Re: [Gen-art] Gen-ART LC review of draft-ietf-abfab-aaa-saml-12
Alejandro Pérez Méndez <alex@um.es> Thu, 10 December 2015 07:32 UTC
Return-Path: <alex@um.es>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 114391A0025; Wed, 9 Dec 2015 23:32:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WwUPlvTqve8Y; Wed, 9 Dec 2015 23:32:09 -0800 (PST)
Received: from xenon24.um.es (xenon24.um.es [155.54.212.164]) by ietfa.amsl.com (Postfix) with ESMTP id 0C4251A000D; Wed, 9 Dec 2015 23:32:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon24.um.es (Postfix) with ESMTP id A41EC63FE; Thu, 10 Dec 2015 08:32:07 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon24.um.es
Received: from xenon24.um.es ([127.0.0.1]) by localhost (xenon24.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id HvThTCfru67l; Thu, 10 Dec 2015 08:32:07 +0100 (CET)
Received: from [192.168.1.5] (79.109.150.87.dyn.user.ono.com [79.109.150.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon24.um.es (Postfix) with ESMTPSA id B4F7822BC; Thu, 10 Dec 2015 08:32:03 +0100 (CET)
To: Roni Even <ron.even.tlv@gmail.com>, draft-ietf-abfab-aaa-saml.all@tools.ietf.org
References: <06b101d12dd7$423eb740$c6bc25c0$@gmail.com>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <56692A72.1050403@um.es>
Date: Thu, 10 Dec 2015 08:32:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <06b101d12dd7$423eb740$c6bc25c0$@gmail.com>
Content-Type: multipart/alternative; boundary="------------040905020608060007000303"
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/MsXVEIj3gKe_u2wawNk5TSDfouQ>
Cc: gen-art@ietf.org, ietf@ietf.org
Subject: Re: [Gen-art] Gen-ART LC review of draft-ietf-abfab-aaa-saml-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 07:32:13 -0000
Dear Roni and chairs of the ABFAB WG, thank you for the revision. Please, see my responses inline (specially the one related to point #2) El 03/12/15 a las 15:31, Roni Even escribió: > > I am the assigned Gen-ART reviewer for this draft. For background on > Gen-ART, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Please resolve these comments along with any other Last Call comments > you may receive. > > Document: draft-ietf-abfab-aaa-saml-12 > > Reviewer: Roni Even > > Review Date:2015–12-3 > > IETF LC End Date: 2015–12-4 > > IESG Telechat date: > > Summary: This draft is almost ready for publication as an > Informational RFC. > > Major issues: > > Minor issues: > > 1.Why is the RADIUSNasIpAddress a string and not as specified in for > example in RFC2865 > The RADIUSNasIpAddress is a SAML metadata element, thus it has to comply with existing SAML types. The string type allows to encode the "display" value of these RADIUS attributes (e.g. "192.168.1.1", or "::1"). Note that current text specifies that the element contains an acceptable value for RADIUS NAS-IP-Address or RADIUS NAS-IPv6-Address attributes, so no arbitrary values are accepted nonetheless. > 2.In general I was wondering why this is an Informational document. It > defines procedures and has normative language. > That sounds like kind of an unfortunate bug. For some reason, it changed from Standards Track to Informational between versions -00 and -01. However, we want it standards-track with a normative downreference to radsec. Can it be done at this moment or does it require a more complex process? > 3.In the IANA consideration in section 11.1, as far as I understand > the IANA attribute type registry you need to ask for values for TBD1 > and TBD2 from the unassigned space (and not the reserved space) > I agree. I cannot find where we state otherwise, though. Could you point the specific text where we say it? > 4.In step 2 of figure 7 (section 7.2) the text says “In step 2, the > Relying Party may optionally issue a <samlp:AuthnRequest> message to > be delivered to the Identity Provider using the SAML-Protocol RADIUS > attribute.” My reading is that the rest of the steps are when this > message is sent, since it is “may” what happens if the message is not > sent? > If the <AuthnRequest> is not sent, the procedure follows the "unsolicited response" (explained in 7.4.4), where the IdP deliveres a <samlp:Assertion> element. I agree that step 4 needs to include this clarification. The new text should read as: 4. Identity Provider issues <samlp:Response> to Relying Party (Section 7.3.4). In step 4, the Identity Provider issues a <samlp:Response> message to the Relying Party using the SAML RADIUS binding. The response either indicates an error or includes a SAML Authentication Statement in exactly one SAML Assertion. If the RP did not send an <samlp:AuthnRequest>, the IdP issues an unsolicited <samlp:Assertion>, as described in section 7.4.4. > Nits/editorial comments: > > 1. In section 1 please expand ABFAB > Ok > 1. > > > 2. In section 7.2, the text says “To implement this scenario, a > profile of the SAML Authentication Request protocol is used in > conjunction with the SAML RADIUS binding defined in Section 4.” I > think that the language should be more normative maybe it should > say “To implement this scenario, this profile of the SAML > Authentication Request protocol MUST Be (or SHOULD if there are > other options) used in conjunction with the SAML RADIUS binding > defined in Section 4.” > Agree. I think "MUST be" is the one to be used. Best regards, Alejandro
- [Gen-art] Gen-ART LC review of draft-ietf-abfab-a… Roni Even
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Alejandro Pérez Méndez
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Stephen Farrell
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Scott Bradner
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Klaas Wierenga (kwiereng)
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Klaas Wierenga (kwiereng)
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Stephen Farrell
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Sam Hartman
- Re: [Gen-art] Gen-ART LC review of draft-ietf-abf… Stephen Farrell