[abfab] draft-ietf-abfab-usability-considerations review

Sam Hartman <hartmans@painless-security.com> Tue, 21 July 2015 11:06 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7151A00A8 for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 04:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3F-pRpU9yVM for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 04:06:11 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85C491A009F for <abfab@ietf.org>; Tue, 21 Jul 2015 04:06:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id EC77C2074F for <abfab@ietf.org>; Tue, 21 Jul 2015 07:05:47 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4D8zOksXbOin for <abfab@ietf.org>; Tue, 21 Jul 2015 07:05:47 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-9886.meeting.ietf.org [31.133.152.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS for <abfab@ietf.org>; Tue, 21 Jul 2015 07:05:47 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 21CD482120; Tue, 21 Jul 2015 07:06:08 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Tue, 21 Jul 2015 07:06:08 -0400
Message-ID: <tslbnf522jj.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/ewpI1KqDWfNhxsu7Myj34vXTZGw>
Subject: [abfab] draft-ietf-abfab-usability-considerations review
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 11:06:13 -0000

Section 3 and 6.
Trust anchor is described as either being the trust anchor for a service
or identity provider.
In section 6 the document talks about trust anchors for servers.
IN the scope of this document we only care about trust anchors for
identity provider.
I recommend narrowing the definition in section 3 and using more
specific terminology in section 6.

Section 6.1
The biggest reason we don't want to store multiple identities with a the
same NAI is that by passing in a NAI to gss_acquire_creds the
application can force the choice of a given NAI.

Section 8:

Section 8 implies that the identity selector will be in a position to
decide what errors to present to the user.
I don't think that's very likely to be true.
The GSS application is likely to decide what errors to present to the
user.

The identity selector is in a position to decide what if any automated
actions to take based on the error.


Section 8/9 should discuss the success but useless case.
That is, I am successfully authenticated and an app layer connection is
accepted, but I don't have the permissions I need.
Think about the case where I was hoping to be a moonshot management
portal admin, but end up being a random user.  I was hoping to create an
organisation but all I can do is create communities.
I'm not sure if it is an error or a success.

I think section 8 and 9 could also do a better job of clarifying what it
means for errors to be reported at different layers.  For example in
SASL, authorization failures will probably not come back as a GSS error,
but instead either as a dropped connection or as an app-level error.

--Sam