Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10

"Jim Schaad" <ietf@augustcellars.com> Thu, 19 February 2015 19:16 UTC

From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Alejandro Perez Mendez'" <alex@um.es>, <abfab@ietf.org>
References: <tsloaosrw4v.fsf@mit.edu> <54E59831.10108@um.es> <54E5A557.3090603@sunet.se> <B1F69288-3FCF-43F0-A0B9-946F5557875D@cisco.com> <54E5F038.1080800@um.es>
In-Reply-To: <54E5F038.1080800@um.es>
Date: Thu, 19 Feb 2015 11:15:44 -0800
Message-ID: <021701d04c78$75eeb8b0$61cc2a10$@augustcellars.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/jLDIk9kKxuDGbORF3NkPGpaosSU>
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10


> -----Original Message-----
> From: abfab [mailto:abfab-bounces@ietf.org] On Behalf Of Alejandro Perez Mendez
> Sent: Thursday, February 19, 2015 6:16 AM
> To: abfab@ietf.org
> Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
> 
> 
> El 19/02/15 a las 10:16, Klaas Wierenga (kwiereng) escribió:
> >
> >> On 19 Feb 2015, at 09:56, Leif Johansson <leifj@sunet.se> wrote:
> >>
> >> On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
> >>> Hi Sam,
> >>>
> >>> thanks for the review. See my comments below.
> >>>
> >>> El 17/02/15 a las 23:49, Sam Hartman escribió:
> >>>> Section 4:
> >>>>
> >>>> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
> >>>> Current text says recommended.
> >>> Whereas version -09 stated once (in section 5.2) that the use of TLS
> >>> was REQUIRED, along the rest of text it indicated several times this
> >>> support as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just
> >>> homogenized them to the prevailing one.
> >>>
> >>> Nevertheless, I think that making TLS a MUST might be limiting.
> >>> There might be some use case scenarios for this profile where using
> >>> TLS is not actually required (e.g. other security mechanisms apply).
> >>> I would see that kind of requirement more for the ABFAB architecture
> >>> level than for this I-D level. Moreover, in the saml-profiles-2.0-os
> >>> document, the use of TLS is indicated as RECOMMENDED.
> >> Speaking as an individual I don't think there are any sane reasons
> >> not to use TLS if you relax the requirements on credentials
> >> administration (e.g. run opportunistic TLS). Having said that, I think
> >> probably RECOMMENDED is strong enough anyway.
> > Speaking as another individual, you could go the route that other drafts
> > have taken and say something like:
> >
> > TLS is REQUIRED unless alternative methods are used to ensure
> > confidentiality like IPSEC tunnels or a sufficiently secure internal
> > network.
> 
> That text sounds quite reasonable to me. I was also thinking of including
> DTLS as an alternative.

In my mind DTLS would be acceptable if one says TLS is required.  They are
the same basic mechanism in my mind.  However, the use of DTLS in this
scenario is going to be somewhat problematic as it would lead to even more
fragmenting.  The big reason for using TLS/IP rather than DTLS is the
upcoming support for large packets.

Not clear that the large packet draft is written to allow it to be used in a
non-TLS situation.  Probably need to verify that it is if we want to include
things like IPsec as options.

Jim

> 
> Regards,
> Alejandro
> >
> > Klaas
> >
> >
> > _______________________________________________
> > abfab mailing list
> > abfab@ietf.org
> > https://www.ietf.org/mailman/listinfo/abfab