Re: [abfab] Fwd: New Version Notification for draft-perez-abfab-gss-remote-attr-00.txt

Alex Stuart <alex.stuart@ed.ac.uk> Mon, 05 October 2015 09:11 UTC

To: <abfab@ietf.org>
References: <20151005072718.21102.94680.idtracker@ietfa.amsl.com> <561227AA.8090602@um.es>
From: Alex Stuart <alex.stuart@ed.ac.uk>
Message-ID: <56123E92.5020208@ed.ac.uk>
Date: Mon, 5 Oct 2015 10:10:42 +0100
In-Reply-To: <561227AA.8090602@um.es>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/PNM5uRBbyFjkIJ83vMWMOCa0vag>

Hi Alejandro

I think some names of the SAML attributes have got swapped. In section
5.1, the last bullet point should be:

* urn:ietf:params:gss:federated-saml-attribute
urn:oasis:names:tc:SAML:2.0:attrname-format:uri
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (SAML eduPersonEntitlement attribute)

And in 5.6, the parenthetical SAML eduPersonAffiliation and SAML
eduPersonEntitlement should be swapped.


However, I'm not sure that an application would first receive an
entitlement, then ask for an affiliation. Because affiliation has a
small controlled vocabulary and entitlement can be as fine-grained as
you like, I think the logic would be reversed. I can envisage that an
application receives affiliation, which it finds too coarse to allow
authorization, and then looks for entitlement to make the decision.

Regards,
Alex

On 05/10/2015 08:32, Alejandro Pérez Méndez wrote:
> Dear all,
> 
> we have submitted a new draft called "Retrieving remote attributes
> using GSS-API naming extensions" that aims to describe how current
> GSS-API extensions can be used to allow mechanisms to retrieve remote
> attributes without requiring any change, either to the existing calls
> or to the way applications use the API.
> 
> Any comment or feedback is welcome.
> 
> Regards,
> Alejandro
> 
> 
> -------- Forwarded Message --------
> Subject: 	New Version Notification for
> draft-perez-abfab-gss-remote-attr-00.txt
> Date: 	Mon, 05 Oct 2015 00:27:18 -0700
> From: 	internet-drafts@ietf.org
> To: 	Alejandro Perez-Mendez <alex@um.es>, Alejandro Perez-Mendez
> <alex@um.es>, Rafa Marin-Lopez <rafa@um.es>, Rafael Lopez <rafa@um.es>,
> Gabriel Lopez-Millan <gabilm@um.es>, Gabriel Lopez-Millan <gabilm@um.es>
> 
> 
> 
> A new version of I-D, draft-perez-abfab-gss-remote-attr-00.txt
> has been successfully submitted by Alejandro Perez-Mendez and posted to the
> IETF repository.
> 
> Name:		draft-perez-abfab-gss-remote-attr
> Revision:	00
> Title:		Retrieving remote attributes using GSS-API naming extensions
> Document date:	2015-10-05
> Group:		Individual Submission
> Pages:		9
> URL:            https://www.ietf.org/internet-drafts/draft-perez-abfab-gss-remote-attr-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-perez-abfab-gss-remote-attr/
> Htmlized:       https://tools.ietf.org/html/draft-perez-abfab-gss-remote-attr-00
> 
> 
> Abstract:
>    The GSS-API Naming Extensions define new APIs that extend the GSS-API
>    naming model to support name attribute transfer between GSS-API
>    peers.  Historically, this set of functions has been used to obtain
>    the authorization information contained in some sort of authorization
>    token provided to the GSS acceptor during the context establishment
>    process, such as a Kerberos ticket, a SAML assertion, or an X.509
>    attribute certificate.  However, some scenarios require allowing the
>    GSS acceptor to request additional attributes after context
>    establishment.  If these attributes are not locally stored by the GSS
>    mechanism they have to be retrieved from an external source (e.g.
>    SQL database, LDAP directory, external IdP, etc.).  This document
>    describes how current GSS-API extensions are able to encompass such
>    functionality without requiring any change, either to the
>    existing calls or to the way applications use the API.
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> 
> 
> 
> 

-- 
Alex Stuart
Team Leader - Federated Access Management
EDINA, University of Edinburgh

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
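As an added illustration, not code from the draft or from either poster, of the affiliation-then-entitlement ordering Alex argues for above: an acceptor that asks for the coarse attribute first and fetches the fine-grained one only when affiliation cannot decide. The StubName class is a hypothetical stand-in for a GSS name with RFC 6680-style get_name_attribute results; the eduPersonAffiliation OID comes from the eduPerson schema (the message quotes only the entitlement OID), and the entitlement value and attribute stores are constructed.

```python
from dataclasses import dataclass

# RFC 7056 composite names as quoted in the reply: prefix, SAML NameFormat, attribute URI.
# Entitlement OID is the one in the message; affiliation is eduPersonAffiliation's OID.
SAML_PREFIX = "urn:ietf:params:gss:federated-saml-attribute"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
AFFILIATION = f"{SAML_PREFIX} {URI_FORMAT} urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
ENTITLEMENT = f"{SAML_PREFIX} {URI_FORMAT} urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

@dataclass
class AttrValue:
    value: str
    authenticated: bool  # RFC 6680 'authenticated' flag; only such values drive decisions

class StubName:
    """Hypothetical stand-in for a GSS name, not a real GSS-API binding. Attributes
    delivered at context establishment are local; anything else is fetched on demand
    from a constructed remote store through the very same call, as the draft proposes."""

    def __init__(self, local, remote):
        self._local, self._remote = local, remote
        self.remote_lookups = []  # which attributes needed a remote fetch

    def get_name_attribute(self, attr):
        if attr in self._local:
            return self._local[attr]
        self.remote_lookups.append(attr)
        return self._remote.get(attr, [])

def authorize(name, resource_entitlement, sufficient=("staff", "faculty")):
    """Coarse affiliation check first; fall back to the fine-grained entitlement
    only when affiliation cannot decide (the ordering argued for in the reply)."""
    affs = [a for a in name.get_name_attribute(AFFILIATION) if a.authenticated]
    if not affs:
        return ("deny", "no authenticated affiliation")
    if any(a.value in sufficient for a in affs):
        return ("permit", "affiliation")
    ents = [e for e in name.get_name_attribute(ENTITLEMENT) if e.authenticated]
    if any(e.value == resource_entitlement for e in ents):
        return ("permit", "entitlement")
    return ("deny", "no matching entitlement")

def demo():
    # Constructed sample: the assertion carried only affiliation "member"; the
    # entitlement sits at the IdP and is retrieved only because "member" is too coarse.
    name = StubName({AFFILIATION: [AttrValue("member", True)]},
                    {ENTITLEMENT: [AttrValue("urn:example:entitlement:archive-read", True)]})
    return authorize(name, "urn:example:entitlement:archive-read"), name.remote_lookups
```

Values whose authenticated flag is false are ignored, so an attribute merely asserted by an unverified source never grants access, and a sufficient affiliation avoids the remote round trip entirely.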