RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Thu, 12 February 2009 22:49 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Josh Howlett' <Josh.Howlett@ja.net>, 'Melinda Shore' <mshore@cisco.com>
References: <07d901c98d3e$0fdb9f70$0201a8c0@nsnintra.net><C5B9DD87.327A%mshore@cisco.com> <081b01c98d46$d8c731d0$0201a8c0@nsnintra.net> <6ED388AA006C454BA35B0098396B9BFB04CD3CC5@uxsrvr20.atlas.ukerna.ac.uk>
Subject: RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Date: Fri, 13 Feb 2009 00:50:34 +0200
Message-ID: <084f01c98d64$51118b00$0201a8c0@nsnintra.net>
Cc: tls@ietf.org, ietf@ietf.org

Hi Josh, 

>Hannes wrote:
>> Melinda wrote:
>> >
>> > and that there are
>> > some non-trivial advantages to carrying authorizations in-band.
>> Namely... 
>
>I don't wish to speak for Melinda, but this is a view shared 
>by many within my own community.
>
>I have a long list of applications, collected from within this 
>community, with which they would like to use SAML-based 
>authorisation; 

Interesting. Any interest in sharing it with us?

>and it seems to me that the ability for 
>application protocols to share a common mechanism for 
>expressing authorisation would mitigate or perhaps even avoid 
>the need to make application-specific authorisation extensions.

My experience: authorization is often related to the specific application
domain.

Furthermore, working on SIP SAML I noticed the problems when you go down to
specific solution scenarios.

>(The fact that SAML-based Web SSO uses SAML that is bound to 
>the application-layer is, I believe, only an artifact of a 
>requirement to avoid modifying contemporary Web browsers and I 
>don't think it is an approach that would necessarily be 
>desirable for the general case.)

... a reasonable transition plan, in my view. 
The reason for the success of these IdM solutions, particularly OpenID.

>Binding authorisation to TLS, as suggested by this document, 
>is one approach that would satisfy the 'common mechanism' 
>requirement indicated previously.

Looking forward to seeing your solutions.

Ciao
Hannes

>
>josh.