IETF Logo Mail Archive

RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Sat, 14 February 2009 21:04 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD81B28C0F8 for <ietf@core3.amsl.com>; Sat, 14 Feb 2009 13:04:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.463
X-Spam-Level:
X-Spam-Status: No, score=-2.463 tagged_above=-999 required=5 tests=[AWL=0.136, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tphXLIQElJ+X for <ietf@core3.amsl.com>; Sat, 14 Feb 2009 13:04:58 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 4C5A028C0F5 for <ietf@ietf.org>; Sat, 14 Feb 2009 13:04:58 -0800 (PST)
Received: (qmail invoked by alias); 14 Feb 2009 20:58:25 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp036) with SMTP; 14 Feb 2009 21:58:25 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+pEY5oxGOp3TziiIcVB2oSwuZ2Laj6L3F02ZLL0b I+2fCVVZm6ySgh
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Josh Howlett' <Josh.Howlett@ja.net>, 'Melinda Shore' <mshore@cisco.com>
References: <07d901c98d3e$0fdb9f70$0201a8c0@nsnintra.net><C5B9DD87.327A%mshore@cisco.com> <081b01c98d46$d8c731d0$0201a8c0@nsnintra.net> <6ED388AA006C454BA35B0098396B9BFB04CD3CC5@uxsrvr20.atlas.ukerna.ac.uk> <084f01c98d64$51118b00$0201a8c0@nsnintra.net> <6ED388AA006C454BA35B0098396B9BFB04CD3D2A@uxsrvr20.atlas.ukerna.ac.uk>
Subject: RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Date: Sat, 14 Feb 2009 22:59:17 +0200
Message-ID: <00b101c98ee7$1a391d30$3fb5b70a@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <6ED388AA006C454BA35B0098396B9BFB04CD3D2A@uxsrvr20.atlas.ukerna.ac.uk>
Thread-Index: AcmNOUsifPOne/+8RcqFVJ7RSjvsDAAA9ChwAAH+vPcAAFRa0AAEND6wAALDcLAAFl3XsABJixlA
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.53
Cc: tls@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Feb 2009 21:04:59 -0000

Hi Josh, 

>Hi Hans,
>
>> >Hannes wrote:
>> >> Melinda wrote:
>> >> >
>> >> > and that there are
>> >> > some non-trivial advantages to carrying authorizations in-band.
>> >> Namely... 
>> >
>> >I don't wish to speak for Melinda, but this is a view 
>shared by many 
>> >within my own community.
>> >
>> >I have a long list of applications, collected from within this 
>> >community, with which they would like to use SAML-based
>> authorisation;
>> 
>> Interesting. Any interest to share it with us?
>
>I'm in the process of trying to flesh it out at the moment, in 
>a collaboration with some of the communities concerned, so 
>that we can articulate some concrete use-cases. At the moment 
>the list covers pretty much everything that is presently used 
>in an Inter-Institutional context (AFS, SSH, VNC, RDP, SIP, 
>SMTP, NEA, ...).


Looking forward to see more about it. 

>
>> >and it seems to me that the ability for application
>> protocols to share
>> >a common mechanism for expressing authorisation would mitigate or 
>> >perhaps even avoid the need to make application-specific
>> authorisation
>> >extensions.
>> 
>> My experience: authorization is often related to the specific 
>> application domain.
>
>I agree insofar as 'authorisation' is often an exercise in 
>making statements using semantics that are specific to 
>application domains, but I don't believe it follows that the 
>syntactical and transport elements (that support the semantic 
>expression) also need to be specific to the application domain.
>
>> Furthermore, working on SIP SAML I noticed the problems when you go 
>> down to specific solutions scenarios.
>
>Can you expand?
Look at http://tools.ietf.org/html/draft-ietf-sip-saml-05. 
We started with a specific problem in mind, described in RFC 4484. 
There are obviously different design approaches one can take and SIP is a
complex protocol and hence there are not always point-to-point interactions
making it somewhat difficult to provide similar functionality at a lower
layer. With specific details about the actual authorization statements we
also had a hard time. We published a few specifications (all expired in the
meanwhile) that discussed more or less complex attributes. Examples: 
http://tools.ietf.org/html/draft-schubert-sipping-saml-cpc-02
http://tools.ietf.org/html/draft-schwartz-sipping-spit-saml-01
http://tools.ietf.org/html/draft-jennings-sipping-pay-06

Since you mentioned SIP as one of the usage scenarios in the paragraph above
you might have had other use cases in mind. 

For many of the protocols and usage scenarios it may not even be so obvious
what SAML can actually give you (not even touching the subject of where to
put the SAML assertions).

My fear about SAML in TLS was a history like the following one: 
* Hmmm. SAML becomes popular. We should put it in every protocol. 
* There isn't an extension for TLS defined yet. Let's do it. 
* Now, let's search for the problems it could solve. 


>> >(The fact that SAML-based Web SSO uses SAML that is bound to the 
>> >application-layer is, I believe, only an artifact of a
>> requirement to
>> >avoid modifying contemporary Web browsers and I don't think 
>it is an 
>> >approach that would necessarily be desirable for the general case.)
>> 
>> ... a reasonable transition plan, in my view.
>
>Sure.
>
>> The reason for the success of these IdM solutions, particularly 
>> OpenID.
>
>(Well - OpenID has been a flop in my opinion. It has its uses, 
>but not very interesting ones. But I digress...)

There are different camps, without doubt. Just to point you to one other
opinion -- Jeff Schiller's webblog I recently discovered:
http://qyv.net/jisblog/2007/05/08/identity-on-the-internet/



>
>> >Binding authorisation to TLS, as suggested by this document, is one 
>> >approach that would satisfy the 'common mechanism'
>> >requirement indicated previously.
>> 
>> Looking forward to see your solutions.
>
>I have no answers; I'm still trying to figure out what the 
>questions are :-/

I was referring to the usage scenarios you are working on. 

Btw, I am not suggesting that folks shouldn't spend their time on usage of
authorization in TLS. I am more looking for some of the background of the
work as it often not too obvious from the pure specification. Your pointer
to http://kerberos.org/software/kerbweb.pdf is certainly helpful for a
number of folks -- I have learned it already from Jeff. 

Ciao
Hannes

>
>josh.
>
>JANET(UK) is a trading name of The JNT Association, a company 
>limited by guarantee which is registered in England under No. 
>2881024 and whose Registered Office is at Lumen House, Library 
>Avenue, Harwell Science and Innovation Campus, Didcot, 
>Oxfordshire. OX11 0SG
>

v2.23.0 | Report a Bug | By Email