Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
Alejandro Perez Mendez <alex@um.es> Thu, 26 February 2015 11:03 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/T4R6JFdhtnAm3-2INt-_PHK8NwY>
On 19/02/15 at 20:12, Jim Schaad wrote:
>
>> -----Original Message-----
>> From: abfab [mailto:abfab-bounces@ietf.org] On Behalf Of Alejandro Perez
>> Mendez
>> Sent: Thursday, February 19, 2015 12:01 AM
>> To: abfab@ietf.org
>> Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
>>
>> Hi Sam,
>>
>> thanks for the review. See my comments below.
>>
>> On 17/02/15 at 23:49, Sam Hartman wrote:
>>> Section 4:
>>>
>>> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
>>> Current text says recommended.
>> Whereas version -09 stated once (in section 5.2) that the use of TLS was
>> REQUIRED, along the rest of text it indicated several times this support
>> as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just homogenized them
>> to the prevailing one.
>>
>> Nevertheless, I think that making TLS a MUST might be limiting. There
>> might be some use case scenarios for this profile where using TLS is not
>> actually required (e.g. other security mechanisms apply). I would see
>> that kind of requirement more for the ABFAB architecture level than for
>> this I-D level. Moreover, in the saml-profiles-2.0-os document, the use
>> of TLS is indicated as RECOMMENDED.
>>
>>> Section 6.3.3:
>>>
>>> I would like to state for the record that I believe interlinking the
>>> SAML and EAP authentications to permit the SAML request to affect
>>> things like TLS resumption and authentication freshness is
>>> problematic and will lead to implementation failures (or simply be
>>> ignored).
>>> I would prefer we not take that approach. However the sense of the
>>> room was against me when this was last discussed.
>>> I do think an explicit consensus call by chairs if we have not already
>>> made such a call would be valuable. I expect that it's likely I'm in
>>> the rough.
>> I'm ok with such a call, but I'd like to know more about the problems you
>> would expect.
>> As I see it, if the IdP cannot/won't address the constraints called in the
>> AuthnRequest message, it MUST (SHOULD perhaps?) generate an
>> authentication error.
> If we don't make TLS a MUST, then we probably need to strengthen the privacy
> considerations to talk about the fact that eavesdroppers on the wire will be
> able to get to the contents of the SAML statements being made. It is not
> just an issue of RADIUS Proxies. In any event I don't know how this can be
> enforced for anything but the first and last steps in a multi-proxy world.
> This probably also needs to be stressed.

Right. I will add that to the considerations.

Regards,
Alejandro

>
>>
>>> Section 6.4.3:
>>>
>>>    o  Assume that the Client's identifier implied by a SAML <Subject>
>>>       element, if present, takes precedence over an identifier
>>>       implied by the RADIUS User-Name attribute.
>>>
>>>
>>> *what*?! This flies in the face of 4.3.1.
>> This section is dealing with the Client's identifier (Subject), whereas
>> 4.3.1 deals with names of the AAA entities (i.e. RP and IdP, related with
>> Issuer and Recipient at the SAML level). Hence, I don't think section
>> 6.4.3 has a direct impact on what 4.3.1 says.
>>
>>>
>>> This draft still does not provide a mechanism to meet the conditions
>>> specified in section 4.3.2. In particular, we don't describe how to
>>> embed AAA names in requests, responses or metadata.
>> You're right. I think we should focus on representing this information in
>> the metadata, which is controlled by the recipient, rather than on the
>> information on the wire, which might have been forged by the sender.
> Why do you not think that the NAI name form is sufficient for this purpose?
>
>> Regards,
>> Alejandro
>>
>>> --Sam