Re: [KAML] Reminder: BOF proposals to me by October 1
"Tom Scavo" <trscavo@gmail.com> Fri, 16 November 2007 17:10 UTC
Return-path: <kaml-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1It4hj-0001QJ-RV; Fri, 16 Nov 2007 12:10:07 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1It4hi-0001K9-01 for kaml@ietf.org; Fri, 16 Nov 2007 12:10:06 -0500
Received: from fk-out-0910.google.com ([209.85.128.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1It4he-0005eZ-Il for kaml@ietf.org; Fri, 16 Nov 2007 12:10:05 -0500
Received: by fk-out-0910.google.com with SMTP id z23so947107fkz for <kaml@ietf.org>; Fri, 16 Nov 2007 09:10:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=LO+eM1HNcGnND0dWQvZ+CIG4vP40t2Dx0DIf6Z1NVbU=; b=BpIIkcQoli+TOoJPvanwxK9sSX6fUH0MruVHd6Y/TwCJl+xZXnpkZ7ADkHyi4EHhfp32y0ochU6dseqx2z21G617jr/pzObDnuNuz0KlChRqfwHWnU5BYb8cNLwpooSBuG4OYFxXa0PbiWKDgzdJmbUQCO4qslICDlmc9LAyrTs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=lHQhEBLaR9a9oUArxv5ea9nwXeFYrRugdYO75dpUh+cP2Ivr6UMAo63ZdA/V//H7OaIFSXai7ligIGZpJBoBMIncV08FIAkrZFiPlpbDqoJsFmajfTwkfqeUyZP8e1UKdIxGKoBX6YmKy19B0dEX/8KvWzsotEj5jG1Fa22Mvtk=
Received: by 10.82.177.3 with SMTP id z3mr5714549bue.1195233000963; Fri, 16 Nov 2007 09:10:00 -0800 (PST)
Received: by 10.82.186.15 with HTTP; Fri, 16 Nov 2007 09:10:00 -0800 (PST)
Message-ID: <ea2af9bd0711160910u70ebb515m35de79fdad8ff606@mail.gmail.com>
Date: Fri, 16 Nov 2007 12:10:00 -0500
From: Tom Scavo <trscavo@gmail.com>
To: Josh Howlett <Josh.Howlett@ja.net>
Subject: Re: [KAML] Reminder: BOF proposals to me by October 1
In-Reply-To: <6ED388AA006C454BA35B0098396B9BFB02E4C7D9@uxsrvr20.atlas.ukerna.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <ea2af9bd0709251452y114ee29bs91fcfb6f490e6ffc@mail.gmail.com> <6ED388AA006C454BA35B0098396B9BFB02E4C7D9@uxsrvr20.atlas.ukerna.ac.uk>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52e1467c2184c31006318542db5614d5
Cc: kaml@ietf.org, Paul Rabinovich <Paul.Rabinovich@exostar.com>
X-BeenThere: kaml@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kaml>
List-Post: <mailto:kaml@ietf.org>
List-Help: <mailto:kaml-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=subscribe>
Errors-To: kaml-bounces@ietf.org
On Nov 15, 2007 4:40 AM, Josh Howlett <Josh.Howlett@ja.net> wrote: > > Tom Scavo wrote: > > On 9/25/07, Leif Johansson <leifj@it.su.se> wrote: > > > > > > There are at least two ways to model LoA using > > > SAML - using an AC class or using an attribute. > > > > That's correct. If you decide to use AuthnContext, that > > means the Kerberos-bound SAML assertion would contain an > > AuthnStatement. On the other hand, an Attribute would > > require an AttributeStatement. > > (Personally, I think AuthnContext is the way to go for LoA, > > but the jury's still out on that issue.) > > I don't think that it's desirable to prescribe either (1) what > constitutes an appropriate token for LoA or (2) that a token needs to be > bound directly to the ticket. The former *should* be a matter for local > policy, and the latter is not necessary. With regard to (1), I think you're missing the point, Josh. How the LoA is carried in the SAML assertion is a technical detail, not a matter of policy. An attribute is more general (because it works in both SAML V1.1 and V2.0) but SAML V2.0 AuthnContext is preferred (IMO) since it binds LoA to an AuthnStatement, which is conceptually correct. As far as (2) is concerned, you're right, passing additional security information by value is not strictly necessary. However, our own experience integrating SAML into X.509 has clearly shown that pushing SAML tokens by value is far easier to implement and deploy. Moreover, no new wire protocols are required to push X.509-bound SAML tokens. I suspect that the Kerberos use case will exhibit similar advantages. Tom Scavo NCSA _______________________________________________ KAML mailing list KAML@ietf.org https://www1.ietf.org/mailman/listinfo/kaml
- [KAML] Reminder: BOF proposals to me by October 1 Sam Hartman
- Re: [KAML] Reminder: BOF proposals to me by Octob… Leif Johansson
- RE: [KAML] Reminder: BOF proposals to me by Octob… Paul Rabinovich
- Re: [KAML] Reminder: BOF proposals to me by Octob… Leif Johansson
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Paul Rabinovich
- Re: [KAML] Reminder: BOF proposals to me by Octob… Henry B. Hotz
- Re: [KAML] Reminder: BOF proposals to me by Octob… Leif Johansson
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett