RE: [KAML] Reminder: BOF proposals to me by October 1

"Josh Howlett" <Josh.Howlett@ja.net> Fri, 16 November 2007 22:55 UTC

Subject: RE: [KAML] Reminder: BOF proposals to me by October 1
Date: Fri, 16 Nov 2007 22:54:46 -0000
Message-ID: <6ED388AA006C454BA35B0098396B9BFB02E4CA80@uxsrvr20.atlas.ukerna.ac.uk>
In-Reply-To: <ea2af9bd0711160910u70ebb515m35de79fdad8ff606@mail.gmail.com>
References: <ea2af9bd0709251452y114ee29bs91fcfb6f490e6ffc@mail.gmail.com> <6ED388AA006C454BA35B0098396B9BFB02E4C7D9@uxsrvr20.atlas.ukerna.ac.uk> <ea2af9bd0711160910u70ebb515m35de79fdad8ff606@mail.gmail.com>
From: Josh Howlett <Josh.Howlett@ja.net>
To: Tom Scavo <trscavo@gmail.com>
Cc: Josh Howlett <Josh.Howlett@ja.net>, kaml@ietf.org, Paul Rabinovich <Paul.Rabinovich@exostar.com>

> > > That's correct.  If you decide to use AuthnContext, that means the
> > > Kerberos-bound SAML assertion would contain an AuthnStatement.  On
> > > the other hand, an Attribute would require an AttributeStatement.
> > > (Personally, I think AuthnContext is the way to go for LoA, but the
> > > jury's still out on that issue.)
> >
> > I don't think that it's desirable to prescribe either (1) what
> > constitutes an appropriate token for LoA or (2) that a token needs to
> > be bound directly to the ticket. The former *should* be a matter for
> > local policy, and the latter is not necessary.
> 
> With regard to (1), I think you're missing the point, Josh.
> How the LoA is carried in the SAML assertion is a technical
> detail, not a matter of policy.

My point was that if the <LoA token> can be acquired post hoc then the
Relying Party can decide for itself what the necessary token(s) are,
rather than relying on the TGS to choose what it believes is
appropriate. The fire-and-forget approach does not provide room for
agility.

I believe that what constitutes an appropriate <LoA token> depends on
what the Relying Party in question feels is necessary to satisfy its
policy, and so binding these semantics arbitrarily to the transport
protocol seems unnecessarily restrictive. Let them choose! AuthN
context, attribute or moon phase...

josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
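As an added example, not part of the thread and not code from any project discussed in it: a small Relying-Party-side check in Python over constructed SAML 2.0 assertions that carry a level of assurance either as an AuthnContextClassRef inside an AuthnStatement or as an Attribute inside an AttributeStatement, the two carriers the thread contrasts. Which carrier the RP trusts and which values satisfy it is supplied as local policy by the caller, which is the "let them choose" position above; the same assertion can therefore pass under one RP's policy and fail under another's. The attribute name `urn:example:loa` and the LoA URIs `urn:example:loa:2`/`urn:example:loa:3` are placeholders constructed for this example, not values from the thread or from any SAML profile. Signature validation of the assertion is assumed to have happened before this check runs.

```python
"""RP-side level-of-assurance (LoA) check over a SAML 2.0 assertion.

Added example: the assertion may carry LoA either as an AuthnContextClassRef
inside an AuthnStatement or as an Attribute inside an AttributeStatement.
Which carrier the Relying Party accepts, and which values satisfy it, is
local policy supplied by the caller rather than something fixed by the
transport.  Assertion signature verification is assumed to precede this.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Hypothetical attribute name used to carry LoA in an AttributeStatement;
# an assumption for this example, not a value from the thread.
LOA_ATTRIBUTE_NAME = "urn:example:loa"


def extract_loa(assertion_xml: str) -> dict:
    """Return every LoA claim found, keyed by the statement type that carried it."""
    root = ET.fromstring(assertion_xml)
    found = {"authncontext": [], "attribute": []}
    # Carrier 1: AuthnStatement / AuthnContext / AuthnContextClassRef
    for ref in root.findall(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    ):
        if ref.text:
            found["authncontext"].append(ref.text.strip())
    # Carrier 2: AttributeStatement / Attribute[@Name=LOA_ATTRIBUTE_NAME]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == LOA_ATTRIBUTE_NAME:
            for val in attr.findall("saml:AttributeValue", NS):
                if val.text:
                    found["attribute"].append(val.text.strip())
    return found


def rp_accepts(assertion_xml: str, policy: dict) -> bool:
    """Apply local RP policy.

    policy["sources"]: carriers the RP trusts ("authncontext", "attribute").
    policy["accepted"]: set of LoA URIs that satisfy the RP.
    """
    found = extract_loa(assertion_xml)
    for source in policy["sources"]:
        for value in found.get(source, []):
            if value in policy["accepted"]:
                return True
    return False


# Constructed sample assertions (no signature; IDs and timestamps are made up).
ASSERTION_AUTHNCONTEXT = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" IssueInstant="2007-11-16T22:54:46Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2007-11-16T22:54:40Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:loa:2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

ASSERTION_ATTRIBUTE = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c2" Version="2.0" IssueInstant="2007-11-16T22:54:46Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{LOA_ATTRIBUTE_NAME}">
      <saml:AttributeValue>urn:example:loa:2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Two constructed RP policies: one trusts only the AuthnContext carrier,
# the other accepts either carrier.
POLICY_AUTHN_ONLY = {
    "sources": ["authncontext"],
    "accepted": {"urn:example:loa:2", "urn:example:loa:3"},
}
POLICY_EITHER = {
    "sources": ["authncontext", "attribute"],
    "accepted": {"urn:example:loa:2", "urn:example:loa:3"},
}

if __name__ == "__main__":
    for name, xml in (("authncontext", ASSERTION_AUTHNCONTEXT), ("attribute", ASSERTION_ATTRIBUTE)):
        print(name, extract_loa(xml),
              "authn-only:", rp_accepts(xml, POLICY_AUTHN_ONLY),
              "either:", rp_accepts(xml, POLICY_EITHER))
```

The point the code makes is that the parser recognises both carriers unconditionally, while acceptance is decided entirely by the policy dictionary; an RP that wants only an AuthnContext, only an attribute, or either, changes the policy and not the parsing of the assertion.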


_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml