Summary of Federated Authentication BOF at IETF 77
Sam Hartman <hartmans-ietf@mit.edu> Fri, 14 May 2010 19:21 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 34C6E28C160; Fri, 14 May 2010 12:21:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.285
X-Spam-Level:
X-Spam-Status: No, score=-0.285 tagged_above=-999 required=5 tests=[AWL=-0.620, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2cThnTUVrei; Fri, 14 May 2010 12:21:03 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 9D9F03A6BFE; Fri, 14 May 2010 12:19:45 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 76B7B20239; Fri, 14 May 2010 15:19:36 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 8E89F43EE; Fri, 14 May 2010 15:19:34 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: saag@mit.edu
Subject: Summary of Federated Authentication BOF at IETF 77
Date: Fri, 14 May 2010 15:19:34 -0400
Message-ID: <tslbpciqojd.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kitten@ietf.org, moonshot-community@jiscmail.ac.uk, emu@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 May 2010 19:21:04 -0000
I'm told there were around 30 people in the room. That seemed like a good turn out for Thursday at 9 PM. Many of the participants had already read some or all of the proposed documents. I presented a problem statement based on providing federated authentication for non-web applications. Two solutions were presented. I presented work on Moonshot, a technology that combines EAP, GSS-API, RADIUS and SAML to solve the problem. Eliot Lear and Klaas Wierenga presented a simpler solution that uses browser-based SAML and Open ID. The sense of the room was that these solutions compliment each other. Moonshot requires more infrastructure and client configuration but provides several advantages. The browser-based solutions are something that requires fewer client changes. Volunteers were collected from the EAP, GSS and RADIUS communities who would be interested in working on these problems. Some of the work discussed, possibly especially including the Open ID and SAML browser-based solutions may be able to progress in kitten. I and I believe several of the other Moonshot proponents would prefer to focus the Moonshot work in one working group. Other solutions could also be progressed in that group, although we should be careful not to slow down work that could progress quickly in kitten by moving it into an as-yet-unchartered group. There seemed to be strong support for going forward. However, several things to address in a BOF were raised with regard to the Moonshot work. * Steve Bellovin pointed out that we need to be very aware of the operational impact and how this fits with the operational model of the technologies that are used/extended. * Klaas pointed out that Moonshot involves changes to a lot of different components. We need to make sure that there are incremental advantages to each of these changes so they will be deployed: a system where there is no benefit until the end when all the peaces fall together is much harder to deploy. * Klaas pointed out that we need to consider the operational security around how RADIUS federations are deployed. If network access is not considered sensitive today, people may be more lax in the security surrounding their RADIUS infrastructure. If we use that infrastructure to secure more sensitive resources we need to have practices that tighten up the security of the infrastructure sufficiently. * Someone brought up that this is another one of those authentication proposals where user-interface is critical. While we should not lay out dialogues in the IETF, we're going to need to describe the usability aspects of this enough to increase the probability of a good security solution. People specifically asked to look at the following: * Complexity * What can't be handled with simpler solutions * Is Moonshot broad enough in scope? * The UI questions Since the bar BOF, there has been a lot of traffic on the list and work continues. We're definitely going to put together a BOF request for IETF 78.