Re: [Gen-art] Gen-ART LC review of draft-ietf-abfab-aaa-saml-12

Alejandro Pérez Méndez <alex@um.es> Thu, 10 December 2015 07:32 UTC

Return-Path: <alex@um.es>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 114391A0025; Wed, 9 Dec 2015 23:32:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WwUPlvTqve8Y; Wed, 9 Dec 2015 23:32:09 -0800 (PST)
Received: from xenon24.um.es (xenon24.um.es [155.54.212.164]) by ietfa.amsl.com (Postfix) with ESMTP id 0C4251A000D; Wed, 9 Dec 2015 23:32:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon24.um.es (Postfix) with ESMTP id A41EC63FE; Thu, 10 Dec 2015 08:32:07 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon24.um.es
Received: from xenon24.um.es ([127.0.0.1]) by localhost (xenon24.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id HvThTCfru67l; Thu, 10 Dec 2015 08:32:07 +0100 (CET)
Received: from [192.168.1.5] (79.109.150.87.dyn.user.ono.com [79.109.150.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon24.um.es (Postfix) with ESMTPSA id B4F7822BC; Thu, 10 Dec 2015 08:32:03 +0100 (CET)
To: Roni Even <ron.even.tlv@gmail.com>, draft-ietf-abfab-aaa-saml.all@tools.ietf.org
References: <06b101d12dd7$423eb740$c6bc25c0$@gmail.com>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <56692A72.1050403@um.es>
Date: Thu, 10 Dec 2015 08:32:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <06b101d12dd7$423eb740$c6bc25c0$@gmail.com>
Content-Type: multipart/alternative; boundary="------------040905020608060007000303"
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/MsXVEIj3gKe_u2wawNk5TSDfouQ>
Cc: gen-art@ietf.org, ietf@ietf.org
Subject: Re: [Gen-art] Gen-ART LC review of draft-ietf-abfab-aaa-saml-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 07:32:13 -0000

Dear Roni and chairs of the ABFAB WG,

thank you for the revision. Please, see my responses inline (specially 
the one related to point #2)

El 03/12/15 a las 15:31, Roni Even escribió:
>
> I am the assigned Gen-ART reviewer for this draft. For background on 
> Gen-ART, please see the FAQ at 
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please resolve these comments along with any other Last Call comments 
> you may receive.
>
> Document: draft-ietf-abfab-aaa-saml-12
>
> Reviewer: Roni Even
>
> Review Date:2015–12-3
>
> IETF LC End Date: 2015–12-4
>
> IESG Telechat date:
>
> Summary: This draft is almost ready for publication as an 
> Informational RFC.
>
> Major issues:
>
> Minor issues:
>
> 1.Why is the RADIUSNasIpAddress a string and not as specified in for 
> example in RFC2865
>

The RADIUSNasIpAddress is a SAML metadata element, thus it has to comply 
with existing SAML types. The string type allows to encode the "display" 
value of these RADIUS attributes (e.g. "192.168.1.1", or "::1"). Note 
that current text specifies that the element contains an acceptable 
value for RADIUS NAS-IP-Address or RADIUS NAS-IPv6-Address attributes, 
so no arbitrary values are accepted nonetheless.

> 2.In general I was wondering why this is an Informational document. It 
> defines procedures and has normative language.
>

That sounds like kind of an unfortunate bug. For some reason, it changed 
from Standards Track to Informational between versions -00 and -01.
However, we want it standards-track with a normative downreference to 
radsec. Can it be done at this moment or does it require a more complex 
process?

> 3.In the IANA consideration in section 11.1, as far as I understand 
> the IANA attribute type registry you need to ask for values for TBD1 
> and TBD2 from the unassigned space (and not the reserved space)
>

I agree. I cannot find where we state otherwise, though. Could you point 
the specific text where we say it?

> 4.In step 2 of figure 7 (section 7.2) the text says “In step 2, the 
> Relying Party may optionally issue a <samlp:AuthnRequest> message to 
> be delivered to the Identity Provider using the SAML-Protocol RADIUS 
> attribute.”  My reading is that the rest of the steps are when this 
> message is sent, since it is  “may” what happens if the message is not 
> sent?
>

If the <AuthnRequest> is not sent, the procedure follows the 
"unsolicited response" (explained in 7.4.4), where the IdP deliveres a 
<samlp:Assertion> element. I agree that step 4 needs to include this 
clarification. The new text should read as:


4.  Identity Provider issues <samlp:Response> to Relying Party
        (Section 7.3.4).  In step 4, the Identity Provider issues a
        <samlp:Response> message to the Relying Party using the SAML
        RADIUS binding.  The response either indicates an error or
        includes a SAML Authentication Statement in exactly one SAML
        Assertion. If the RP did not send an <samlp:AuthnRequest>, the IdP

issues an unsolicited <samlp:Assertion>, as described in section 7.4.4.


> Nits/editorial comments:
>
>  1. In section 1 please expand ABFAB
>

Ok

> 1.
>
>
>  2. In section 7.2, the text says “To implement this scenario, a
>     profile of the SAML Authentication   Request protocol is used in
>     conjunction with the SAML RADIUS binding  defined in Section 4.” I
>     think that the language should be more normative maybe it should
>     say  “To implement this scenario, this profile of the SAML
>     Authentication   Request protocol MUST Be (or SHOULD if there are
>     other options) used in conjunction with the SAML RADIUS binding 
>     defined in Section 4.”
>

Agree. I think "MUST be" is the one to be used.

Best regards,
Alejandro