RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Sat, 14 February 2009 20:58 UTC
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Sam Hartman' <hartmans-ietf@mit.edu>, 'Josh Howlett' <Josh.Howlett@ja.net>
References: <07d901c98d3e$0fdb9f70$0201a8c0@nsnintra.net><C5B9DD87.327A%mshore@cisco.com><081b01c98d46$d8c731d0$0201a8c0@nsnintra.net><6ED388AA006C454BA35B0098396B9BFB04CD3CC5@uxsrvr20.atlas.ukerna.ac.uk> <tsleiy3wa8b.fsf@live.mit.edu>
Subject: RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Date: Sat, 14 Feb 2009 22:59:12 +0200
Message-ID: <00b001c98ee7$17c13f60$3fb5b70a@nsnintra.net>
Cc: 'Melinda Shore' <mshore@cisco.com>, tls@ietf.org, ietf@ietf.org
Hi Sam,

I am aware of some of the authorization mechanisms used in Kerberos (e.g., those introduced by Microsoft). The issue here is a bit different, particularly on the Internet (in comparison to the pure enterprise space).

We see a good deal of SSO solutions being deployed. To provide incremental deployment, the protocol designers have written their specs in such a way that they do not require end host modifications. It turned out that this is a fairly good idea to find excitement in the industry. It seems that end host changes (even if they are only in the browser) aren't so easy. Many other solutions are theoretically possible to solve the WebSSO problem when you assume end host modifications are possible.

Now, the question (for me) is why someone should deploy a new technique that requires end host modifications when they can get a similar result with already widely deployed mechanisms. (Not speaking about OpenID being fairly popular on the Internet due to its simple deployment model.) To answer this question, I believe, one has to start with a particular problem / usage scenario.

I don't want to prevent anyone from standardizing (or even implementing) new authorization extensions for TLS, but all the discussions we see about the IPRs are IMHO a bit over the top. I have a hard time seeing the widespread deployment in front of me. I could be wrong -- we will see in a few years.

Ciao
Hannes

>-----Original Message-----
>From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of Sam Hartman
>Sent: 13 February, 2009 00:40
>To: Josh Howlett
>Cc: Melinda Shore; Hannes Tschofenig; tls@ietf.org; ietf@ietf.org
>Subject: Re: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
>
>>>>>> "Josh" == Josh Howlett <Josh.Howlett@ja.net> writes:
>
>    Josh> I have a long list of applications, collected from within this community, with which they would like to use SAML-based authorisation; and it seems to me that the ability for application protocols to share a common mechanism for expressing authorisation would mitigate or perhaps even avoid the need to make application-specific authorisation extensions.
>
>The Kerberos community has many years of experience that within an infrastructure, carrying authorizations in-band has been useful and has reduced the effort required to fit an application into a larger infrastructure. Sometimes it reduces implementation cost in that sometimes libraries can automatically handle some aspects of authorization. More often, it reduces the cost of specifying a protocol or adapting a protocol that was not intended to work within a given infrastructure to working within the infrastructure. In many cases, authorization handling becomes a matter for client libraries and the server implementation, requiring little if any effort from the client application or any changes to the client->server protocol.
>
>As a result, it becomes significantly easier to expand the authorization system. To a large extent, it becomes a matter of updating the infrastructure, and updating only one side of the application. That is a huge savings in deployment and software engineering complexity.
>
>I would expect that SAML infrastructures could see similar benefits.
>
>For these reasons I support the publication of a standard in this space. I don't object to this work going to the TLS working group provided that
>1) it is within their current charter
>2) They commit to do the work and have sufficient energy to move it forward quickly.
>
>I do object to moving the discussion of whether to solve this problem to the TLS working group. I don't think that is the right forum: the TLS working group does not collect the people who would benefit from this work.