[abfab] Comments on draft-ietf-abfab-aaa-saml-05
"Jim Schaad" <jimsch@augustcellars.com> Tue, 26 February 2013 19:26 UTC
Return-Path: <jimsch@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 623EC21F8869 for <abfab@ietfa.amsl.com>; Tue, 26 Feb 2013 11:26:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.282
X-Spam-Level:
X-Spam-Status: No, score=-1.282 tagged_above=-999 required=5 tests=[AWL=2.317, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQ9hTd24bD9a for <abfab@ietfa.amsl.com>; Tue, 26 Feb 2013 11:26:48 -0800 (PST)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id 3F95A21F8825 for <abfab@ietf.org>; Tue, 26 Feb 2013 11:26:48 -0800 (PST)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id A3F6B38F18; Tue, 26 Feb 2013 11:26:47 -0800 (PST)
From: Jim Schaad <jimsch@augustcellars.com>
To: draft-ietf-abfab-aaa-saml@tools.ietf.org
Date: Tue, 26 Feb 2013 11:26:15 -0800
Message-ID: <018001ce1457$252783e0$6f768ba0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac4TyEadmLXoDEkVS0CNvOS1EndVaQ==
Content-Language: en-us
Cc: abfab@ietf.org
Subject: [abfab] Comments on draft-ietf-abfab-aaa-saml-05
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2013 19:26:49 -0000
Josh and Sam, This looks much more like the discussion that we had after the last IETF meeting so I am generally happy. 1. I think inserting a paragraph start at "The name identifier..." will make it clearer which artifacts are designed to be used in ABFAB scenarios and which are designed for more universal usage. 2. In section 2 for the last bullet point in the first list - should this be the subject of an assertion or the subject of a protocol message? I am always very unclear about SAML naming of items. However this confirmation method can be in both a SAML assertion and in a query (i.e. AttributeQuery). 3. In section 5.2 - I am not happy with the single reference to RADSEC as being the required. I would be more happy if the profile required either TLS/UDP or TLS/TCP as required. Either that or TLS/TCP should be recommended. I am worried that without this there might be an issue with people thinking it is restricted to UDP. Note that for longer messages you probably really want to require the TLS/TCP version not the DTLS/UDP version. 4. In section 5.2 - I have probably said this before, I am not really a big fan of the use of language such as "MAY transmit a SAML request". If you don't do the request how can one say that you are acting as a SAML requester. A similar statement is also made for the second item. Just say "returns a SAML protocol message" and then talk about reasons that you might not wish to do so. 5. In section 5.2 - s/responder MAY also return/responder MAY return/ - it might be read as saying you could return two even though that is explicitly forbidden. 6. In section 5.2 - I think we should probably add the following paragraph: SAML responders SHOULD return a RADIUS state attribute as part of the Access-Accept message so that future SAML queries can be run against the same context of an authentication exchange. 7. In section 6 - update the reference for NAI to draft-ietf-radext-nai 8. In section 7.3.3 - I am not sure that the dependence on the abfab document at the end of the section makes sense. For example, why should the EAP method support channel binding in order to return a SAML response? I think that one can restrict the requirements to those in the AuthnRequest and those necessitated by the application (whatever the application). You probably just missed this in the general ABFAB removal. 9. In section 7.4.1 - I think the second paragraph can be removed and placed in section 7.4.2. It is not related to the AuthnRequest but to the Response. 10. In section 7.4.2 - I think we might need to make a statement about returning no subject identifier and the correct interaction with the AllowCreate attribute. If the IdP is not going to return a name, but is just returning a subject conformation that says - the user associated with this conversation - is this to be considered a "new identity" for the user? 11. In section 7.4.2 - I have a problem with the last bullet point. I would be happier if the text looked more like: Other conditions MAY be included as requested by the Relying Party or at the discretion of the Identity Provider. The Identity Provider is not obligated to honor the requested set of conditions in the <samlp:AuthnRequest>, if any. If the Identity Provider does not honor the requested set of conditions is MUST either not return a <samlp:Response> message or return a <samlp:Response> message with an error. 12. In section 9. I think in this case it would be useful to have an informational reference to TEAP about mapping these from an EAP method to the URIs specified. s/artefacts/artifacts/
- [abfab] Comments on draft-ietf-abfab-aaa-saml-05 Jim Schaad
- Re: [abfab] Comments on draft-ietf-abfab-aaa-saml… Josh Howlett
- Re: [abfab] Comments on draft-ietf-abfab-aaa-saml… Cantor, Scott
- Re: [abfab] Comments on draft-ietf-abfab-aaa-saml… Jim Schaad
- Re: [abfab] Comments on draft-ietf-abfab-aaa-saml… Josh Howlett