Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
Leif Johansson <leifj@sunet.se> Thu, 19 February 2015 08:57 UTC
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 678A11A8930
for <abfab@ietfa.amsl.com>; Thu, 19 Feb 2015 00:57:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level:
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001,
T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id yFaBje0RqJOL for <abfab@ietfa.amsl.com>;
Thu, 19 Feb 2015 00:57:03 -0800 (PST)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se
[IPv6:2001:6b0:8:2::201])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 2F6251A892A
for <abfab@ietf.org>; Thu, 19 Feb 2015 00:57:03 -0800 (PST)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214])
by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id
t1J8v0L4022827
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
for <abfab@ietf.org>; Thu, 19 Feb 2015 09:57:00 +0100
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210])
by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t1J8uvlH018768
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <abfab@ietf.org>; Thu, 19 Feb 2015 09:57:00 +0100 (CET)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default;
t=1424336220; bh=Yj7adLN6XuKj0NPHvFRMg3g2Yebnlig5w2Cq7XqD1So=;
h=Date:From:To:Subject:References:In-Reply-To;
b=32zV8V3pRyvg33DsGMPiwSoxzWeMCgjCqi5iVK7bFlyZ9RkutcHVZ1yTpn3zSxkZV
y2wfmkdbt+EYm7zTp3tWB40f8iHyLmwK9P9xdaAFboYksCtZATz0e6USC6vhIhK4hH
KysOnpwy5cEEiBwHRUBhqlr2gty37hgGo1HfcYVU=
X-Footer: c3VuZXQuc2U=
Received: from [193.10.95.116] ([193.10.95.116])
(authenticated user leifj@sunet.se)
by kerio.sunet.se (Kerio Connect 8.3.4 patch 1)
(using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits))
for abfab@ietf.org; Thu, 19 Feb 2015 09:56:56 +0100
Message-ID: <54E5A557.3090603@sunet.se>
Date: Thu, 19 Feb 2015 09:56:55 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tsloaosrw4v.fsf@mit.edu> <54E59831.10108@um.es>
In-Reply-To: <54E59831.10108@um.es>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default,
sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686;
http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from
outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09NS8V0vK - 53061222727f - 20150219
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither
permitted nor denied by domain leifj@sunet.se)
receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210;
envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se;
identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/4lgVTeytkG5tmlMR4LHRFY3knDA>
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging,
Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>,
<mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>,
<mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 08:57:05 -0000
On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote: > Hi Sam, > > thanks for the review. See my comments below. > > El 17/02/15 a las 23:49, Sam Hartman escribió: >> >> Section 4: >> >> I thought we were going to make RADIUS over TLS a MUST not a SHOULD. >> Current text says recommended. > > Whereas version -09 stated once (in section 5.2) that the use of TLS was > REQUIRED, along the rest of text it indicated several times this support > as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just homogenized them > to the prevailing one. > > Nevertheless, I think that making TLS a MUST might be limiting. There > might be some use case scenarios for this profile where using TLS is not > actually required (e.g. other security mechanisms apply). I would see > that kind of requirement more for the ABFAB architecture level than for > this I-D level. Moreover, in the saml-profiles-2.0-os document, the use > of TLS is indicated as RECOMMENDED. Speaking as an individual I don't think there are any sane reasons not to use TLS if you relax the requirements on credentials administration (eg run oportunistic TLS). Having said that I think probably RECOMMENDED is strong enough anyway. > >> >> Section 6.3.3: >> >> I would like to state for the record that I believe interlinking the >> SAML and EAP authentications to permit the SAML request to affect things >> like TLS resumption and authentication freshness is problematic and >> will lead to implementation failures (or simply be ignored). >> >> I would prefer we not take that approach. However the sense of the room >> was against me when this was last discussed. >> I do think an explicit consensus call by chairs if we have not already >> made such a call would be valuable. I expect that it's likely I'm in >> the rough. > > I'm ok with such a call, but I'd like to know more about the problems > you would expect. > As I see it, if the IdP cannot/won't address the constraints called in > the AuthnRequest message, it MUST (SHOULD perhaps?) generate an > authentication error. I can make such a call if we have a clear enough statement to call consensus on. MVH leifj
- [abfab] Review of draft-ietf-abfab-aaa-saml-10 Sam Hartman
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Alejandro Perez Mendez
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Leif Johansson
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Klaas Wierenga (kwiereng)
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Alejandro Perez Mendez
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Jim Schaad
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Jim Schaad
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Alejandro Perez Mendez
- Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10 Alejandro Perez Mendez