IETF Logo Mail Archive

[abfab] Comments on draft-smith-abfab-usability-ui-considerations-03

"Jim Schaad" <ietf@augustcellars.com> Fri, 01 March 2013 18:23 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2E5121F93BE for <abfab@ietfa.amsl.com>; Fri, 1 Mar 2013 10:23:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RqauirEEM22R for <abfab@ietfa.amsl.com>; Fri, 1 Mar 2013 10:22:58 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id A267421F93BD for <abfab@ietf.org>; Fri, 1 Mar 2013 10:22:57 -0800 (PST)
Received: from Philemon (75-148-161-130-Houston.hfc.comcastbusiness.net [75.148.161.130]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id A58632C9BE; Fri, 1 Mar 2013 10:22:31 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: smith@Cardiff.ac.uk
Date: Fri, 01 Mar 2013 12:21:51 -0600
Message-ID: <03a101ce16a9$ab322f40$01968dc0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac4WjMgOr398ifT8RQCjlSNQwR6FpQ==
Content-Language: en-us
Cc: abfab@ietf.org
Subject: [abfab] Comments on draft-smith-abfab-usability-ui-considerations-03
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2013 18:23:05 -0000

Rhys,

1.  Terminology - Bullet #1 - s/which they have an organization/which they
have an association/

2. Terminology -  Move NAI before Identity to deal with problem of expand on
first use.

3.  Terminology - Bullet # 2 - Message sentence with the "and".  I mis-read
it the first time as the GSS-API would do the mapping rather than the
identity selector.

4.   Section 4- Context - s/user to user/user to use/

5. Section 4 - Context - In the first bullet - I think you want to say that
this is a GSS-API implementation specific file and not an application
specific file.  The term application is overloaded with the application that
the user is using to talk to the service.

6.  Section 6.1 - Is the issuing organization always going to be derivable
from the NAI of the user?  Under what circumstances would this not be the
case?

7.  Section 6.2.2. - Implies either a lot of different ways or some standard
way being created to do this.  This needs to be made clearer that there is
going to be an association between the implementation of ABFAB, the UI and
the IDP service.

8.  Section 6.4  - bullet #2 - s/the identity provisioned/the identity
automatically provisioned/

9.  Section 7 - add new section - Server identification.  There are a number
of different ways that services can be identified.  The name of the service,
the name of the server, parameters that are included in the service (for
example the account that I am going to use to send mail), or some
combination of the above.

10 Section 7 - Identity selection by calling application rather than GSS-API

11 Section 7 - last paragraph - last sentence - should this be an
"automatic" option on some types of authentication failures?

12.  Section 7.3 - why should the association only be doable after
authentication?  Esp for manual authentications.

13.  Section 7.3.1 - It would be beneficial to list the types of things that
are selections.  I don't know that it is necessary to know the realm in all
cases.

14.  Section 7.3.1 - User-driven - on demand associations - Pop up a
selection dialog box when you are trying to get to a service you have never
seen before.

15.  Section 8 - should applications attempt to use multiple names if there
are multiple names associated with the service.  Need to discuss possible
privacy implications of this approach in terms of association of multiple
names together.



Import/Export of credentials
Password protect the store - not the same as password used for the IDP
Credentials that are "pluggable" - that may or may not be present on the
machine

v2.23.0 | Report a Bug | By Email