Re: [kitten] [saag] SSH Protocol Extensions

"Cantor, Scott" <cantor.2@osu.edu> Thu, 13 August 2015 13:49 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Nico Williams <nico@cryptonector.com>, Simon Josefsson <simon@josefsson.org>
Date: Thu, 13 Aug 2015 13:48:45 +0000
Message-ID: <6B7C7317-467A-4809-ABA3-FF599332F18D@osu.edu>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <tsltws4ze6d.fsf@mit.edu> <20150812195437.2e03c0c8@latte.josefsson.org> <20150812183657.GG3654@localhost>
In-Reply-To: <20150812183657.GG3654@localhost>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/yTK0q0nwxDtRMnZvB_a5nmJxq9g>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Sam Hartman <hartmans-ietf@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "draft-ietf-kitten-sasl-saml-ec@tools.ietf.org" <draft-ietf-kitten-sasl-saml-ec@tools.ietf.org>
Subject: Re: [kitten] [saag] SSH Protocol Extensions

On 8/12/15, 2:37 PM, "Kitten on behalf of Nico Williams" <kitten-bounces@ietf.org on behalf of nico@cryptonector.com> wrote:

>On Wed, Aug 12, 2015 at 07:54:37PM +0200, Simon Josefsson wrote:
>> Or look into already published RFC 6616 for OpenID in SASL or RFC 6595
>> on SAML in SASL.  SAML-EC avoids the web loop, and may indeed be more
>> relevant depending on use-case.
>
>If Phil needs a SAML, one-message authentication method with no proof of
>possession, then a new SSHv2 userauth method is probably best (since the
>GSS userauth method uses MIC tokens for channel binding).  Would the
>SAML token be possible to bind to an SSHv2 session?  I would hope so.

Except it's not defined how one would acquire the token, and that's not trivial to do properly. If SAML IdPs don't support the profile, then you're nowhere. That's the problem the saml-ec mechanism was attacking fundamentally: reuse of an appropriate SAML profile to do the job.

-- Scott
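Nico's remark that the GSS userauth method uses MIC tokens for channel binding refers to the MIC the client computes in RFC 4462 section 3.5, whose input starts with the SSH session identifier. The following is an added illustration, not code from this thread or from any SSH implementation: it builds that MIC input and shows that a MIC produced for one session does not verify for another. GSS_GetMIC is stood in for by HMAC-SHA256 under a constructed context key; the key, session identifiers and user name are all constructed for the example.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str) -> bytes:
    """Data the client MICs for the gssapi-with-mic userauth method (RFC 4462, section 3.5).

    Because the session identifier is the first field, the resulting MIC is bound
    to this particular SSH session and cannot be replayed into another one.
    """
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user.encode("utf-8"))
        + ssh_string(service.encode("utf-8"))
        + ssh_string(b"gssapi-with-mic")
    )


def get_mic(context_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC (assumption): HMAC-SHA256 under the established context key."""
    return hmac.new(context_key, data, hashlib.sha256).digest()


def verify_mic(context_key: bytes, session_id: bytes, user: str, service: str, mic: bytes) -> bool:
    """Server side: recompute the MIC over its own view of the session and compare."""
    expected = get_mic(context_key, mic_input(session_id, user, service))
    return hmac.compare_digest(expected, mic)


# Constructed sample values (not real keys or session identifiers).
CONTEXT_KEY = b"constructed-gss-context-key"
SESSION_A = bytes(range(32))        # exchange hash H of the client's real session
SESSION_B = bytes(range(32, 64))    # a different session, e.g. one run by a relay


def demo() -> tuple:
    """Returns (verifies in session A, verifies in session B) for one client MIC."""
    mic = get_mic(CONTEXT_KEY, mic_input(SESSION_A, "alice", "ssh-connection"))
    ok_a = verify_mic(CONTEXT_KEY, SESSION_A, "alice", "ssh-connection", mic)
    ok_b = verify_mic(CONTEXT_KEY, SESSION_B, "alice", "ssh-connection", mic)
    return ok_a, ok_b
```

A one-message SAML assertion carries no equivalent field tied to the SSH exchange hash, which is why a new userauth method would have to define such a binding explicitly.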