Re: [abfab] Fwd: New Version Notification for draft-perez-abfab-wg-arch-erp-00.txt
Alejandro Perez Mendez <alex@um.es> Mon, 27 October 2014 23:38 UTC
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49E751A875E for <abfab@ietfa.amsl.com>; Mon, 27 Oct 2014 16:38:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cWwWdcci2R8 for <abfab@ietfa.amsl.com>; Mon, 27 Oct 2014 16:37:53 -0700 (PDT)
Received: from xenon23.um.es (xenon23.um.es [155.54.212.163]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF561A86E7 for <abfab@ietf.org>; Mon, 27 Oct 2014 16:37:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon23.um.es (Postfix) with ESMTP id 5328AD832; Tue, 28 Oct 2014 00:36:59 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon23.um.es
Received: from xenon23.um.es ([127.0.0.1]) by localhost (xenon23.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id vxpp1YKyphSI; Tue, 28 Oct 2014 00:36:59 +0100 (CET)
Received: from [10.42.0.18] (84.124.144.62.dyn.user.ono.com [84.124.144.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon23.um.es (Postfix) with ESMTPSA id 32EEDCAA1; Tue, 28 Oct 2014 00:36:57 +0100 (CET)
Message-ID: <544ED717.5010908@um.es>
Date: Tue, 28 Oct 2014 00:36:55 +0100
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <20141027173338.20163.8329.idtracker@ietfa.amsl.com> <544E8501.4060806@um.es> <tsl8uk1ic9v.fsf@mit.edu>
In-Reply-To: <tsl8uk1ic9v.fsf@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/abfab/FNpW0CtfwaKD4dUSDvzdxpNDXCA
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Fwd: New Version Notification for draft-perez-abfab-wg-arch-erp-00.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 23:38:02 -0000
Hi Sam, > Hi. > > When I first heard about this idea I mentioned that we had been working > with the idea of using Kerberos to handle rapid re-authentication. The > idea is that an acceptor can provide a Kerberos ticket to a RFC 7055 > implementation that can be returned for fast re-authentication. > > My feeling at the time is that is a better approach than ERP for ABFAB. as you know, we do like Kerberos-based proposals. Indeed, my own PhD thesis is focused on the use of Kerberos for providing generic application federation support, and we have made some submissions to the ABFAB and Kerberos WG around this topic in the past. Hence, we have nothing against the use of Kerberos. In my opinion, the idea of making the acceptor generate a Kerberos ticket is ok if what you want is to provide fast re-authentication for future accesses to that particular acceptor. However, if you want to access to another acceptor within the federation, fast re-authentication will not work, as all of the acceptors would need to share the same Kerberos key. Having this sort of RP-to-RP fast re-authentication support is one of the major goals we have in the CLASSe project. In particular, we pursue providing SSO and fast re-authentication in RP-to-RP and network-to-RP scenarios. In addition to ERP, we have explored some Kerberos-based strategies, but we concluded that the most natural and standard way to provide this kind of fast re-authentication in ABFAB was using ERP. > > I never really saw a response to that comment. I recall having a discussion about this topic some time ago, but we didn't went into the details of the ERP-based solution until now, when we've been involved in the CLASSe project. As you've said, we knew about the Kerberos based approach you've mentioned. Moreover, I think you also mentioned it was at some extent implemented in Moonshot. However, as it does not cover the RP-to-RP scenario, it did not satisfy our requirements for the CLASSe project. Of course, it does not mean we are against the Kerberos-based proposal for the scenarios where that kind of fast re-authentication is enough. Indeed, that would be the most reasonable way to proceed in those scenarios, in order to avoid modifying the AAA infrastructure in order to support ERP. However, in our opinion, ERP is the way to proceed if you need RP-to-RP fast re-authentication. > As an experiment, it's > fine to go off and explore whatever approach you like. > However, at the point when you start proposing this work in the IETF, I > think we should explore other plausible alternatives. As such I think > we should have a discussion of ERP vs RFC 4121. Indeed, that's the main purpose of submitting this draft: propose a plausible alternative for this "problem" we had in CLASSe. We do not want to impose our view, just let the WG know about this proposal we designed. It is easier to discuss when you have a somehow detailed description written in a document. Others can have a better understanding of what you want to achieve, and how. I'll be in Honolulu, so if you are planning to attend, I'm looking forward to discuss this and any other topics of interest with you there. Regards, Alejandro > > --Sam
- [abfab] Fwd: New Version Notification for draft-p… Alejandro Perez Mendez
- Re: [abfab] Fwd: New Version Notification for dra… Sam Hartman
- Re: [abfab] Fwd: New Version Notification for dra… Alejandro Perez Mendez
- Re: [abfab] Fwd: New Version Notification for dra… Alejandro Perez Mendez