[Css-csts] Issues regarding level of authentication and credentials
algorithms for transfer services
John Pietras
john.pietras at gst.com
Thu May 27 13:20:39 EDT 2010
SMWG and CSTSWG colleagues ---
In performing an analysis of all of the managed parameters needed for
the MD-CSTS and TD-CSTS, I came across the following paragraphs in the
latest draft of the CSTS Specification Framework:
3.2.4.2 Complex Management and Utilization Management shall agree on
the level of authentication to be required for an association between a
Service User and a Service Provider and shall configure both entities
accordingly.
3.2.4.3 Complex Management and Utilization Management shall agree on
the algorithm used to generate and check credentials parameters and
shall make this algorithm known to the Service User and Service Provider
together with associated parameters such as passwords or keys as
necessary for the selected algorithm.
Similar (service-specific) statements appear in each of the SLE
transfer service specifications. These requirements have impacts on the
CSTS Framework, the SLE transfer service specification, and SCCS-SM.
Regarding the CSTS Framework, these requirements are not reflected in
the tables in annex H, "Interactions with Management", and they
probably should be. I don't think this is important enough to delay Red-1,
but it should be RIDded.
Regarding the SLE transfer service specification, every specification
has a table 3-1 that includes (among other things) the parameters that
are to be configured via Service Management. Authentication level and
identification of the credentials algorithm to be used should be added
to table 3-1. (Unfortunately, the SLE books have just been reissued, so
it may be a while before these updates are made.)
Regarding the Service Management specification, there is no mention of
the authentication level in Blue-1. It should be added in Blue-2. The
question is whether it should be specified on a per-service-instance
basis, or on a Service Agreement basis (that is, the same authentication
level applies to all transfer service instances within the context of a
Service Agreement).
Regarding credentials generation, section 1.3.5 (LIMITATIONS,
CONSTRAINTS, EXCLUSIONS AND QUALIFICATIONS) of the SCCS-SM Blue-1
specification states "This Recommended Standard does not address the
mechanism for exchanging authentication and access control information
associated with the creation of transfer service credentials". This
"covers" us as far as the SCCS-SM specification is concerned, but begs
the question of how such information *is* exchanged. Do we need a
standard method for such exchanges, or is leaving it bilaterally
determined okay for now?
Best regards,
John