IETF Logo Mail Archive

Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10

Alejandro Perez Mendez <alex@um.es> Thu, 26 February 2015 11:05 UTC

Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BF6D1A6FF9 for <abfab@ietfa.amsl.com>; Thu, 26 Feb 2015 03:05:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9RW5QQk_yHPC for <abfab@ietfa.amsl.com>; Thu, 26 Feb 2015 03:05:06 -0800 (PST)
Received: from xenon24.um.es (xenon24.um.es [155.54.212.164]) by ietfa.amsl.com (Postfix) with ESMTP id C48411A6F20 for <abfab@ietf.org>; Thu, 26 Feb 2015 03:05:05 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon24.um.es (Postfix) with ESMTP id 09216A79E; Thu, 26 Feb 2015 12:05:04 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon24.um.es
Received: from xenon24.um.es ([127.0.0.1]) by localhost (xenon24.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id bWBDueXwWVRG; Thu, 26 Feb 2015 12:05:03 +0100 (CET)
Received: from [10.42.0.179] (84.121.18.25.dyn.user.ono.com [84.121.18.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon24.um.es (Postfix) with ESMTPSA id 514CFA792; Thu, 26 Feb 2015 12:05:02 +0100 (CET)
Message-ID: <54EEFDDE.5050401@um.es>
Date: Thu, 26 Feb 2015 12:05:02 +0100
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>, abfab@ietf.org
References: <tsloaosrw4v.fsf@mit.edu> <54E59831.10108@um.es> <54E5A557.3090603@sunet.se> <B1F69288-3FCF-43F0-A0B9-946F5557875D@cisco.com> <54E5F038.1080800@um.es> <021701d04c78$75eeb8b0$61cc2a10$@augustcellars.com>
In-Reply-To: <021701d04c78$75eeb8b0$61cc2a10$@augustcellars.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/HONYJ6Bh1799GZSgpDJPNLWocSI>
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 11:05:08 -0000

El 19/02/15 a las 20:15, Jim Schaad escribió:
>
>> -----Original Message-----
>> From: abfab [mailto:abfab-bounces@ietf.org] On Behalf Of Alejandro Perez
>> Mendez
>> Sent: Thursday, February 19, 2015 6:16 AM
>> To: abfab@ietf.org
>> Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
>>
>>
>> El 19/02/15 a las 10:16, Klaas Wierenga (kwiereng) escribió:
>>>> On 19 Feb 2015, at 09:56, Leif Johansson <leifj@sunet.se> wrote:
>>>>
>>>> On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
>>>>> Hi Sam,
>>>>>
>>>>> thanks for the review. See my comments below.
>>>>>
>>>>> El 17/02/15 a las 23:49, Sam Hartman escribió:
>>>>>> Section 4:
>>>>>>
>>>>>> I thought we were going to make RADIUS over TLS a MUST not a
>> SHOULD.
>>>>>> Current text says recommended.
>>>>> Whereas version -09 stated once (in section 5.2) that the use of TLS
>>>>> was REQUIRED, along the rest of text it indicated several times this
>>>>> support as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just
>>>>> homogenized them to the prevailing one.
>>>>>
>>>>> Nevertheless, I think that making TLS a MUST might be limiting.
>>>>> There might be some use case scenarios for this profile where using
>>>>> TLS is not actually required (e.g. other security mechanisms apply).
>>>>> I would see that kind of requirement more for the ABFAB architecture
>>>>> level than for this I-D level. Moreover, in the saml-profiles-2.0-os
>>>>> document, the use of TLS is indicated as RECOMMENDED.
>>>> Speaking as an individual I don't think there are any sane reasons
>>>> not to use TLS if you relax the requirements on credentials
>>>> administration (eg run oportunistic TLS). Having said that I think
>>>> probably RECOMMENDED is strong enough anyway.
>>> speaking as another individual, you could go the route that other drafts
>> have taken and say something like:
>>> TLS is REQUIRED unless alternative methods are used to ensure
>> confidentiality like IPSEC tunnels or a sufficiently secure internal
> network.
>> That text sounds quite reasonable to me. I was also thinking in including
> DTLS
>> as an alternative.
> In my mind DTLS would be acceptable if one says TLS is required.  They are
> the same basic mechanism in my mind.  However the use of DTLS in this
> scenario is going to be somewhat problematic as it would lead to even more
> fragmenting.  The big reason for using TLS/IP rather than DTLS is the
> upcoming support for large packets.
>
> Not clear that the large packet draft is written to allow it to be used in a
> non-TLS situation.  Probably need to verify that it is if we want to include
> things like IPsec as options

We have our fragmentation draft for UDP, so that should not be a problem.

Regards,
Alejandro

>
> Jim
>
>> Regards,
>> Alejandro
>>> Klaas
>>>
>>>
>>> _______________________________________________
>>> abfab mailing list
>>> abfab@ietf.org
>>> https://www.ietf.org/mailman/listinfo/abfab
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab

v2.8.7 | Report a Bug | By Email