Re: [abfab] Direction Forward for aaa-saml

Sam Hartman <hartmans@painless-security.com> Wed, 22 July 2015 14:41 UTC

From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu>
Date: Wed, 22 Jul 2015 10:41:46 -0400
In-Reply-To: <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> (Scott Cantor's message of "Wed, 22 Jul 2015 14:25:03 +0000")
Message-ID: <tslio9cw8yd.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/K1VVczSLlKRzDwU93rjMgPERU_U>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:

    Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
    Cantor,> <abfab-bounces@ietf.org on behalf of
    Cantor,> hartmans@painless-security.com>
    Cantor,> wrote:
    >> 
    >> I think you'd need to:
    >> 
    >> 1) Explain how I figure out which entity I'm using for my RADIUS
    >> server

    >> Consider this especially in a case where you're retrieving
    >> metadata dynamically rather than just having all the metadata in
    >> the world.

    Cantor,> That's orthogonal to any use of SAML metadata. How you get
    Cantor,> it (and verify it) is architecturally distinct from what it
    Cantor,> means and how it's used.

Not really.
If I'm starting with an NAI realm and would like to find the entity
description of an entity that is at that NAI realm, I can only do that
if my metadata access mechanism lets me search by that.

However I do agree that this problem is general to the case where you're
using SAML naming rather than AAA naming, not just to the case where
you're getting protocol endpoints from metadata.
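To make the lookup problem above concrete, here is an added example (not code from this thread or from any ABFAB implementation): it extracts the realm from an NAI, indexes a SAML metadata aggregate by a realm entity attribute, and resolves the NAI to entityIDs, returning nothing when no entity is tagged with that realm. The entity-attribute name `urn:example:abfab:nai-realm` and the metadata document are constructed for the example; no registered attribute name for this purpose is assumed to exist.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Hypothetical entity-attribute name tagging an entity with the NAI realm(s)
# it serves. This is an assumption of the example, not a registered name.
REALM_ATTR = "urn:example:abfab:nai-realm"

# Constructed aggregate: one entity tagged with a realm, one untagged.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.edu/aaa">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:example:abfab:nai-realm">
        <saml:AttributeValue>example.edu</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""


def realm_of(nai: str) -> str:
    """Return the realm of an NAI: the text after the last '@', lower-cased."""
    if "@" not in nai:
        raise ValueError("NAI has no realm part")
    return nai.rsplit("@", 1)[1].lower()


def realm_index(metadata_xml: str) -> dict:
    """Build a realm -> [entityID] map from entity attributes in an aggregate."""
    index = {}
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            if attr.get("Name") != REALM_ATTR:
                continue
            for val in attr.findall("saml:AttributeValue", NS):
                realm = (val.text or "").strip().lower()
                index.setdefault(realm, []).append(ed.get("entityID"))
    return index


def entities_for_nai(nai: str, index: dict) -> list:
    """Resolve an NAI to entityIDs; an empty list means the realm is unknown."""
    return index.get(realm_of(nai), [])
```

A metadata service that is only queryable by entityID cannot answer `entities_for_nai` at all; the index here exists only because the whole aggregate was fetched and scanned locally.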