[abfab] Review of draft-ietf-abfab-aaa-saml-10

Sam Hartman <hartmans@painless-security.com> Tue, 17 February 2015 22:50 UTC

From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Tue, 17 Feb 2015 17:49:52 -0500
Message-ID: <tsloaosrw4v.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/XfeCT4hkNgWtHOL9nr6HUZg5Qsk>
Subject: [abfab] Review of draft-ietf-abfab-aaa-saml-10


Section 4:

I thought we were going to make RADIUS over TLS a MUST, not a SHOULD.
Current text says recommended.

Section 6.3.3:

I would like to state for the record that I believe interlinking the
SAML and EAP authentications to permit the SAML request to affect things
like TLS resumption and authentication freshness is problematic and
will lead to implementation failures (or simply be ignored).

I would prefer we not take that approach.  However, the sense of the room
was against me when this was last discussed.
I do think an explicit consensus call by the chairs, if we have not already
made such a call, would be valuable.  I expect that it's likely I'm in
the rough.


Section 6.4.3:

   o  Assume that the Client's identifier implied by a SAML <Subject>
      element, if present, takes precedence over an identifier implied
      by the RADIUS User-Name attribute.

*what*?!  This flies in the face of 4.3.1.


This draft still does not provide a mechanism to meet the conditions
specified in section 4.3.2.  In particular, we don't describe how to
embed AAA names in requests, responses or metadata.

--Sam
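The identifier-precedence comment above concerns a mismatch between the identity a SAML <Subject> implies and the identity a RADIUS User-Name attribute implies. The following Python is an added illustration, not code from the draft or from any ABFAB implementation, of one defensive way an implementer can handle that situation: extract both identifiers and refuse to proceed when they disagree, instead of letting either one silently override the other. The assertion fragment, the RADIUS attribute dictionary and the reconciliation policy are all constructed for this example; the draft's own rules are not reproduced here.

```python
"""Consistency check between a SAML <Subject> NameID and a RADIUS User-Name.

Added illustration only: the precedence/rejection policy below is a
hypothetical defensive choice, not the behaviour specified by
draft-ietf-abfab-aaa-saml or by RFC 4.3.1/6.4.3 text quoted in the review.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUBJECT_NAMEID_PATH = f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID"

# Constructed sample assertion (not from any real deployment).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed assertion that carries no <Subject> at all.
ASSERTION_NO_SUBJECT = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-2">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
</saml:Assertion>"""


def extract_subject_nameid(assertion_xml):
    """Return the text of Subject/NameID, or None when absent or empty.

    The standard-library parser is used so the example runs offline; a
    production AAA server would parse untrusted SAML with a hardened XML
    parser and verify the assertion signature before trusting any field.
    """
    root = ET.fromstring(assertion_xml)
    nameid = root.find(SUBJECT_NAMEID_PATH)
    if nameid is None or not (nameid.text or "").strip():
        return None
    return nameid.text.strip()


def reconcile_identity(assertion_xml, radius_attrs):
    """Decide which identifier, if any, to act on.

    Returns (identity, reason). Hypothetical policy used here:
      * both present and byte-for-byte equal  -> accept, "consistent"
      * both present and different            -> reject, "mismatch"
      * only one present                      -> use it, "saml-only"/"radius-only"
      * neither present                       -> reject, "no-identifier"
    Exact comparison is deliberate: any realm/case normalisation is a
    deployment decision and should be applied to both sides before this call.
    """
    saml_id = extract_subject_nameid(assertion_xml) if assertion_xml else None
    radius_id = radius_attrs.get("User-Name")

    if saml_id and radius_id:
        if saml_id == radius_id:
            return saml_id, "consistent"
        # Neither side is allowed to win silently; the disagreement is
        # surfaced so it can be logged and investigated.
        return None, "mismatch"
    if saml_id:
        return saml_id, "saml-only"
    if radius_id:
        return radius_id, "radius-only"
    return None, "no-identifier"


if __name__ == "__main__":
    for label, xml, attrs in [
        ("match", SAMPLE_ASSERTION, {"User-Name": "alice@example.org"}),
        ("conflict", SAMPLE_ASSERTION, {"User-Name": "bob@example.org"}),
        ("radius only", None, {"User-Name": "carol@example.org"}),
        ("no subject", ASSERTION_NO_SUBJECT, {}),
    ]:
        print(f"{label:12s} -> {reconcile_identity(xml, attrs)}")
```

The point of returning a reason string rather than a bare identity is that a mismatch is exactly the event an operator wants in the AAA server's log: it is the observable symptom of the two identifier sources disagreeing, whichever of them a specification ultimately says should take precedence.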