RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07

"Josh Howlett" <Josh.Howlett@ja.net> Thu, 12 February 2009 21:47 UTC

Return-Path: <Josh.Howlett@ja.net>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC5A53A672F; Thu, 12 Feb 2009 13:47:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6v3cImwBDxBD; Thu, 12 Feb 2009 13:47:41 -0800 (PST)
Received: from umhost1.ukerna.ac.uk (umhost1.ukerna.ac.uk [193.62.83.67]) by core3.amsl.com (Postfix) with ESMTP id EE5A328C226; Thu, 12 Feb 2009 13:47:40 -0800 (PST)
Received: from har003676.ukerna.ac.uk ([194.82.140.75]) by umhost1.ukerna.ac.uk with esmtp (Exim 4.50) id 1LXjPJ-0006Uf-5O; Thu, 12 Feb 2009 21:47:41 +0000
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 3E2124A6B27_99498F1B; Thu, 12 Feb 2009 21:47:29 +0000 (GMT)
Received: from uxsrvr20.atlas.ukerna.ac.uk (uxsrvr20.ukerna.ac.uk [193.62.83.209]) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 24C084A6A7D_99498EBF; Thu, 12 Feb 2009 21:47:23 +0000 (GMT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Date: Thu, 12 Feb 2009 21:47:32 -0000
Message-ID: <6ED388AA006C454BA35B0098396B9BFB04CD3CC5@uxsrvr20.atlas.ukerna.ac.uk>
In-Reply-To: <081b01c98d46$d8c731d0$0201a8c0@nsnintra.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Thread-Index: AcmNOUsifPOne/+8RcqFVJ7RSjvsDAAA9ChwAAH+vPcAAFRa0AAEND6w
References: <07d901c98d3e$0fdb9f70$0201a8c0@nsnintra.net><C5B9DD87.327A%mshore@cisco.com> <081b01c98d46$d8c731d0$0201a8c0@nsnintra.net>
From: Josh Howlett <Josh.Howlett@ja.net>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Melinda Shore <mshore@cisco.com>
Cc: Josh Howlett <Josh.Howlett@ja.net>, tls@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2009 21:47:41 -0000

Hannes wrote:
> Melinda wrote:
> >
> > and that there are
> > some non-trivial advantages to carrying authorizations in-band.
> Namely... 

I don't wish to speak for Melinda, but this is a view shared by many
within my own community.

I have a long list of applications, collected from within this
community, with which they would like to use SAML-based authorisation;
and it seems to me that the ability for application protocols to share a
common mechanism for expressing authorisation would mitigate or perhaps
even avoid the need to make application-specific authorisation
extensions.

(The fact that SAML-based Web SSO uses SAML that is bound to the
application-layer is, I believe, only an artifact of a requirement to
avoid modifying contemporary Web browsers and I don't think it is an
approach that would necessarily be desirable for the general case.)

Binding authorisation to TLS, as suggested by this document, is one
approach that would satisfy the 'common mechanism' requirement indicated
previously.

josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG