Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
Alejandro Perez Mendez <alex@um.es> Thu, 19 February 2015 08:00 UTC
Hi Sam,

thanks for the review. See my comments below.

On 17/02/15 at 23:49, Sam Hartman wrote:
>
> Section 4:
>
> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
> Current text says recommended.

Whereas version -09 stated once (in section 5.2) that the use of TLS was REQUIRED, throughout the rest of the text it indicated this support several times as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just homogenized them to the prevailing one. Nevertheless, I think that making TLS a MUST might be limiting. There might be some use case scenarios for this profile where using TLS is not actually required (e.g. other security mechanisms apply). I would see that kind of requirement more at the ABFAB architecture level than at this I-D level. Moreover, in the saml-profiles-2.0-os document, the use of TLS is indicated as RECOMMENDED.

>
> Section 6.3.3:
>
> I would like to state for the record that I believe interlinking the
> SAML and EAP authentications to permit the SAML request to affect things
> like TLS resumption and authentication freshness is problematic and
> will lead to implementation failures (or simply be ignored).
>
> I would prefer we not take that approach. However the sense of the room
> was against me when this was last discussed.
> I do think an explicit consensus call by chairs if we have not already
> made such a call would be valuable. I expect that it's likely I'm in
> the rough.

I'm ok with such a call, but I'd like to know more about the problems you would expect. As I see it, if the IdP cannot/won't address the constraints called in the AuthnRequest message, it MUST (SHOULD perhaps?) generate an authentication error.

>
> Section 6.4.3:
>
>    o  Assume that the Client's identifier implied by a SAML <Subject>
>       element, if present, takes precedence over an identifier implied
>       by the RADIUS User-Name attribute.
>
>
> *what*?!  This flies in the face of 4.3.1.

This section is dealing with the Client's identifier (Subject), whereas 4.3.1 deals with the names of the AAA entities (i.e. RP and IdP, related to Issuer and Recipient at the SAML level). Hence, I don't think section 6.4.3 has a direct impact on what 4.3.1 says.

>
> This draft still does not provide a mechanism to meet the conditions
> specified in section 4.3.2.  In particular, we don't describe how to
> embed AAA names in requests, responses or metadata.

You're right. I think we should focus on representing this information in the metadata, which is controlled by the recipient, rather than on the information on the wire, which might have been forged by the sender.

Regards,
Alejandro

>
> --Sam
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
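The two points discussed above, the <Subject>-over-User-Name precedence of section 6.4.3 and the preference for binding AAA names through recipient-controlled metadata rather than trusting on-the-wire values, as a constructed RP-side check. This is an added illustration, not code from the draft or from any ABFAB implementation; the metadata table, the peer names and the assertion are all made up, and the SAML signature check that must accompany this is assumed to happen elsewhere.

```python
"""Constructed illustration (not from draft-ietf-abfab-aaa-saml or any
implementation): an RP binds the AAA peer that delivered a SAML assertion
to the SAML <Issuer> via its own metadata, then derives the client
identifier with <Subject> taking precedence over RADIUS User-Name."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical RP metadata: AAA name of the IdP's RADIUS endpoint, as
# authenticated by the transport (e.g. the TLS certificate), mapped to the
# SAML entityID the RP expects from it. The draft does not define this format.
METADATA = {
    "idp.example.org": "https://idp.example.org/saml",
}


def expected_issuer(aaa_peer_name):
    """entityID the RP's metadata assigns to this AAA peer, or None if unknown."""
    return METADATA.get(aaa_peer_name)


def check_issuer(assertion_xml, aaa_peer_name):
    """True only if the on-the-wire <Issuer> equals the entityID the RP's own
    metadata assigns to the authenticated AAA peer. A forged Issuer from an
    unrelated or unknown peer is rejected regardless of what the wire says.
    Signature validation of the assertion is assumed to happen separately."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", SAML_NS)
    want = expected_issuer(aaa_peer_name)
    if want is None or issuer is None or not issuer.text:
        return False
    return issuer.text.strip() == want


def client_identifier(assertion_xml, radius_user_name):
    """Section 6.4.3 rule: a <Subject> NameID, if present and non-empty,
    takes precedence over the RADIUS User-Name attribute."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is not None and name_id.text and name_id.text.strip():
        return name_id.text.strip()
    return radius_user_name


# Constructed sample assertion carried in the RADIUS exchange.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
</saml:Assertion>"""
```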