RE: [dix] Agenda bashing

"Hallam-Baker, Phillip" <pbaker@verisign.com> Thu, 06 July 2006 13:18 UTC

Subject: RE: [dix] Agenda bashing
Date: Thu, 06 Jul 2006 06:18:46 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37BD5F42@MOU1WNEXMB04.vcorp.ad.vrsn.com>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Digital Identity Exchange <dix@ietf.org>

> From: Ben Laurie [mailto:benl@google.com] 

> This seems like a worthy goal, but one that is perhaps 
> orthogonal to other means of authenticating users. Certainly 
> I'd be violently opposed to requiring users to have smartcards.

Violently?

The authentication infrastructure should enable use of any form of authentication mechanism. SAML already supports this. It is clearly an achievable goal that does not place an undue burden on the design.

What we do not need to do is to support selection of selection mechanisms so the user gets a choice of GSSAPI, SAML, WS-*, SASL which in turn give a choice between every imaginable protocol.

We need one way to authenticate via the common authentication mechanisms: Passwords, Two Factor (OTP) Passwords, PKI signature, PKI encryption, Passthrough of biometric data capture.

All of these can be supported in a simple client - relying party - authentication service scheme where the client never talks to the auth server directly. 

I do not think that we need to provide direct support for multiple round trip protocols such as some of the more complex zero knowledge schemes. In those cases the simplest scheme is for the client to talk to the authentication service directly.

It is in any case desirable to have direct contact between the user and the auth-N service in the case of password schemes to prevent certain forms of MIM attack.


_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
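The two topologies the message contrasts, as a constructed toy model added here (not code from the thread or from any DIX/SAML implementation): a relying-party-mediated password check, where the raw secret passes through the RP, beside a direct client-to-auth-service flow, where the RP only receives an audience-bound assertion. The HMAC assertion key, the sample user and the RP names are assumptions for illustration; a real deployment would sign assertions with a key the RPs can only verify.

```python
"""Toy model: mediated password login vs. direct contact with the auth service."""
import hashlib
import hmac
import secrets

# Assumed: auth service's assertion key; shared with RPs here only to keep the toy short.
AUTH_KEY = secrets.token_bytes(32)
# Constructed sample user (password stored hashed; no salt, for brevity).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def auth_service_verify(user, password):
    """Auth service's password check."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, USERS.get(user, ""))


def auth_service_assert(user, password, audience):
    """Direct flow: client proves the password to the auth service itself,
    which issues an assertion bound to exactly one relying party."""
    if not auth_service_verify(user, password):
        return None
    tag = hmac.new(AUTH_KEY, f"{user}|{audience}".encode(), hashlib.sha256).hexdigest()
    return (user, audience, tag)


def rp_verify_assertion(assertion, my_audience):
    """An RP accepts an assertion only if it is intact and addressed to it."""
    user, audience, tag = assertion
    expected = hmac.new(AUTH_KEY, f"{user}|{audience}".encode(), hashlib.sha256).hexdigest()
    return audience == my_audience and hmac.compare_digest(tag, expected)


class RelyingParty:
    def __init__(self, name, honest=True):
        self.name, self.honest, self.captured = name, honest, []

    def mediated_login(self, user, password):
        """Mediated flow: the client never talks to the auth service, so the
        raw password transits the RP, and a rogue RP simply keeps a copy."""
        if not self.honest:
            self.captured.append((user, password))
        return auth_service_verify(user, password)

    def direct_login(self, assertion):
        """Direct flow: the RP sees an assertion, never the password, and an
        assertion minted for another RP is rejected by the audience check."""
        return rp_verify_assertion(assertion, self.name)
```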