Re: [Gen-art] Gen-ART LC review of draft-ietf-abfab-aaa-saml-12

Alejandro Pérez Méndez <> Thu, 10 December 2015 07:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 114391A0025; Wed, 9 Dec 2015 23:32:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WwUPlvTqve8Y; Wed, 9 Dec 2015 23:32:09 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0C4251A000D; Wed, 9 Dec 2015 23:32:09 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id A41EC63FE; Thu, 10 Dec 2015 08:32:07 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id HvThTCfru67l; Thu, 10 Dec 2015 08:32:07 +0100 (CET)
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by (Postfix) with ESMTPSA id B4F7822BC; Thu, 10 Dec 2015 08:32:03 +0100 (CET)
To: Roni Even <>,
References: <06b101d12dd7$423eb740$c6bc25c0$>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <>
Message-ID: <>
Date: Thu, 10 Dec 2015 08:32:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <06b101d12dd7$423eb740$c6bc25c0$>
Content-Type: multipart/alternative; boundary="------------040905020608060007000303"
Archived-At: <>
Subject: Re: [Gen-art] Gen-ART LC review of draft-ietf-abfab-aaa-saml-12
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Dec 2015 07:32:13 -0000

Dear Roni and chairs of the ABFAB WG,

thank you for the revision. Please, see my responses inline (specially 
the one related to point #2)

El 03/12/15 a las 15:31, Roni Even escribió:
> I am the assigned Gen-ART reviewer for this draft. For background on 
> Gen-ART, please see the FAQ at 
> <>.
> Please resolve these comments along with any other Last Call comments 
> you may receive.
> Document: draft-ietf-abfab-aaa-saml-12
> Reviewer: Roni Even
> Review Date:2015–12-3
> IETF LC End Date: 2015–12-4
> IESG Telechat date:
> Summary: This draft is almost ready for publication as an 
> Informational RFC.
> Major issues:
> Minor issues:
> 1.Why is the RADIUSNasIpAddress a string and not as specified in for 
> example in RFC2865

The RADIUSNasIpAddress is a SAML metadata element, thus it has to comply 
with existing SAML types. The string type allows to encode the "display" 
value of these RADIUS attributes (e.g. "", or "::1"). Note 
that current text specifies that the element contains an acceptable 
value for RADIUS NAS-IP-Address or RADIUS NAS-IPv6-Address attributes, 
so no arbitrary values are accepted nonetheless.

> 2.In general I was wondering why this is an Informational document. It 
> defines procedures and has normative language.

That sounds like kind of an unfortunate bug. For some reason, it changed 
from Standards Track to Informational between versions -00 and -01.
However, we want it standards-track with a normative downreference to 
radsec. Can it be done at this moment or does it require a more complex 

> 3.In the IANA consideration in section 11.1, as far as I understand 
> the IANA attribute type registry you need to ask for values for TBD1 
> and TBD2 from the unassigned space (and not the reserved space)

I agree. I cannot find where we state otherwise, though. Could you point 
the specific text where we say it?

> 4.In step 2 of figure 7 (section 7.2) the text says “In step 2, the 
> Relying Party may optionally issue a <samlp:AuthnRequest> message to 
> be delivered to the Identity Provider using the SAML-Protocol RADIUS 
> attribute.”  My reading is that the rest of the steps are when this 
> message is sent, since it is  “may” what happens if the message is not 
> sent?

If the <AuthnRequest> is not sent, the procedure follows the 
"unsolicited response" (explained in 7.4.4), where the IdP deliveres a 
<samlp:Assertion> element. I agree that step 4 needs to include this 
clarification. The new text should read as:

4.  Identity Provider issues <samlp:Response> to Relying Party
        (Section 7.3.4).  In step 4, the Identity Provider issues a
        <samlp:Response> message to the Relying Party using the SAML
        RADIUS binding.  The response either indicates an error or
        includes a SAML Authentication Statement in exactly one SAML
        Assertion. If the RP did not send an <samlp:AuthnRequest>, the IdP

issues an unsolicited <samlp:Assertion>, as described in section 7.4.4.

> Nits/editorial comments:
>  1. In section 1 please expand ABFAB


> 1.
>  2. In section 7.2, the text says “To implement this scenario, a
>     profile of the SAML Authentication   Request protocol is used in
>     conjunction with the SAML RADIUS binding  defined in Section 4.” I
>     think that the language should be more normative maybe it should
>     say  “To implement this scenario, this profile of the SAML
>     Authentication   Request protocol MUST Be (or SHOULD if there are
>     other options) used in conjunction with the SAML RADIUS binding 
>     defined in Section 4.”

Agree. I think "MUST be" is the one to be used.

Best regards,