Re: [abfab] Direction Forward for aaa-saml

"Cantor, Scott" <cantor.2@osu.edu> Wed, 22 July 2015 14:57 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Date: Wed, 22 Jul 2015 14:57:37 +0000
Message-ID: <712A6A74-F5D5-4297-8E75-CA0ADDE6FE20@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu>
In-Reply-To: <tslio9cw8yd.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/2TKXSraKFDC-9Kh2FE7YBHtomeQ>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>

On 7/22/15, 10:41 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:


>
>    Cantor,> That's orthogonal to any use of SAML metadata. How you get
>    Cantor,> it (and verify it) is architecturally distinct from what it
>    Cantor,> means and how it's used.
>
>Not really.
>If I'm starting with an NAI realm and would like to find the entity
>description of an entity that is at that NAI realm, I can only do that
>if my metadata access mechanism lets me search by that.

Even if you had all the metadata in the world, you'd still have to index it and search by something other than entityID.

I don't really know what an NAI realm is, but if it's anything like a domain, there's a pretty long-standing issue that there's never been a way to map domains to SAML metadata since putting things in DNS was always off the table (thanks to the joy of working with DNS admins). It's been a general assumption of mine that at some point that would need to change to address discovery in a world where you can't just load giant lists of IdPs. So perhaps there's a general here that can finally be tackled.

-- Scott
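The indexing problem Scott raises (having the metadata is not enough; you still need a lookup key other than entityID) is easy to make concrete. The following is an added example, not code from this thread or from any SAML implementation: it parses a constructed metadata aggregate and builds a second index keyed on the `shibmd:Scope` values an IdP advertises, on the assumption that a scope stands in for the NAI realm being discussed. The sample XML, the function names and the realm-to-scope mapping are all assumptions for illustration.

```python
# Added example (not from the mailing-list thread): index a SAML metadata
# aggregate so it can be searched by something other than entityID.
# ASSUMPTION: the NAI realm is matched against the shibmd:Scope values an IdP
# advertises in its metadata. The aggregate below is constructed sample data.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed aggregate: two IdPs (one with two scopes) and one SP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="false">alumni.example.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example.org/saml2/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def realm_of(nai: str) -> str:
    """Realm part of an NAI (RFC 7542): the text after the last '@', or '' if none."""
    return nai.rsplit("@", 1)[1] if "@" in nai else ""


def build_index(metadata_xml: str):
    """Parse an aggregate and return (by_entity_id, by_scope).

    by_entity_id: entityID -> EntityDescriptor element (the usual lookup).
    by_scope:     lower-cased scope -> [entityID, ...] (the lookup the thread
                  says is missing). Only IdP roles carry scopes, so SPs never
                  appear in by_scope.
    In real deployments the aggregate's signature is verified before any of
    this, and a hardened XML parser is used for untrusted input.
    """
    root = ET.fromstring(metadata_xml)
    by_entity_id = {}
    by_scope = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        by_entity_id[entity_id] = ed
        for scope in ed.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
            # regexp="true" scopes need a pattern matcher, not a dict key; skipped here.
            if scope.get("regexp", "false").lower() == "true":
                continue
            key = (scope.text or "").strip().lower()
            if key:
                by_scope.setdefault(key, []).append(entity_id)
    return by_entity_id, by_scope


def find_idps_for_realm(by_scope, realm: str):
    """Exact-match lookup: IdP entityIDs whose advertised scope equals the realm."""
    return by_scope.get(realm.strip().lower(), [])


if __name__ == "__main__":
    by_id, by_scope = build_index(SAMPLE_METADATA)
    user = "alice@alumni.example.edu"  # constructed NAI
    realm = realm_of(user)
    print(f"realm {realm!r} -> IdPs {find_idps_for_realm(by_scope, realm)}")
    print(f"{len(by_id)} entities indexed by entityID, {len(by_scope)} scopes indexed")
```

The point of the second dictionary is exactly the one made above: metadata keyed on entityID alone cannot answer "which IdP serves this realm?", so a deployment has to derive and maintain an extra index (or get the mapping from somewhere else, such as the DNS route the message says has historically been off the table).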