RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
"Josh Howlett" <Josh.Howlett@ja.net> Fri, 13 February 2009 09:40 UTC
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 822713A68E7; Fri, 13 Feb 2009 01:40:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ir0JSu+Q40fl; Fri, 13 Feb 2009 01:40:46 -0800 (PST)
Received: from umhost1.ukerna.ac.uk (umhost1.ukerna.ac.uk [193.62.83.67]) by core3.amsl.com (Postfix) with ESMTP id 9813B3A684A; Fri, 13 Feb 2009 01:40:46 -0800 (PST)
Received: from har003676.ukerna.ac.uk ([194.82.140.75]) by umhost1.ukerna.ac.uk with esmtp (Exim 4.50) id 1LXuXQ-0006mn-4g; Fri, 13 Feb 2009 09:40:48 +0000
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 47E8D4A6B1F_9954013B; Fri, 13 Feb 2009 09:40:35 +0000 (GMT)
Received: from uxsrvr20.atlas.ukerna.ac.uk (uxsrvr20.ukerna.ac.uk [193.62.83.209]) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 24E344A6B7D_995400DF; Fri, 13 Feb 2009 09:40:29 +0000 (GMT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Date: Fri, 13 Feb 2009 09:40:46 -0000
Message-ID: <6ED388AA006C454BA35B0098396B9BFB04CD3D2A@uxsrvr20.atlas.ukerna.ac.uk>
In-Reply-To: <084f01c98d64$51118b00$0201a8c0@nsnintra.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07
Thread-Index: AcmNOUsifPOne/+8RcqFVJ7RSjvsDAAA9ChwAAH+vPcAAFRa0AAEND6wAALDcLAAFl3XsA==
References: <07d901c98d3e$0fdb9f70$0201a8c0@nsnintra.net><C5B9DD87.327A%mshore@cisco.com> <081b01c98d46$d8c731d0$0201a8c0@nsnintra.net> <6ED388AA006C454BA35B0098396B9BFB04CD3CC5@uxsrvr20.atlas.ukerna.ac.uk> <084f01c98d64$51118b00$0201a8c0@nsnintra.net>
From: Josh Howlett <Josh.Howlett@ja.net>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Melinda Shore <mshore@cisco.com>
Cc: Josh Howlett <Josh.Howlett@ja.net>, tls@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2009 09:40:47 -0000
Hi Hans, > >Hannes wrote: > >> Melinda wrote: > >> > > >> > and that there are > >> > some non-trivial advantages to carrying authorizations in-band. > >> Namely... > > > >I don't wish to speak for Melinda, but this is a view shared by many > >within my own community. > > > >I have a long list of applications, collected from within this > >community, with which they would like to use SAML-based > authorisation; > > Interesting. Any interest to share it with us? I'm in the process of trying to flesh it out at the moment, in a collaboration with some of the communities concerned, so that we can articulate some concrete use-cases. At the moment the list covers pretty much everything that is presently used in an Inter-Institutional context (AFS, SSH, VNC, RDP, SIP, SMTP, NEA, ...). > >and it seems to me that the ability for application > protocols to share > >a common mechanism for expressing authorisation would mitigate or > >perhaps even avoid the need to make application-specific > authorisation > >extensions. > > My experience: authorization is often related to the specific > application domain. I agree insofar as 'authorisation' is often an exercise in making statements using semantics that are specific to application domains, but I don't believe it follows that the syntactical and transport elements (that support the semantic expression) also need to be specific to the application domain. > Furthermore, working on SIP SAML I noticed the problems when > you go down to specific solutions scenarios. Can you expand? > >(The fact that SAML-based Web SSO uses SAML that is bound to the > >application-layer is, I believe, only an artifact of a > requirement to > >avoid modifying contemporary Web browsers and I don't think it is an > >approach that would necessarily be desirable for the general case.) > > ... a reasonable transition plan, in my view. Sure. > The reason for the success of these IdM solutions, > particularly OpenID. (Well - OpenID has been a flop in my opinion. It has its uses, but not very interesting ones. But I digress...) > >Binding authorisation to TLS, as suggested by this document, is one > >approach that would satisfy the 'common mechanism' > >requirement indicated previously. > > Looking forward to see your solutions. I have no answers; I'm still trying to figure out what the questions are :-/ josh. JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
- TLS WG Chair Comments on draft-ietf-tls-authz-07 Eric Rescorla
- Re: TLS WG Chair Comments on draft-ietf-tls-authz… Michael StJohns
- RE: TLS WG Chair Comments on draft-ietf-tls-authz… Powers Chuck-RXCP20
- Re: TLS WG Chair Comments on draft-ietf-tls-authz… Melinda Shore
- Re: TLS WG Chair Comments on draft-ietf-tls-authz… Tim Polk
- Re: TLS WG Chair Comments on draft-ietf-tls-authz… SM
- TLS WG Chair Comments on draft-ietf-tls-authz-07 Eric Rescorla
- RE: TLS WG Chair Comments on draft-ietf-tls-authz… Hallam-Baker, Phillip
- Re: TLS WG Chair Comments on draft-ietf-tls-authz… Steven M. Bellovin
- Re: [TLS] TLS WG Chair Comments on draft-ietf-tls… Alfred Hönes
- Re: [TLS] TLS WG Chair Comments on draft-ietf-tls… Angelos D. Keromytis
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Hannes Tschofenig
- Re: [TLS] TLS WG Chair Comments on draft-ietf-tls… Melinda Shore
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Hannes Tschofenig
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Josh Howlett
- Re: [TLS] TLS WG Chair Comments on draft-ietf-tls… Sam Hartman
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Hannes Tschofenig
- Re: [TLS] TLS WG Chair Comments on draft-ietf-tls… Peter Sylvester
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Josh Howlett
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Josh Howlett
- RE: TLS WG Chair Comments on draft-ietf-tls-authz… Pasi.Eronen
- Re: [TLS] TLS WG Chair Comments on draft-ietf-tls… Melinda Shore
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Kemp, David P.
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Kemp, David P.
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Hannes Tschofenig
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Hannes Tschofenig
- RE: [TLS] TLS WG Chair Comments on draft-ietf-tls… Josh Howlett