Re: [KAML] Reminder: BOF proposals to me by October 1

"Tom Scavo" <trscavo@gmail.com> Fri, 16 November 2007 17:10 UTC

Return-path: <kaml-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1It4hj-0001QJ-RV; Fri, 16 Nov 2007 12:10:07 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1It4hi-0001K9-01 for kaml@ietf.org; Fri, 16 Nov 2007 12:10:06 -0500
Received: from fk-out-0910.google.com ([209.85.128.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1It4he-0005eZ-Il for kaml@ietf.org; Fri, 16 Nov 2007 12:10:05 -0500
Received: by fk-out-0910.google.com with SMTP id z23so947107fkz for <kaml@ietf.org>; Fri, 16 Nov 2007 09:10:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=LO+eM1HNcGnND0dWQvZ+CIG4vP40t2Dx0DIf6Z1NVbU=; b=BpIIkcQoli+TOoJPvanwxK9sSX6fUH0MruVHd6Y/TwCJl+xZXnpkZ7ADkHyi4EHhfp32y0ochU6dseqx2z21G617jr/pzObDnuNuz0KlChRqfwHWnU5BYb8cNLwpooSBuG4OYFxXa0PbiWKDgzdJmbUQCO4qslICDlmc9LAyrTs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=lHQhEBLaR9a9oUArxv5ea9nwXeFYrRugdYO75dpUh+cP2Ivr6UMAo63ZdA/V//H7OaIFSXai7ligIGZpJBoBMIncV08FIAkrZFiPlpbDqoJsFmajfTwkfqeUyZP8e1UKdIxGKoBX6YmKy19B0dEX/8KvWzsotEj5jG1Fa22Mvtk=
Received: by 10.82.177.3 with SMTP id z3mr5714549bue.1195233000963; Fri, 16 Nov 2007 09:10:00 -0800 (PST)
Received: by 10.82.186.15 with HTTP; Fri, 16 Nov 2007 09:10:00 -0800 (PST)
Message-ID: <ea2af9bd0711160910u70ebb515m35de79fdad8ff606@mail.gmail.com>
Date: Fri, 16 Nov 2007 12:10:00 -0500
From: "Tom Scavo" <trscavo@gmail.com>
To: "Josh Howlett" <Josh.Howlett@ja.net>
Subject: Re: [KAML] Reminder: BOF proposals to me by October 1
In-Reply-To: <6ED388AA006C454BA35B0098396B9BFB02E4C7D9@uxsrvr20.atlas.ukerna.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <ea2af9bd0709251452y114ee29bs91fcfb6f490e6ffc@mail.gmail.com> <6ED388AA006C454BA35B0098396B9BFB02E4C7D9@uxsrvr20.atlas.ukerna.ac.uk>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52e1467c2184c31006318542db5614d5
Cc: kaml@ietf.org, Paul Rabinovich <Paul.Rabinovich@exostar.com>
X-BeenThere: kaml@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kaml>
List-Post: <mailto:kaml@ietf.org>
List-Help: <mailto:kaml-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=subscribe>
Errors-To: kaml-bounces@ietf.org

On Nov 15, 2007 4:40 AM, Josh Howlett <Josh.Howlett@ja.net> wrote:
>
> Tom Scavo wrote:
> > On 9/25/07, Leif Johansson <leifj@it.su.se> wrote:
> > >
> > > There are at least two ways to model LoA using
> > > SAML - using an AC class or using an attribute.
> >
> > That's correct.  If you decide to use AuthnContext, that
> > means the Kerberos-bound SAML assertion would contain an
> > AuthnStatement.  On the other hand, an Attribute would
> > require an AttributeStatement.
> > (Personally, I think AuthnContext is the way to go for LoA,
> > but the jury's still out on that issue.)
>
> I don't think that it's desirable to prescribe either (1) what
> constitutes an appropriate token for LoA or (2) that a token needs to be
> bound directly to the ticket. The former *should* be a matter for local
> policy, and the latter is not necessary.

With regard to (1), I think you're missing the point, Josh.  How the
LoA is carried in the SAML assertion is a technical detail, not a
matter of policy.  An attribute is more general (because it works in
both SAML V1.1 and V2.0) but SAML V2.0 AuthnContext is preferred (IMO)
since it binds LoA to an AuthnStatement, which is conceptually
correct.

As far as (2) is concerned, you're right, passing additional security
information by value is not strictly necessary.  However, our own
experience integrating SAML into X.509 has clearly shown that pushing
SAML tokens by value is far easier to implement and deploy.  Moreover,
no new wire protocols are required to push X.509-bound SAML tokens.  I
suspect that the Kerberos use case will exhibit similar advantages.

Tom Scavo
NCSA

_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml