Proposed bar BOF on federated authentication for non-web applications at IETF 77

Sam Hartman <> Sat, 13 February 2010 00:32 UTC

List-Id: Common Authentication Technologies - Next Generation <>

I've been working with JaNet(UK) on providing a federation solution for
client applications such as mail readers, filesystem clients,
XMPP clients and the like.  There are fairly good solutions such as
OpenID, Information Card and SAML for web applications.  Within an
enterprise, you have Kerberos.  

JaNet(UK) runs one of the world's largest SAML federations.  As their
customers are beginning to take advantage of federated access for web
applications they are also asking how they can gain the same flexibility
for client-server applications.  This customer demand appears to have
traction across the entire European academic community.  I suspect that
it may find traction within enterprises and other environments.

We'd like to have a bar BOF at IETF 77 in California with a goal of an
actual BOF this summer in Europe at IETF 78.  We invite you to join our
mailing list at  where
we can discuss timing.

We plan to discuss the general problem and a proposed solution at the
bar BOF.  I've already prepared a feasibility analysis for JaNet(UK)'s
solution; the analysis does discuss the problem some, gives an outline
of the solution and discusses technical issues and required standards
work in detail.  By IETF we'll have a use case paper, an internet draft
on the solution, and a slide set.

We look forward to your input.  You can find a bit more detail on my
blog at 
You can find the feasibility analysis at


Sam Hartman
Painless Security