[abfab] Comments on draft-ietf-abfab-usability-ui-considerations-02
Mark Donnelly <mark@painless-security.com> Tue, 21 July 2015 16:38 UTC
Return-Path: <mark@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 6934C1B2FCE
for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 09:38:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5
tests=[BAYES_20=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dcx5tMFMUwOq for <abfab@ietfa.amsl.com>;
Tue, 21 Jul 2015 09:38:05 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com
[23.30.188.241])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 3DE041B2F9B
for <abfab@ietf.org>; Tue, 21 Jul 2015 09:38:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mail.painless-security.com (Postfix) with ESMTP id 4D9F420758
for <abfab@ietf.org>; Tue, 21 Jul 2015 12:37:41 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1])
by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id KTCHzzoCrFbW for <abfab@ietf.org>;
Tue, 21 Jul 2015 12:37:40 -0400 (EDT)
Received: from [31.133.137.132] (dhcp-8984.meeting.ietf.org [31.133.137.132])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
bits)) (Client did not present a certificate)
(Authenticated sender: mark@mail.suchdamage.org)
by mail.painless-security.com (Postfix) with ESMTPSA
for <abfab@ietf.org>; Tue, 21 Jul 2015 12:37:40 -0400 (EDT)
To: abfab@ietf.org
From: Mark Donnelly <mark@painless-security.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <55AE7563.8080505@painless-security.com>
Date: Tue, 21 Jul 2015 18:37:55 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101
Thunderbird/38.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/l85ynlZMDaS0afI7f4lFICy4IvE>
Subject: [abfab] Comments on draft-ietf-abfab-usability-ui-considerations-02
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging,
Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>,
<mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>,
<mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 16:38:07 -0000
Hey all:
My comments on draft-ietf-abfab-usability-ui-considerations-02 follow below.
Cheers,
--Mark
Section 3:
* The paragraph on identity says:
----------------------------------------------------------------
Note that in
other contexts the usual use of "identity" would match our use of
"user", whereas the usual use of "identifier" matches our use of
identity
----------------------------------------------------------------
If other contexts use the terms differently than this document, why
not match those contexts? Wouldn't that be less confusing?
* Trust Anchor
+ This isn't a complete sentence:
----------------------------------------------------------------
Typically a commercial CA to allow authentication via chain of
trust, or a preconfigured non-commercial certificate (e.g.
self-signed).
----------------------------------------------------------------
+ Does the identity selector deal with trust anchors for services
at all? If so, then this should be addressed in section 6.1,
where no mention is made of storing the service's trust
identity.
Section 4:
* another downside of using the OS credentials for identity is that
precludes the idea of authenticating oneself to the OS using ABFAB.
Section 5.1:
* The second paragraph reads:
--------------------------------------------------------------------
Implementers may wish to keep such abstract
concepts, or may wish to examine attempts to map to real world
paradigms, e.g. the idea of using "Identity Cards" that are held
in the user's "Wallet", as used by Microsoft Cardspace.
--------------------------------------------------------------------
The first half of that sentence seems to be missing a word, such
as, "... keep such abstract concepts *hidden*..."
Section 5.3: Why does this section belong under section 5?
Section 6.1:
* The explanation of why the identity selector MUST NOT store
different identities that use the same NAI doesn't make a lot of
sense to me. I agree that duplicating the data would be bad in a
data-normalization sense, but I don't see why you're saying that it
would be dysfunctional as an IETF consideration.
* "Credential" is defined here, but probably deserves an entry in
section 3's terminology list.
* Further, I think that saying, "the identity selector SHOULD store
the credential" isn't descriptive of what we want to happen. A
better phrasing would be that, "the identity selector SHOULD allow
a user to store the credential. However, it MUST NOT store the
credentials without confirmation from the user."
* The trust identity that the selector stores is that of the Identity
Provider, right? This isn't at all clear from this definition.
Section 6.2:
* Why is secure storage a SHOULD instead of a MUST? I'd be happy to
declare that selectors with world-readable storage are not
following this standard.
* Also, you might want to mention the Windows Credentials Manager.
Section 6.3:
* Maybe call the process of putting a new ID in the selector
"assertion"? (feel free to ignore this one if you don't like it)
Section 6.3.2:
* Why force users to enter an NAI into a website before downloading a
trust anchor? Why not give an option of downloading a trust anchor
without any user information, and having the identity selector
prompt the user for all missing bits of required information at
import time? This would prevent people who are eavesdropping on
the website from learning user identities.
Section 6.4.1:
* The document should list restrictions on modification of trust
anchors. For instance, manual modification of a trust anchor
probably doesn't make any sense. Semi-automated (re-do a leap of
faith or something of the sort) modification of it might make
sense, but needs to warn the user that their basis for trusting the
system is changing. Enterprise change pushes probably don't need
any notifications.
Section 6.5:
* Wouldn't it be possible for the desktop to attempt a validation of
the password? For instance, could there be a standard service -
say, "identitymanager" - put in place for every client
installation. Then a user could attempt to authenticate to it, and
determine if the password is incorrect. Heck, maybe that service
could be the process that writes the credential to the permanent
store.
Section 7.1.1, point 1: Doesn't this point contradict section 7.1?
Section 7.1.2:
* The implication here is that rules based association exists solely
for enterprise-provisioned identities. Why would that be
restricted?
* Also, this is missing a period at the end of the sentence.
Section 7.2:
* What kind of authentication failure causes my local client to
dissociate?
Section 7.5:
* The identity selector could:
+ Display OS notifications (Windows system tray, Mac growler, Gnome
notifications) when an identity is used - especially when the
identity is used without any user prompt.
+ Keep a history of identity / service usage to display in the
identity selector application windows
* Could a list of open identity / service mappings be maintained?
Could it be added to during GSS_INIT_SEC_CONTEXT,
GSS_ACCEPT_SEC_CONTEXT, or GSS_IMPORT_SEC_CONTEXT, and removed
whenever the context goes away, either at expiration or as part of
GSS_DELETE_SEC_CONTEXT or GSS_EXPORT_SEC_CONTEXT? This would at
least provide a user with a short list.
Conceptual:
* The trust anchors belong to the IDP realms, right? Wouldn't it make
sense to have two identities within the same realm share a trust
anchor? The document details service to identity mappings, but
identity to trust anchor mappings might merit attention too.
* One of the problems with error handling is that applications have the
responsibility to handle errors, but not all of them do this well.
Would it make sense to hook into GSS_INIT_SEC_CONTEXT and the like,
and record any errors, so that the identity selector can maintain a
list of recently encountered errors? This could be correlated with
the services and identities to show the error log for this service or
this service/identity combination.
- This does get outside of the idea of an "identity selector",
however.
- [abfab] Comments on draft-ietf-abfab-usability-ui… Mark Donnelly
- Re: [abfab] Comments on draft-ietf-abfab-usabilit… Sam Hartman