Re: [abfab] Review of draft-ietf-abfab-aaa-saml-11

Alejandro Pérez Méndez <alex@um.es> Fri, 16 October 2015 14:27 UTC

Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 503F11B2C2F for <abfab@ietfa.amsl.com>; Fri, 16 Oct 2015 07:27:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.911
X-Spam-Level:
X-Spam-Status: No, score=-3.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFMei00r39OT for <abfab@ietfa.amsl.com>; Fri, 16 Oct 2015 07:27:09 -0700 (PDT)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id D2CF01B2C2D for <abfab@ietf.org>; Fri, 16 Oct 2015 07:27:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id 69646468; Fri, 16 Oct 2015 16:27:05 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Fe8cdYJd8o2A; Fri, 16 Oct 2015 16:27:05 +0200 (CEST)
Received: from [192.168.1.102] (84.121.15.122.dyn.user.ono.com [84.121.15.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon22.um.es (Postfix) with ESMTPSA id 7753F131; Fri, 16 Oct 2015 16:27:02 +0200 (CEST)
To: Sam Hartman <hartmans@painless-security.com>
References: <9846A6064BD102419D06814DD0D78DE112712074@CIO-TNC-D2MBX02.osuad.osu.edu> <5620C974.30400@um.es> <tslmvvjug51.fsf@mit.edu>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <56210936.4000808@um.es>
Date: Fri, 16 Oct 2015 16:27:02 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <tslmvvjug51.fsf@mit.edu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/ULsM8CtWNhFBwwgrOHnR92VgRhc>
Cc: abfab@ietf.org
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-11
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 14:27:11 -0000


El 16/10/15 a las 14:55, Sam Hartman escribió:
>>>>>> "Alejandro" == Alejandro Pérez Méndez <alex@um.es> writes:
>      Alejandro> Hi Scott, thanks for this thorough review. See my
>      Alejandro> comments inline.
>
>      >> Sorry this is a little late. I gave it a pretty thorough read.
>      >>
>      >> Substantive:
>      >>
>      >> Is it useful to say something in section 3 along the lines that
>      >> apart from the binding defined in section 4, the spec doesn't
>      >> prescribe any particular pattern/usage/constraint/etc. on the use
>      >> of the two RADIUS attributes it defines? I ask because of the
>      >> statement in section 4 about the two attributes not being used in
>      >> the same RADIUS message, and wondered if that should be stated in
>      >> section 3, but then thought maybe that wasn't something being
>      >> constrained by the spec, but just the binding.
>
>      Alejandro> I think that it would make sense to move the restriction
>      Alejandro> up to section 3, as one can see both attributes as
>      Alejandro> exclusive alternatives to represent SAML information. If
>      Alejandro> the RADIUS server decides to send a SAML Message, why
>      Alejandro> sending a SAML Assertion aside?
>
> Agreed.
>
>      Alejandro> I didn't write that text, so we have to hear the original
>      Alejandro> authors' opinion here. I guess the point was that the
>      Alejandro> SAML error response is optional, and that the RADIUS
>      Alejandro> server, in presence of SAML errors, can just limit to
>      Alejandro> provide a RADIUS-only response.
>
> Yes, that's the intent as I understand it.
>
>      Alejandro> Nevertheless, I think the last two paragraphs of section
>      Alejandro> 4.2 could be reduced to the following text, it the
>      Alejandro> original authors agree:
>
>      Alejandro>    "In the case of a SAML processing error, the RADIUS
>      Alejandro> server MAY include a SAML response message with an
>      Alejandro> appropriate value for the <samlp:Status> element within
>      Alejandro> the Access-Accept or Access-Reject packet to notify this
>      Alejandro> fact to the Client.".
>
> I think the following would be more clear:
>
>      "In the case of a SAML processing error, the RADIUS
>   server MAY include a SAML response message with an
>   appropriate value for the <samlp:Status> element within
>   the Access-Accept or Access-Reject packet to notify the client.
>   Alternatively, the RADIUS server can respond without a SAML-Message attribute.".

That sounds better, yes.

>
> Or did we end up calling it SAML-Protocol?

Oh, right. I'll change that.

Regards,
Alejandro

>
> --Sam