Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10

"Klaas Wierenga (kwiereng)" <kwiereng@cisco.com> Thu, 19 February 2015 09:17 UTC

From: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
To: Leif Johansson <leifj@sunet.se>
Date: Thu, 19 Feb 2015 09:16:57 +0000
Message-ID: <B1F69288-3FCF-43F0-A0B9-946F5557875D@cisco.com>
References: <tsloaosrw4v.fsf@mit.edu> <54E59831.10108@um.es> <54E5A557.3090603@sunet.se>
In-Reply-To: <54E5A557.3090603@sunet.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/Crky4kJSSuEEvdETiD6SAqwhkmE>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10


> On 19 Feb 2015, at 09:56, Leif Johansson <leifj@sunet.se> wrote:
> 
> On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
>> Hi Sam,
>> 
>> thanks for the review. See my comments below.
>> 
>> On 17/02/15 at 23:49, Sam Hartman wrote:
>>> 
>>> Section 4:
>>> 
>>> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
>>> Current text says recommended.
>> 
>> Whereas version -09 stated once (in section 5.2) that the use of TLS was
>> REQUIRED, the rest of the text indicated several times that this support
>> was RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just homogenized them
>> to the prevailing one.
>> 
>> Nevertheless, I think that making TLS a MUST might be limiting. There
>> might be some use case scenarios for this profile where using TLS is not
>> actually required (e.g. other security mechanisms apply). I would see
>> that kind of requirement more for the ABFAB architecture level than for
>> this I-D level. Moreover, in the saml-profiles-2.0-os document, the use
>> of TLS is indicated as RECOMMENDED.
> 
> Speaking as an individual I don't think there are any sane reasons not
> to use TLS if you relax the requirements on credentials administration
> (e.g. run opportunistic TLS). Having said that I think probably RECOMMENDED
> is strong enough anyway.

Speaking as another individual, you could go the route that other drafts have taken and say something like:

TLS is REQUIRED unless alternative methods are used to ensure confidentiality, like IPsec tunnels or a sufficiently secure internal network.

Klaas
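The point behind the MUST-versus-SHOULD debate above is what plain RADIUS leaves exposed when the profile carries a SAML assertion in a RADIUS attribute. The following is an added illustration, not code from the thread, the draft, or any ABFAB implementation: it encodes an Access-Accept by the RFC 2865 rules (Type/Length/Value attributes, a Vendor-Specific attribute split into 247-byte pieces, and the MD5-based Response Authenticator over the shared secret) and then checks what a passive observer on the UDP path can read. The attribute numbering (a Vendor-Specific attribute with a made-up vendor ID), the shared secret, and the assertion fragment are all placeholders constructed for the demonstration; the draft's own attribute assignments are not taken from this page.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (public values).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26

# Placeholders (assumptions for the demonstration, not the draft's numbering):
# the assertion is carried in a Vendor-Specific attribute under a made-up vendor ID.
PLACEHOLDER_VENDOR_ID = 99999
PLACEHOLDER_VENDOR_TYPE = 1

SHARED_SECRET = b"example-shared-secret"  # constructed sample secret

# Constructed sample assertion fragment (not a real, signed assertion).
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>'
    b'</saml:Assertion>'
)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value (Length <= 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa_chunks(vendor_id, vendor_type, data, max_len=247):
    """Split data across Vendor-Specific attributes: Vendor-Id(4) + sub-TLV per piece."""
    out = b""
    for i in range(0, len(data), max_len):
        chunk = data[i:i + max_len]
        inner = struct.pack("!BB", vendor_type, len(chunk) + 2) + chunk
        out += attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)
    return out


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, attrs, secret=SHARED_SECRET):
    """Assemble a complete Access-Accept datagram with its Response Authenticator."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_access_accept(packet, request_auth, secret=SHARED_SECRET):
    """Recompute the Response Authenticator; the shared secret gives integrity only."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    auth, attrs = packet[4:20], packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(auth, expected)


def demo():
    request_auth = os.urandom(16)  # the NAS's Request Authenticator, constructed here
    attrs = attribute(ATTR_USER_NAME, b"alice@example.org")
    attrs += vsa_chunks(PLACEHOLDER_VENDOR_ID, PLACEHOLDER_VENDOR_TYPE, SAMPLE_ASSERTION)
    pkt = build_access_accept(ident=7, request_auth=request_auth, attrs=attrs)

    # RADIUS only obfuscates User-Password; every other attribute is cleartext on UDP.
    exposed = b"<saml:Assertion" in pkt and b"urn:oasis:names:tc:SAML:2.0:assertion" in pkt

    # Flip one byte of the attribute data: the authenticator no longer matches.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return {
        "assertion_visible_on_wire": exposed,
        "genuine_verifies": verify_access_accept(pkt, request_auth),
        "tampered_verifies": verify_access_accept(tampered, request_auth),
    }


if __name__ == "__main__":
    print(demo())
```

The result is the asymmetry the thread is arguing about: the shared secret lets the NAS reject a forged or modified Access-Accept, but the assertion and the subject identifier are readable by anyone on the path, which is what a RADIUS/TLS transport (RFC 6614) or an IPsec tunnel is expected to close.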