[abfab] abfab@IETF80 minutes
Klaas Wierenga <klaas@cisco.com> Mon, 04 April 2011 14:14 UTC
Date: Mon, 04 Apr 2011 16:15:38 +0200
From: Klaas Wierenga <klaas@cisco.com>
To: "abfab@ietf.org" <abfab@ietf.org>
Subject: [abfab] abfab@IETF80 minutes
Hi all,

Please find below the abfab session minutes, with thanks to the note takers and jabber scribes!

Klaas & Leif

=====

Abfab WG Minutes
IETF 80
Prague, Czech Republic

Abfab 1: 15.10-16.10 Monday March 28, 2011
Abfab 2: 09.00-11.30 Thursday March 31, 2011

Chairs: Klaas Wierenga <klaas@cisco.com>
        Leif Johansson <leifj@nordu.net>

----------------------------------------
abfab 1 (monday)
----------------------------------------

Note well
Note taker established (Stefan Winter)
Jabber scribe established (Jeffrey Hutzelman)
Agenda approved

ABFAB Architecture draft (Eliot Lear)
-------------------------------------------------
draft-lear-abfab-arch-02

Josh Howlett (Josh) at mic for privacy considerations: most people think of privacy as being on an "ethical level"; Josh thinks along the lines of "keep RP/IdP out of prison" - privacy regulations exist.
User consent is one vehicle for privacy - RPs need some attributes, but not others:
 * user-centric paradigm - let the user disclose everything he wants
 * non-user-centric: third party releases, e.g. IdP
Technology needs to provide enough privacy support to satisfy regulations.

Sean Turner at mic: IESG review comments on security considerations; they need to be spelt out in detail.

Sam Hartman (Sam): on cooperation with kitten: channel bindings in MS are implemented, "kinda cool" - but this is not possible with GSS. kitten and abfab work is required to get similar functionality in (issue is: how to handle not being sure up front whether the other end supports channel binding).

Leif: do we need to recharter if normative text sneaks into the arch document?
Sam suggests an operational/implementation best-practice document. Individual submissions solicited.
Eliot: the text is small though, and informative text can have normative lingo.
Hummed: in favor of the approach (unanimous, overall low participation, to be confirmed on the list).
Leif again solicited individual drafts, for later adoption by the WG.

ABFAB Use-Cases (Rhys Smith)
--------------------------------------------
draft-abfab-usecases-00

Aaron Falk (BBN): the Geni project uses federated identity for access to testbeds. Use case: access to networking resources. Aaron will read the draft to see how it fits in.
Jim Schaad: plug for the plasma BOF. plasma should be building on ABFAB. Use case: distribution of stuff over a mail protocol, but federated access to these is needed.
Show of hands: 2 readers of the draft; needs more input from the community. Leif encourages everybody to read!

Presentation of Project Moonshot (Sam Hartman)
-----------------------------------------------------------------
The Abfab VM was tried out: the proof of concept was shown to work indeed.
Leif: doing UI work is in the charter, work waiting to be done - will discuss in abfab 2.
Sam: SAML is being used differently than usual - leads to an authorization question: need to request attributes on behalf of someone else.
Sam: not ready for production use at all! Play with it only.

----------------------------------------
abfab 2 (thursday)
----------------------------------------

Note well
Note taker established (Linus Nordberg)
Jabber scribe established (Melinda Shore)
Agenda approved

GSS-EAP (Sam Hartman)
--------------------------------------------
- slide "name format":
  Jeffrey Hutzelman (jhutz): there's a bug in the name format - on anonymous: wellknown/ANONYMOUS is used, but sending empty ("") in RADIUS.
  jhutz: make GSS look less like Kerberos.
  Sam: minimizing implementation costs, but this anonymous case probably stretches it.
  jhutz: worth examining the use of empty, but don't forget the anonymous flag.
  Leif: the charter doesn't mention Kerberos.
  Lucy Lynch: abfab is not only about Moonshot. please avoid confusion.
  jhutz: 1. the accessor might not know [acceptor?] due to multiple hops.
  Leif: ask kitten to revisit anonymous for GSS?
  Sam: not yet.
  jhutz: they might take a long time to come up with an answer better than what Sam is saying here and what Kerberos already has.
  Leif: Moonshot does things that don't correspond to anything in the spec?
  Sam Hartman on the subject of name formats: we will do the following:
    1. fix the ABNF to note problems with "anonymous" using a slash when you don't have a host component
    2. specify anon behavior. empty name is the best.
    3. document the realm anonymous name and the implications of it
    4. discuss i18n
- slide "eap method req":
  should we say "always EAP channel binding" or only when mutual authn is being done? no reply.
  Sam: please have an opinion on the list.
  Sam: should I explain it here or? for reasons of time constraints, no.
- "proposed solution":
  strong opinion on names? no response.
- "requirement for MIC":
  [RFC 3961 doesn't have an incremental hash -- the implementer will have to store full state before being able to send it. The client needs memory to hold the complete conversation. Large cookies might be another effect.]
  Jim Schaad: what if I want to carry on a conversation _before_ I've been at an IdP?
  Sam: PLASMA case, the blob shouldn't be a part of the request, perhaps only a hash of the blob.
  Jim: layering problem.
  jhutz: application like IMAP: before SASL, the GSS server says "mech support here", then some roundtrips; if IMAP + STARTTLS and then you want to authn again, you'd have to renegotiate.
  Leif: PLASMA is an important use case but we need to finish this. please repeat the three options.
  Sam on the options for MIC:
    - opt 1. integrity protect each token, f.ex. the flags token
    - opt 2. signon a hash function, EAP+<3961-enctype>+<hashfunc>
    - opt 3. use large tokens
    - opt 4. don't integrity protect large thingies (bad option!)
  Sam: the maximum complexity for opt 1 might be substantial.
  Luke: opt 5. would be to revise 3961; and couldn't we put this in GSS channel binding?
  Sam: need help from someone who understands RADIUS VSAs, and 2. how do I register an entry with IANA.
  - Hannes Tschofenig will help Sam with RADIUS VSAs and how to register with IANA.

RADIUS attrib for SAML (Josh Howlett)
--------------------------------------------
- PLASMA is going with either WS-Trust or abfab.
Josh: Jim, do you use SAML for your "PDPs"?
Jim: this isn't relevant for the conversation between client and service.
Leif: the IdP can combine them.
Scott Cantor: more than one assertion in a response.
Luke Howard: standard RADIUS AVP?
Josh: yes.

Diameter attributes for SAML (Mark Jones)
--------------------------------------------
- extending Diameter EAP with new AVPs
- DER: SAML-AuthnRequest AVP
- DEA: SAML-AuthnResponse AVP, SAML-Assertion AVP
Josh: the difference to RADIUS is that you define attributes for specific SAML attribs while we have a generic attrib. reason?
Hannes: easier to read, no real semantic difference.
Josh: makes sense. we would put it in a AAA binding document; glad for guidance from SAML people.
Scott: re SAML binding, we said only request/response because the binding wasn't supposed to be a protocol.
Josh: if "we" took the same position, we're running out of RADIUS attr space (not considering the extended attrib proposal).
Sam: hop-by-hop transport layer security?
Hannes: TLS and IPsec.
Scott: an analogy: in HTTP we have explicit routing thanks to URLs.
Mark: a proxy should be able to pass along without understanding the payload.
Josh: since SAML2 was standardized in 2005 there has been only one new protocol defined.
Scott: new protocols are not a big deal.
Leif (as individual): you will need attribute query.
Sam: I think we should use a single AVP unless there are needs for more.
Mark: if we return EAP success...
Sam: in RADIUS we don't have critical restrictions on success, and if we need it, let's do it together for RADIUS and Diameter.
Leif calls for hums:
  1. more or less in the right direction?
  2. adopt as a WG document?
Sam: what if we want to say 1 attrib rather than 2, how do I hum on number 1?
Leif: adoption means that change control goes to the WG.
Melinda Shore: is this a showstopper for anyone? no replies.
Leif: do you want to decide "this" (one or several AVPs for Diameter) before humming on adoption? result: no.
Leif: humming on adoption. result: yes, the WG should adopt.
Action: confirm adoption of draft-jones-diameter-abfab as a WG document as draft-ietf-abfab-diameter, with Mark Jones and Hannes Tschofenig as document editors, on the list.

KNP - Key Negotiation Protocol (Josh Howlett)
--------------------------------------------
Eliot Lear: flat files lying around?
Josh: yes, and that's an administrative problem.
Dave Crocker: how can TLS be not hop-by-hop? conclusion: _trust_ is no longer path-based [?]
Sam: the routing has similar properties as BGP, but unlike DNS each hop may have policy and do filtering.
Sam: you shouldn't have to run your own introducer if you're too small.
Jim: is this really abfab? how does the trusted router fit in the charter?
[Josh: you _could_ have introducers w/o trust routers but it doesn't buy you much.]
Leif: this is an invited presentation and not a question of adoption. this is partially a problem statement document and I suggest splitting the document in two parts.
Mark: s/radius/radius or diameter/g.
Josh: ack.
Mark: introducer == broker?
Josh: yes.
Eliot: useful and interesting presentation; we need ways to deal with larger and higher numbers of federations.

NFSv4 (Andy Adamson)
--------------------------------------------
- Won't happen since Andy isn't in the room and also we're running out of time.

Milestones update
--------------------------------------------
Leif:
- EMSK will possibly be removed since it is not used
- EAP applicability is getting done by Joe Salowey and Stefan Winter
- still lacking the UI usability doc. question: anyone done anything re this?
Rhys: Janet has some work on UI going on within Moonshot; they will write an IETF document and Rhys will co-edit it.
Leif stares at Bob.
Bob Morgan: I can be persuaded to work with Rhys on this because of Kantara ULX involvement.
Leif: will the documents slip? silence means no. result: silence.
Rhys: August might be tough.
Josh: no, that's fine. [:-)]

OID registry (Rhys Smith)
--------------------------------------------
- got an OID from IANA: 1.3.6.1.5.5.15
jhutz: why reimplement?
Sam: backwards incompatible changes. making gss-eap in the next version.
- Rhys asks implementers to let him know when OIDs under the abfab arc are used.

Closing
-------
The chairs close the meeting.