IETF Logo Mail Archive

Re: [abfab] AD review of draft-ietf-abfab-gss-eap-naming

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 09 September 2012 14:08 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DEBF21F851A for <abfab@ietfa.amsl.com>; Sun, 9 Sep 2012 07:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.475
X-Spam-Level:
X-Spam-Status: No, score=-102.475 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FMZMf42zs+TW for <abfab@ietfa.amsl.com>; Sun, 9 Sep 2012 07:08:24 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 17D2921F843A for <abfab@ietf.org>; Sun, 9 Sep 2012 07:08:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id A8658171478; Sun, 9 Sep 2012 15:08:22 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1347199701; bh=k/46UbNpCSgnhk 71daX7iP8xnrJ1nRWFexo5kktfvQQ=; b=nABMYkclU9bWjs4lgOKvEcALBtuna3 go+y18YVKoox3TpgukqEAtH2Xf2X8oM8nmWdlYq4JoEVHjJEMT/ezRNA736Xf5Ha v3wAaKIVxNPUpy+T7JwAvn/cjsZMhDWIM9Doib9CqTAxdqtIOAQRBKuVQP60jjfn bThAZs3Srs0g/AAy40RsvgEjbGlZZ7LXilbP1KrhVygJo7puiN9DHRwGdoVvWHxS NzvIUav1tLr9OW8BiwvjI/sujiEvQeY1eo+pQjC3PVVZNpqzLLK7RTz1ZKf8VmDH dQer2CUoH/dEpwhhv0G5Mi78hDqPMJCzj71srhQQg2PR8G+MYoNRVNNg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id nvMNjamSnf-q; Sun, 9 Sep 2012 15:08:21 +0100 (IST)
Received: from [10.87.48.9] (unknown [86.44.74.43]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 0D11F171471; Sun, 9 Sep 2012 15:08:19 +0100 (IST)
Message-ID: <504CA2D3.7000601@cs.tcd.ie>
Date: Sun, 09 Sep 2012 15:08:19 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>
References: <50486382.3050203@cs.tcd.ie> <039201cd8d52$209e1c80$61da5580$@augustcellars.com>
In-Reply-To: <039201cd8d52$209e1c80$61da5580$@augustcellars.com>
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: abfab@ietf.org
Subject: Re: [abfab] AD review of draft-ietf-abfab-gss-eap-naming
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Sep 2012 14:08:25 -0000

Hi Jim,

On 09/08/2012 12:40 AM, Jim Schaad wrote:
> Some comments inline
> 
>> -----Original Message-----
>> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf
>> Of Stephen Farrell
>> Sent: Thursday, September 06, 2012 1:49 AM
>> To: <abfab@ietf.org>
>> Subject: [abfab] AD review of draft-ietf-abfab-gss-eap-naming
>>
>>
>> Hi all,
>>
>> My review of this is below. I do think a couple of things at least(1st
> two) need
>> fixing before IETF LC, so I'll mark this as revised ID needed unless you
> want to
>> argue with me about that.
>>
>> Note that I sent an early version of this to the authors and chairs, and
> have
>> incorporated some feedback I got from Sam below.
>>
>> Cheers,
>> S.
>>
>>
>> AD review of draft-ietf-abfab-gss-eap-naming-04
>> 2012-09-06
>>
>> General, but I think need fixing before IETF LC:
>>
>> - Examples are very very badly needed. Maybe some GSS calls and showing
>> the values that'll be produced.
>>
>> - 6.2, can't there be more spaces after the first two in this case?
> Calling that
>> out would seem better.
> 
> I am not sure what you mean here.   It seems to me that we have 
> <string> <space> <string> <space> <string>

The last string can have a space embedded in some cases I think.
It says: "The final part is the <saml:Attribute> element's Name
XML attribute" which as I read it says this 3rd part is an
XML attribute value, which can have spaces. If that's right then
I think we need to tell coders about it.

> 
> Where are you planning to put the additional spaces?  After the last string?
> It might be interesting to say if you could put multiple space characters in
> the location where the <space> is, but that is not something that I would
> necessarily expect.  
> 
> Yes I think it would be reasonable to state that spaces in URIs must be
> encoded as %20, but I thought that was obvious, although it might be an
> error that I made at some point in the future if I just did a copy of the
> string from the XML to here without checking for embedded whitespace.
> 
>>
>> General, comment-like:
>>
>> - As presented, this looks very complex. I think the presentation could do
>> with work to make this an easier read.
> 
> In order to access this, I would need to know where you felt it was complex.
> At this point it is, for better or worse, rather easy to read.

Our reading experiences differ then. If its just me then that's
fine but I think (as I say below) that the attempt to be generic
here causes fairly tortured language to be needed.

I'll leave the rest of the comments for the list, since they're
just comments and I'm not sure Jim is really talking to me so
much as the list for some of 'em:-)

Cheers,
S.

>> - Ought this be made specific to the currently known GSS mechtypes that
> use
>> RADIUS or SAML? I mean for example a statment like "This specification
> only
>> applies for GSS-EAP or SAML-EC." That might well simplify a lot of things
> since
>> I reckon some of the complexity mentioned above comes from what might
>> be premature generalisation.
>>
>> questions:
>>
>> - 2nd para of section 4: what does "MUST make a policy decision" mean?
>> Maybe you mean that a service MUST have a way to decide which IdPs are
>> trusted for which "asserted values"? (And what exactly are "asserted
>> values"?)
> 
> Thus, a service MUST make a policy based decision:  Is this IdP permitted to
> assert this attribute and is the value permitted.
> 
>>
>> - How do I implement the "MUST NOT" in the last para of section 4? I'm
> told
>> that's meant for mechanism spec.  writers so making that clear would be
>> good. "Closely associated"
>> seems too vague. "Can assume" in the example also seems pretty vague.
> 
> 
> I don't have good text here at this point.
> 
>>
>> - Section 5, 1st para: what does "undefined" mean? If I call the relevant
> GSS
>> function too early (before access-accept) what do I get? Maybe say here
>> which GSS calls are meant?
> 
> If you make the call too early, you might get an answer that would change
> after the access-accept message.  You might get an error.  We are not saying
> what the correct behavior is.  While the current deployments are setup to
> just get information back, for Plasma we are looking at situations where we
> are going to want to ask more questions and the way to do this is not
> currently defined.
> 
>>
>> - 6.1, How can a GSS API extension spec assert that authentication only
>> succeeds if the SAML or AAA exchange is successfully authenticated?  Sam
>> suggested: "This attribute MUST always be authenticated when present in
>> mechanism names complying with this specification." which I think would be
>> better.
>>
> 
> I had asked a similar question in the past, and I think that Sam's response
> is incorrect in that it does not match with what he told me in the past.
> There is a possibility that some mechanism will have a SAML statement it
> receives that it cannot authenticate either via the AAA exchange or by
> validating the signature on the SAML statement.  In this case the attribute
> would not be returned as authenticated.  However I would be willing for this
> behavior to be dropped.  But given that we are talking about how to query
> for the attribute, I don't think that the suggested sentence from Sam would
> be correct.
> 
> Perhaps
> 1.  Make this a new paragraph
> 2.  Updated text
> 
> This attribute is authenticated only when the mechanism can successfully
> authenticated the SAML statement.  For the GSS-EAP mechanism this is true if
> the AAA exchange has successfully authenticated.  However, uses of the
> GSS-API MUST confirm that the attribute is marked authenticated as other
> mechanisms MAY permit an initiator to provide an unauthenticated SAML
> statement.
> 
>> - 6.2: Maybe I need to check SAML again, but the "<saml:Attribute>
>> element's Name XML attribute" is used at the end of para 1, but later
> paras
>> talks about the <saml:AttributeValue> - are they the same or not?
> 
> They are not the same.
> 
>>
>> - 6.2: What does "sufficiently validated" mean? Adding more clarity here
>> would be good. Sam suggested: "what we're saying or trying to say here is
>> that a mechanism of GSS-EAP should mark attributes carried according to
>> draft-ietf-abfab-aaa-saml as authenticated in the return from
>> GSS_Get_Name_attribute without needing to do normal SAML validation."
>>
> 
> That probably is what Sam said, not what he suggested as text.
> 
> Text: In the GSS-EAP mechanism, a SAML assert carried in an
> integrity-protected and authenticated AAA protocol SHALL be considered
> successfully validated.
> 
>> - 6.2: last sentence talks about "this assertion" buts its not clear to me
> if you
>> mean the entire assertion or just the attribute?
> 
> I think that when Sam wrote the text he was thinking of the SAML assertion.
> I think however it would be more correct in the current content to
> substitute attribute for assertion as it needs to be clear than local policy
> may kill an attribute.  I would suggest the following changes:
> 
> 1.  Add the following to the end of section 6.1
>    "An implementation MAY apply local policy checks to a SAML assertion and
> discard it if it fails the local policy checks."
> 2.  Change the text at the end of section 6.2 to
>   "An implementation MAY apply local policy checks to each attribute
> contained in a SAML assertion and discard the attribute if it fails the
> local policy checks.
> 
>>
>> - 6.3: Why the SHOULD in the first para?
> 
> A mechanism can choose not to expose some name forms to the acceptor.  In
> this case the GSS name attribute would not be present.
> 
>>
>> - section 8, what is "paramname"?
> 
> If a parameter "paramname" is registered in this registry then its URN will
> be "urn:ietf:gss:paramname".
> 
> 
>>
>> nits and whinges:
>>
>> - ID-nits complains about a few things. No show stoppers at this point but
>> please fix after IETF LC.
>>
>> - worth calling out that %20 is not a separator in 2nd para of section 3?
>>
>> - Section 4, 2nd last para: whenever academics (like me:-) throw in
> "context"
>> or "policy" alarm bells ought go off. Here you're saying a trust-context
> is a
>> type of context and context is a property of an attribute.  Don't you find
> that
>> all a bit overly-generic? Then you say attributes with different contexts
> need
>> different names. Does that mean that the name is also a property of the
>> attribute? Is there no way to get rid of some of that veribage and reduce
> this
>> to what a programmer needs to know? (Ok, you can feel free to ignore this,
>> its just a whinge and I'm sorry;-)
>>
>> - section 8, all but 1st sentence of 1st para should go
>>
>>
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
> 
> 
>

v2.23.0 | Report a Bug | By Email