Re: [abfab] Direction Forward for aaa-saml

Sam Hartman <hartmans@painless-security.com> Wed, 22 July 2015 13:08 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE4B31B3356 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 06:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EvACnsZCChC0 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 06:08:10 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FE451A1A82 for <abfab@ietf.org>; Wed, 22 Jul 2015 06:07:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 9B0E02075A; Wed, 22 Jul 2015 09:07:27 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IdRUfVX5VDkW; Wed, 22 Jul 2015 09:07:27 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 09:07:26 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 843808867F; Wed, 22 Jul 2015 09:07:49 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se>
Date: Wed, 22 Jul 2015 09:07:49 -0400
In-Reply-To: <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> (Leif Johansson's message of "Wed, 22 Jul 2015 14:44:53 +0200")
Message-ID: <tsl7fpsxrve.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/U9MNBHBQopVW-_cm9CVBLlkZXhM>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 13:08:12 -0000

>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:

    Leif> 22 jul 2015 kl. 12:14 skrev Sam Hartman
    Leif> <hartmans@painless-security.com>om>:

    >>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
    >> 
    >>>> 22 jul 2015 kl. 11:56 skrev Sam Hartman
    >>>> <hartmans@painless-security.com>om>:
    >>>> 
    >>>> In the meeting we discussed that we really aren't specifying an
    >>>> edpoint.  In particular, the location of the service is
    >>>> implicit in this RADIUS binding.  It's possible we might
    >>>> describe something in the future where we included radsec
    >>>> endpoints and keys in metadata, but that's not what we need
    >>>> now.
    >> 
    Leif> agree but it may be cheap/easy to include that upfront
    >> 
    >> Doing the metadata specification would be cheap/easy.  Describing
    >> semantics would I suspect be more difficult.

    Leif> maybe... but lets think about it/try

I'm happy to review suggested text.

I think you'd need to:

1) Explain how I figure out which entity I'm using for my RADIUS server

2) Explain how I validate the RADIUS server I'm talking to

3) Explain how the RADIUS server I'm talking to validates me.

Consider this especially in a case where you're retrieving metadata
dynamically rather than just having all the metadata in the world.

--Sam