC7904, October 2016,
<http://www.rfc-editor.org/info/rfc7904>.
Acknowledgments Acknowledgments
This work was stimulated by fruitful discussions in the P2PSIP This work was stimulated by fruitful discussions in the P2PSIP
working group and the SAM research group. We would like to thank all working group and the SAM research group. We would like to thank all
active members for constructive thoughts and feedback. In active members for constructive thoughts and feedback. In
particular, the authors would like to thank (in alphabetical order) particular, the authors would like to thank (in alphabetical order)
Emmanuel Baccelli, Alissa Cooper, Lothar Grimm, Russ Housley, Cullen Emmanuel Baccelli, Ben Campbell, Alissa Cooper, Lothar Grimm, Russ
Jennings, Peter Musgrave, Joerg Ott, Marc Petit-Huguenin, Peter Housley, Cullen Jennings, Matt Miller, Peter Musgrave, Joerg Ott,
Pogrzeba, and Jan Seedorf. This work was partly funded by the German Marc Petit-Huguenin, Peter Pogrzeba, and Jan Seedorf. This work was
Federal Ministry of Education and Research, projects HAMcast, partly funded by the German Federal Ministry of Education and
Mindstone, and SAFEST. Research, projects HAMcast, Mindstone, and SAFEST.
Authors' Addresses Authors' Addresses
Alexander Knauf Alexander Knauf
HAW Hamburg HAW Hamburg
Berliner Tor 7 Berliner Tor 7
Hamburg D-20099 Hamburg D-20099
Germany Germany
Phone: +4940428758067 Phone: +4940428758067
 End of changes. 28 change blocks. 
70 lines changed or deleted 73 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/