Re: [abfab] charter take 3
Leif Johansson <leifj@sunet.se> Fri, 13 August 2010 11:29 UTC
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 276483A6358 for <abfab@core3.amsl.com>; Fri, 13 Aug 2010 04:29:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avhs9SNQzxHd for <abfab@core3.amsl.com>; Fri, 13 Aug 2010 04:28:58 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id AB0643A6783 for <abfab@ietf.org>; Fri, 13 Aug 2010 04:28:57 -0700 (PDT)
Received: from [192.36.125.216] (dhcp.pilsnet.sunet.se [192.36.125.216]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id o7DBTU77027773 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 Aug 2010 13:29:32 +0200 (CEST)
Message-ID: <4C652C9A.7080707@sunet.se>
Date: Fri, 13 Aug 2010 13:29:30 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9pre) Gecko/20100217 Lightning/1.0b1 Shredder/3.0.3pre
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <4C64F516.8020801@sunet.se> <3D3C75174CB95F42AD6BCC56E5555B4502E9BEF1@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4502E9BEF1@FIESEXC015.nsn-intra.net>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: abfab@ietf.org
Subject: Re: [abfab] charter take 3
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2010 11:29:00 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/13/2010 01:00 PM, Tschofenig, Hannes (NSN - FI/Espoo) wrote: > Hi Lef, > > Thanks for getting this going. A few minor comments. > > >> Abfab Proposed Charter >> >> Abfab - Application Bridging for Federated Access Beyond web >> >> Federated identity shares user authorization information among >> organizations, without specific registration of the individual user at >> the organization controlling a a remote resource. > > > I am trying to parse this sentence and I does not make sense to me. > > First, I think you are trying to say "Federated Identity Management > Systems share" > (let's assume that such a term exists somewhere) > > Second, "share ... User identity information and related attributes" > > (you see that the terminology document that I distributed recently would > reallly be useful) > > What does it mean to say "without specific registration of the > individual user at >> the organization controlling a a remote resource." Actually it was Daves paragraph but I suggest you comment on the version Josh just suggested for the first paragraph. It might parse more easily. On this note I urge everyone not to bike-shed on an explanation of what constitutes federated identity. We have plenty of time for that _if_ we can get to a point where we can talk about working group documents ;-) > > > A number of such >> mechanisms are in use for the Web. This working group will specify a >> federated identity mechanism for use by other Internet >> services, such as >> IMAP, XMPP, SSH, NFS and other non-IETF protocols, not based on Web >> protocols. > > > Which non-IETF protocols? > I would you would say non-HTTP based protocols. > There are plenty of protocols not done in the IETF but I take your point and will try to polish that up a bit. > > The design will combine existing IETF protocols, >> specifically SAML, EAP (RFC 3748) and AAA (RADIUS, Diameter). > > SAML is not an IETF protocol. > Maybe you want to say god point. > > " > The design will combine existing protocols, namely the Extensible > Authentication Protocol (EAP - RFC 3748), Authentication, Authorization > and Account Protocols (RADIUS - RFC 2865 and Diameter - RFC 3588), and > the Security Assertion Markup Language (SAML). > " yes. > > (I put SAML as the last item because it is the least important one in > the approach discussed on the list. Everything would just work without > using SAML as well.) > That aside think your version reads better. > >> With the >> deployment of the solution, a user from one organization will >> be able to >> access resources at another organization, given only prior agreement >> between the organizations, or prior agreement between each >> organization >> and a trusted intermediary. >> >> While work continues elsewhere on basic mechanisms that rely >> on using an >> HTTP/HTML interface to authenticate and authorize non-web >> applications, > > Authenticate and authorize users for non-HTTP based applications. > >> this working group will look at approaches that do not rely >> on the web, > > > ... On the HTTP-based web. Imho that would be silly. Everyone knows the web runs on HTTP. > >> taking into account user interface concerns and the need to pass >> structured data to an appropriate authentication interface, as well as >> the need to handle large scale discovery. > > What do you mean by passing structured data to an appropriate > authentication interface? Elliot has suggested dropping those paragraphs actually... > > >> >> The working group will develop a solution for federated identity for >> IETF and non-IETF application protocols > > I would prefer to write "for non-HTTP based protocols". > >> by combining SAML, EAP (RFC >> 3748) and AAA (RADIUS, Diameter). > > > Btw, you said that already previously. Maybe you want to merge the text > with the previous paragraph to make it less repetitive. > possibly. > > > Specifically EAP will be used to >> authenticate the subject to a trusted party, AAA (RADIUS and Diameter) >> will be used to authenticate and convey information from that >> party to a >> relying party and SAML is used for authorization and personalization. >> >> The working group may consider other alternative technology for these >> three roles in the architecture but any change in direction in this >> respect requires rechartering of the working group > > ... Other alternative technology for these three communication > relationships. > > >> >> Constraints: >> - ------------ >> >> Initially the working group will focus on using GSS-API (RFC2743) as > > Remove the initially > Why? There has been lots of discussion on the list about the need to allow for future introduction of new application interface technologies but that the WG would start with GSS-API. Initially is meant to convey precisely this and I've not heard any opposition to it so it stays unless I hear lots more support for dropping it. > >> a mechanism for integrating the developed solution for federated >> identity into application protocols but other technologies for >> application interface are in scope of the working group and may be >> adopted as deliverables subject to the normal IETF consensus and >> (re)charter process. >> >> The working group will ensure that any solution developed has built- >> in technical controls for privacy protection. >> >> The working group may not change EAP (beyond the development of EAP >> mechanisms), RADIUS or Diameter without establishing consensus with >> the appropriate community within the IETF. >> >> The working group will use the following documents as a starting >> point for its work: >> >> - - draft-howlett-eap-gss-00, >> - - draft-howlett-radius-saml-attr-00 >> - - draft-hartman-gss-eap-naming-00 >> >> Concerns have been raised that additional work is required in keying >> AAA associations in a federated environment. The working group is >> chartered to explore these concerns and if needed, specify protocols >> that use existing AAA key management mechanisms to address >> these concerns. >> >> In addition, the working group will explore the usability and user >> interface issues associated with federated authentication. The work is >> not chartered to standardize protocols or recommend best current >> practice in the area of usability. The working group should explore >> the area and produce informational documents describing the issues and >> recommending appropriate work for the IETF in this area. > > > Hmmm. I am not happy with this text. Where else would you like to do > such work in the IETF other than in the group where the experts of the > technology are. Why not to work on a document that illustrates the > issues and if there are suggestions to make then just make them. > I presume you are talking about the last paragraph and not all three? In that case Elliot has suggested dropping that text already (he was the originator of the usability concerns). > >> >> As future work in dealing with user interface in this area progresses, >> the architecture of the system may need to expand to include >> additional >> components or make significant changes to adapt to improvements in >> understanding of user interface. In describing architecture work, the >> working group will emphasize this possibility of change. > > This sounds a bit fuzzy. What do you mean by "additional components"? > Are we talking about user interface issues or protocol extensions that > simplify operations and management (i.e. the user in the sense of the > administor of the system). See above wrt Elliots suggestions. > >> >> Coordination with other SDOs >> - ---------------------------- >> >> This work will require close coordination with work going on in the >> OASIS Security Services Technical Committee (SSTC). There should be >> sufficient overlapping participation between the SSTC and this working >> group for informal coordination. The chairs of this working group may >> work with the SSTC chairs and the IAB in case formal coordination is >> required. >> >> In particular coordination is required with respect to the SAML-RADIUS >> binding. > > So, what do you expect OASIS to do in this work? > Review? > Be aware of the IETF group? Does that have to go in the charter? > > Because of the different organizational structure and membership model I > am always concerned when work is spread over different SDOs. I am > chairing the KEYPROV working group and we had some interactions with > OASIS and I am not sure OASIS has been helpful in any way. Why do you > think it is different here? > >> >> Deliverables >> - ------------ >> >> The deliverables of the working group are: >> >> * A document describing applicable use cases. >> >> * An architecture document describing how the components of >> the solution >> fit together to address the use cases and open issues that >> will require >> future changes to the architecture >> >> * A standards-track protocol for carrying SAML messages in RADIUS and >> Diameter >> >> * An update to the EAP applicability statement in RFC 3748 describing >> the applicability of EAP to application authentication and placing >> appropriate requirements on this new EAP use case >> >> * A standards track solution for using EAP methods to provide >> authentication within the application >> >> * An update to the EMSK root key applicability statement in RFC 5295 >> >> * A standards-track description of GSS names and name attributes >> required by the solution >> >> * Informational descriptions of usability and user-interface concerns >> related to this work > > Sounds good to me. Are you going to propose milestones as well? I think we have to before Sean would be happy :-) Cheers Leif -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkxlLJoACgkQ8Jx8FtbMZndJegCfUjaSrdapHA1NnRq3IAf8ynxF LLsAnjesTRQqTnTsTRMMTt2ekB6b/M7R =h+D3 -----END PGP SIGNATURE-----
- Re: [abfab] charter take 3 Leif Johansson
- [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Eliot Lear
- Re: [abfab] charter take 3 Josh Howlett
- Re: [abfab] charter take 3 Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [abfab] charter take 3 Josh Howlett
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Josh Howlett
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Scott Cantor
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Klaas Wierenga
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Klaas Wierenga
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Yoshihiro Ohba
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Klaas Wierenga
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Eliot Lear
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Yoshihiro Ohba
- Re: [abfab] charter take 3 Nicolas Williams
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Nicolas Williams
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Nicolas Williams
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Dave CROCKER
- Re: [abfab] charter take 3 Nicolas Williams
- Re: [abfab] charter take 3 Nicolas Williams
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Nicolas Williams
- Re: [abfab] charter take 3 Sam Hartman
- Re: [abfab] charter take 3 Leif Johansson
- Re: [abfab] charter take 3 Nicolas Williams