IETF Logo Mail Archive

[abfab] draft-ietf-abfab-arch-03.txt

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Thu, 16 August 2012 07:09 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F3E21F863C for <abfab@ietfa.amsl.com>; Thu, 16 Aug 2012 00:09:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.607
X-Spam-Level:
X-Spam-Status: No, score=-102.607 tagged_above=-999 required=5 tests=[AWL=-0.008, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqBTvCNeR5Sh for <abfab@ietfa.amsl.com>; Thu, 16 Aug 2012 00:09:02 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 57EC921F8608 for <abfab@ietf.org>; Thu, 16 Aug 2012 00:09:02 -0700 (PDT)
Received: (qmail invoked by alias); 16 Aug 2012 07:09:00 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [192.168.100.105]) [88.115.216.191] by mail.gmx.net (mp017) with SMTP; 16 Aug 2012 09:09:00 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/hsZMv26bhiX3ewDEw2OIjmXOD1euO7VaR6zuQV2 MTO2dNYtRnFVhe
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 16 Aug 2012 10:09:00 +0300
Message-Id: <ADD81DB2-482C-4EAE-BEE1-897D9E251836@gmx.net>
To: Jim Schaad <ietf@augustcellars.com>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: abfab@ietf.org
Subject: [abfab] draft-ietf-abfab-arch-03.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2012 07:09:04 -0000

Hi Jim, 

you have shipped an update of the ABFAB architecture draft for the Vancouver IETF meeting and I have only now had a chance to review the changes. Overall, I have to say "Great work." 

I only have a few minor text suggestions: 


   Federated access management has evolved over the last decade through
   such standards as SAML [OASIS.saml-core-2.0-os], OpenID [1], OAuth
   [RFC5849], [I-D.ietf-oauth-v2] and WS-Trust [WS-TRUST]. 
   
   s/such standards as/specifications like 
   
   
   
   Privacy:

      Often a Relying Party does not need to know the identity of a
      Subject to reach an access management decision.  It is frequently
      only necessary for the Relying Party know specific attributes
      about the subject, for example, that the Subject is affiliated
      with a particular organisation or has a certain role or
      entitlement.  Sometimes the RP does not need to know the identity
      of the Subject, but does require a unique identifier for the
      Subject (for example, so that it can recognise the Subject
      subsequently); in this case, it is a common practise for the IdP
      to only release a pseudonym that is specific to that particular
      Relying Party.  Federated access management therefore provides
      various strategies for protecting the Subject's privacy.  Other
      privacy aspects typically of concern are the policy for releasing
      personal data about the Subject from the IdP to the RP, the
      purpose of the usage, the retention period of the data, and many
      more.
      
This paragraph needs to be re-written to something like:

   Data Minimization and User Participation: 
   
      Often a Relying Party does not need to know the identity of a
      Subject to reach an access management decision.  It is frequently
      only necessary for the Relying Party know specific attributes
      about the subject, for example, that the Subject is affiliated
      with a particular organisation or has a certain role or
      entitlement. Sometimes the RP only needs to know a pseudonym 
      of the Subject. 
      
      Prior to the transfer of attributes from the IdP to the RP the 
      consent of the Subject is often explicitly obtained. Along with the 
      transfer of attributes usage constraints and retention policies 
      are enforced by the IdP. 
      
   
1.1.  Terminology

   This document uses identity management and privacy terminology from
   [I-D.iab-privacy-terminology].  In particular, this document uses the
   terms identity provider, relying party, (data) subject, identifier,
   pseudonymity, unlinkability, and anonymity.   
   
   
Please replace the reference to [I-D.iab-privacy-terminology] with a reference to http://tools.ietf.org/html/draft-iab-privacy-considerations since we merged the terminology with the main privacy consideration document. 

We also do not use the term (data) subject anymore but rather individual. I am not sure whether it is worthwhile to change it from subject to individual. 


Section 1.1 lists a table but the table has no title. Why is the 'SASL' row completely empty?
Does SASL, EAP and the GSS-API actually fit in a meaningful way in that table since those are 
all two-party protocols?  

I believe the RADIUS row is wrong. It currently says:

"
   +----------+------------+-------------------+-----------------------+
   | Protocol | Subject    | Relying Party     | Identity Provider     |
   +----------+------------+-------------------+-----------------------+
   | RADIUS   | client     | NAS               | RADIUS server         |
"

but it should say:

"

   +----------+------------+-------------------+-----------------------+
   | Protocol | Subject    | Relying Party     | Identity Provider     |
   +----------+------------+-------------------+-----------------------+
   | RADIUS   | user       | NAS or            | (RADIUS) server       |
   |          |            | (RADIUS) client   |                       |
"

For EAP I would delete the term 'EAP client' since it isn't really defined in the EAP spec (although it is used twice).
EAP client isn't used in this draft. 

Section 1.2:

   Some deployments demand the deployment of sophisticated technical
   infrastructure, including message routing intermediaries, to offer
   the required technical functionality.  In other deployments fewer
   technical components are needed.
   
   
The first sentence sounds a bit strange. Maybe it is better to use

   Some deployments demand the usage of sophisticated technical
   infrastructure, including message routing intermediaries, to offer
   the required technical functionality.  In other deployments fewer
   technical components are needed.
   
   
A note about this sentence: 

   Figure 1 also shows the relationship between the IdP and the Subject.
   Often a real world entity is associated with the Subject; for
   example, a person or some software.
   
At least in the way we have current defined the individual (instead of subject) says:

   $ Individual:   A natural person.
   
The previous definition for subject wasn't different. As such, we don't need to explain that it may be a person and it cannot be software. 

   This relationship would typically involve the IdP
   positively identifying and credentialing the Subject (for example, at
   time of enrollment in the context of employment within an
   organisation).
   
NIST SP 800-63 calls this initial phase identity proofing. Should we re-use that terminology?


   This is sometimes described as the Level of Assurance.
   
Should we reference here NIST SP 800-63 as well since they came up with this concept. 




   Federation does not imposes requirement of an a priori relationship
   or a long-term relationship between the RP and the Subject.
   
   
s/imposes requirement/impose requirements

   Finally, it is important to reiterate that in some scenarios there
   might indeed be a human behind the device denoted as Client and in
   other cases there is no human involved in the actual protocol
   execution.


Hmmm. Wasn't the term for the human subject (or now individual)?


1.3.  Challenges to Contemporary Federation

Shouldn't we write: "Challenges for ..."
Not sure. 

Section 1.4:


   1.   Principal provides an NAI to Application: The client application
        is configured with an NAI.  The provided name contains, at a
        minimum, the realm of an NAI.  The realm represents the IdP to
        be discovered.
        
Here I believe we are talking about EAP, right? The NAI is an EAP/AAA concept. 
So, for example when you give your credentials to the network access application you are in fact provisioning a specific EAP method. 

Section 1.5:

   o  Each party of a transaction will be authenticated, and the client
      will be authorized for access to a specific resource.
      
I believe we have mutual authentication between the EAP peer and the EAP server; we may have mutual authentication between the AAA server and the AAA client. We don't really have the authentication of the Subject to the RP (since the Subject may be anonymous towards the RP). We also do not have a classical authentication of the RP to the Subject/App since the only guarantee we get is the channel binding mechanism (which may not be present, right?)


   o  Hence, the architecture requires no sharing of long term private
      keys.


I believe we should be more specific here: No sharing of the Subject's <-> IdP long term key with the RP. 

Section 2: 


   Other alternatives exist as well and may
   be considered later, such as "TLS using EAP Authentication"
   [I-D.nir-tls-eap].[anchor9]
   
Maybe we remove the [anchor9] thing. 

Section 2.1:

   Communications between the Relying Part and the Identity Provider is
   done by the federation substrate. 

s/Relying Part/Relying Party

   o  Determining the Rules governing the relationship.
   
s/Rules/rules 

   o  Conveying packets between the RP and IdP.
   
s/packets/signaling messages


   o  Providing the means of establishing a trust relationship between
      the RP and the client.   	
      
In the text below it adds:

   The ABFAB protocol
   itself details the method of establishing the trust relationship
   between the RP and the client.
   
I am not sure what this is talking about. Is this trying to hint to the channel binding?

Section 2.1.1:

   The existence
   of these protocols allows us to re-use a pair of existing protocols
   that have been widely deployed and are reasonable well understood.
   
s/reasonable/resonably

   A key
   difference is that today RADIUS is largely transported upon UDP, and
   its use is largely, though not exclusively, intra-domain.  Diameter
   itself was designed to scale to broader uses. 
   
I would rephrase this as:

"
   RADIUS and Diameter are deployed in different environments. RADIUS can often be found in 
   enterprise and university networks, and is also in use by fixed network operators. Diameter, on the other 
   hand, is deployed by mobile operators. 
"

   The
   protocol defines all the necessary new AAA attributes as RADIUS
   attributes, this allows for the same structures and attributes to be
   used in both RADIUS and Diameter.    

Actually, it is not so easy and for that reason there is a separate RADIUS document and 
one for Diameter. So, I would delete this sentence and maybe put references to the drafts. 

Section 2.1.2:

   ABFAB has not formally defined any part of discovery at this point.
   The process of specifying and evaluating the business rules and
   technical policies is too complex to provide a simple framework.
   There is not currently a way to know if a AAA proxy is able to
   communicate with a specific IdP, although this may change with some
   of the routing protocols that are being considered.  At the present
   time, the discovery process is going to be a manual configuration
   process.
   
   
Would it make sense to write this paragrah as follows since the work will progress but this document, once published as an RFC will remain unchanged:

   At the time of writing the discovery process is going to be a manual configuration
   process. Proposals for supporting such a dynamic discovery procedure exist, see [I-D.mrw-abfab-trust-router], 
   and allow an RP to know if a AAA proxy is able to communicate with a specific IdP.     
   
2.1.4.  SAML Assertions

 The new
   profile can be found in RFCXXXX [I-D.ietf-abfab-aaa-saml].
   
--> and in the corresponding Diameter document. 


Throughout this section use s/Assertions/assertions

Section 2.2: 
      
   ABFAB has defined
   and specified a new channel binding mechanism that operates as an EAP
   method for the purpose of agreeing on the identity of the RP.
 
I would write: 

   A new channel binding mechanism that operates as an EAP
   method for the purpose of agreeing on the identity of the RP has been 
   specified in [TBD: whatever that document is].
   
   
Section 2.2.2: 

   A general overview of the problem can be found in
   [I-D.hartman-emu-mutual-crypto-bind].
   The recommended way to deal with channel binding can be found in RFC
   XXXX [I-D.ietf-emu-chbind].
   
I would write: 

   A general overview of the channel binding problem can be found in
   RFC 6677. 
   
   
[I have to continue with the GSS related content later.] 

Ciao
Hannes

v2.23.0 | Report a Bug | By Email