[abfab] Direction Forward for aaa-saml

Sam Hartman <hartmans@painless-security.com> Wed, 22 July 2015 09:56 UTC

From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org, josh.howlett@jisc.ac.uk
Date: Wed, 22 Jul 2015 05:56:18 -0400
Message-ID: <tslwpxsy0ql.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/Z8IpNuwl7KSXGQ1fU3ErV7zATHM>
Subject: [abfab] Direction Forward for aaa-saml

Leif, I wanted to write up my understanding of our proposed direction
forward, just in case things take longer than we anticipate to

During the meeting Monday we discussed Alejandro's proposal.

He proposes adding two new role descriptor subtypes: Radiusidpdescriptor
and Radiusrpdescriptor.
That seems great.

He proposes adding a RadiusIdpService and RadiusRpService of
EndpointType as well.

In the meeting we discussed that we really aren't specifying an
endpoint.  In particular, the location of the service is implicit in this
RADIUS binding.  It's possible we might describe something in the future
where we included radsec endpoints and keys in metadata, but that's not
what we need now.

However we also discovered that a role descriptor doesn't actually need
any EndpointType subclasses.  So, instead, Alejandro will create a
different extension to RoleDescriptor to include the naming information
we need.

This will allow us to avoid registering an unresolvable URI to describe
the security name of a RADIUS entity.

Have I accurately summarized what we discussed?
If so, I'd like to solicit any comments from the list.
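The following is an added illustration of the metadata shape the message describes; it is not code from Sam's message, from Alejandro's draft, or from any ABFAB specification. It shows how a SAML RoleDescriptor subtype is expressed with xsi:type, how the RADIUS naming information can ride in the RoleDescriptor's Extensions instead of an EndpointType service, and how a consumer resolves the xsi:type QName and rejects descriptors it does not recognise. The namespace `urn:example:abfab:radius-metadata`, the type names `RadiusIdpDescriptor`/`RadiusRpDescriptor`, the `RadiusName` extension element and the sample entity are all assumptions constructed for the example.

```python
"""Consume SAML metadata that carries RADIUS roles as RoleDescriptor subtypes
(via xsi:type) plus a RoleDescriptor extension holding the RADIUS naming
information, with no EndpointType service.

The namespace, type names and extension element below are ASSUMED for this
example; the ABFAB draft may define different ones.
"""
import io
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_ABFAB = "urn:example:abfab:radius-metadata"   # assumed namespace (placeholder)

# Assumed type names, modelled on the two subtypes named in the message.
RADIUS_ROLE_TYPES = {
    "RadiusIdpDescriptor": "radius-idp",
    "RadiusRpDescriptor": "radius-rp",
}

# Constructed sample metadata (not taken from any real federation).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:abfab="urn:example:abfab:radius-metadata"
    entityID="https://idp.example.edu/abfab">
  <md:RoleDescriptor xsi:type="abfab:RadiusIdpDescriptor"
      protocolSupportEnumeration="urn:example:abfab:radius">
    <md:Extensions>
      <abfab:RadiusName>idp.example.edu</abfab:RadiusName>
    </md:Extensions>
  </md:RoleDescriptor>
  <md:RoleDescriptor xsi:type="abfab:RadiusRpDescriptor"
      protocolSupportEnumeration="urn:example:abfab:radius">
    <md:Extensions>
      <abfab:RadiusName>rp.example.edu</abfab:RadiusName>
    </md:Extensions>
  </md:RoleDescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _namespace_map(xml_text):
    """Collect prefix -> namespace declarations so an xsi:type QName can be
    resolved against the namespace it was bound to, not just its prefix."""
    nsmap = {}
    for _event, (prefix, uri) in ET.iterparse(
            io.BytesIO(xml_text.encode("utf-8")), events=("start-ns",)):
        nsmap[prefix] = uri
    return nsmap


def radius_roles(xml_text):
    """Return a list of (role, radius_name, entityID) for every generic
    md:RoleDescriptor in the entity.  Concrete SAML roles such as
    SPSSODescriptor are different elements and are left alone.

    Raises ValueError for an unknown subtype or a descriptor without the
    naming extension, so a misconfigured entity is rejected rather than
    silently treated as an unnamed RADIUS peer.
    """
    nsmap = _namespace_map(xml_text)
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    roles = []
    for rd in root.findall(f"{{{NS_MD}}}RoleDescriptor"):
        xsi_type = rd.get(f"{{{NS_XSI}}}type")
        if xsi_type is None or ":" not in xsi_type:
            raise ValueError("RoleDescriptor without a namespaced xsi:type")
        prefix, local = xsi_type.split(":", 1)
        if nsmap.get(prefix) != NS_ABFAB or local not in RADIUS_ROLE_TYPES:
            raise ValueError(f"unknown RoleDescriptor subtype {xsi_type}")
        # The RADIUS security name lives in Extensions; no endpoint is needed
        # because the location is implicit in the RADIUS binding.
        name = rd.find(f"{{{NS_MD}}}Extensions/{{{NS_ABFAB}}}RadiusName")
        if name is None or not (name.text or "").strip():
            raise ValueError(f"{xsi_type} lacks the RadiusName extension")
        roles.append((RADIUS_ROLE_TYPES[local], name.text.strip(), entity_id))
    return roles


def is_valid_radius_metadata(xml_text):
    """True when every generic RoleDescriptor is a recognised, named RADIUS role."""
    try:
        radius_roles(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def entity_for_radius_name(xml_text, role, radius_name):
    """Map a RADIUS peer's (role, security name) back to the SAML entityID,
    which is what a RADIUS server consulting metadata needs to do."""
    for found_role, found_name, entity_id in radius_roles(xml_text):
        if (found_role, found_name) == (role, radius_name):
            return entity_id
    return None


if __name__ == "__main__":
    for role in radius_roles(SAMPLE_METADATA):
        print(role)
```

Resolving the xsi:type prefix through the document's own namespace declarations matters: a descriptor whose type is bound to some other namespace must not be accepted just because its local name looks right.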