Re: [abfab] Review of draft-ietf-abfab-aaa-saml-09
Sam Hartman <hartmans@painless-security.com> Wed, 13 August 2014 13:45 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 721C41A01EF for <abfab@ietfa.amsl.com>; Wed, 13 Aug 2014 06:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Level:
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ttq3haoTxjHf for <abfab@ietfa.amsl.com>; Wed, 13 Aug 2014 06:45:51 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE001A01A8 for <abfab@ietf.org>; Wed, 13 Aug 2014 06:45:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id D3F6B20178; Wed, 13 Aug 2014 09:42:32 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iRuOLI6nS0iX; Wed, 13 Aug 2014 09:42:32 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [172.56.37.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 13 Aug 2014 09:42:32 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id CE3D28111F; Wed, 13 Aug 2014 09:45:47 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: tshields <tshields@jive.com>
References: <53EAD86D.105@jive.com>
Date: Wed, 13 Aug 2014 09:45:47 -0400
In-Reply-To: <53EAD86D.105@jive.com> (tshields@jive.com's message of "Tue, 12 Aug 2014 21:15:57 -0600")
Message-ID: <tsly4usfqpg.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: http://mailarchive.ietf.org/arch/msg/abfab/84MziKqMtyKQeAfce7-p8LyLnFk
Cc: abfab@ietf.org, hartmans-ietf@mit.edu
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-09
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Aug 2014 13:45:54 -0000
>>>>> "tshields" == tshields <tshields@jive.com> writes: Hi. most of your comments were editorial wording comments and can be addressed in editing the document. We appreciate both the editorial comments and the more technical comments I'm responding to in this message. tshields> Section 5.3.2, Paragraph 2 and Paragraph 4 >> The following methods are sufficient: >> >> o NAS identity in trusted digitally signed request. >> >> o NAS identity in trusted SAML federation metadata. >> The following methods are sufficient: >> >> o RADIUS realm in trusted digitally signed request. >> >> o RADIUS realm in trusted SAML federation metadata. tshields> The wording here makes it unclear whether one of these tshields> alone is sufficient or whether both are tshields> required. Rewording to say something like "Satisfying the tshields> following two conditions is sufficient:" is more clear. Sticking the information either in metadata or in the SAML message is sufficient, both is not required. tshields> Section 7.4.3, Bullet 3 >> If a <saml:AuthnStatement> used to establish a security context >> for the Principal contains a SessionNotOnOrAfter attribute, the >> security context SHOULD be discarded once this time is reached, >> unless the service provider reestablishes the Principal's >> identity by repeating the use of this profile. tshields> Why is this a SHOULD and not a MUST? If it is a SHOULD tshields> merely to allow for the situation described above (where tshields> the service provider reestablishes the identity), then it tshields> actually should be a MUST. "The security context MUST be tshields> discarded unless the service provider reestablishes the tshields> Principal's identity" is a perfectly sound requirement. Well, we've found in the GSS community that the user experience of ending some sorts of sessions prematurely is sufficiently bad that everyone has gone out of their way not to do it. For example if you're in the middle of downloading a file, it's far better to finish that than to kill your session because it reached an authentication time out. We're hoping to make the text in this draft consistent with what people will do rather than an ideal that would break stuff. The Kerberos community went through a lot of pain convincing themselves to do this over the years, and so that's where we're taking this from. It's certainly something that we can discuss if we think our requirements are different.