Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10

Alejandro Perez Mendez <alex@um.es> Thu, 19 February 2015 14:16 UTC

On 19/02/15 at 10:16, Klaas Wierenga (kwiereng) wrote:
>
>> On 19 Feb 2015, at 09:56, Leif Johansson <leifj@sunet.se> wrote:
>>
>> On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
>>> Hi Sam,
>>>
>>> thanks for the review. See my comments below.
>>>
>>> On 17/02/15 at 23:49, Sam Hartman wrote:
>>>> Section 4:
>>>>
>>>> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
>>>> Current text says recommended.
>>> Whereas version -09 stated once (in section 5.2) that the use of TLS was
>>> REQUIRED, throughout the rest of the text it indicated this support several
>>> times as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just homogenized them
>>> to the prevailing one.
>>>
>>> Nevertheless, I think that making TLS a MUST might be limiting. There
>>> might be some use case scenarios for this profile where using TLS is not
>>> actually required (e.g. other security mechanisms apply). I would see
>>> that kind of requirement more for the ABFAB architecture level than for
>>> this I-D level. Moreover, in the saml-profiles-2.0-os document, the use
>>> of TLS is indicated as RECOMMENDED.
>> Speaking as an individual I don't think there are any sane reasons not
>> to use TLS if you relax the requirements on credentials administration
>> (e.g. run opportunistic TLS). Having said that I think probably RECOMMENDED
>> is strong enough anyway.
> Speaking as another individual, you could go the route that other drafts have taken and say something like:
>
> TLS is REQUIRED unless alternative methods are used to ensure confidentiality like IPSEC tunnels or a sufficiently secure internal network.

That text sounds quite reasonable to me. I was also thinking of
including DTLS as an alternative.

Regards,
Alejandro
>
> Klaas