[Ietf-krb-wg] Review of draft-sorce-krbwg-general-pac-02
Josh Howlett <Josh.Howlett@ja.net> Tue, 21 June 2011 12:13 UTC
From: Josh Howlett <Josh.Howlett@ja.net>
To: "ietf-krb-wg@lists.anl.gov" <ietf-krb-wg@lists.anl.gov>
Thread-Topic: Review of draft-sorce-krbwg-general-pac-02
Date: Tue, 21 Jun 2011 12:12:43 +0000
Message-ID: <CA265779.21018%josh.howlett@ja.net>
I took an action at the Prague meeting to review this document.

0. Attribute definition

The document defines a set of attributes, and outlines an extensibility mechanism for incorporating other attributes. While the semantics associated with the attributes defined in section 4 seem entirely reasonable, I am curious why the authors chose to define a document-specific attribute schema rather than adopt the semantics from existing attribute schema (e.g. RFC 2307) where equivalent semantics may have already been defined.

1. Encoding

The document specifies the use of ASN.1 encoding of attributes, on the basis that this is what Kerberos uses. As a general principle the choice of encoding should, IMO, be determined principally by the preferences of the parties expected to issue and consume the PAD. For the purposes of this document, I would expect those to be the KDC (issuer) and -- for modern usage of Kerberos -- the GSS acceptor (consumer). So, in the former case the choice of ASN.1 is reasonable. However, in the second case I would expect that application developers would prefer to use GSS-API naming extensions, rather than parse the PAD directly.

Quoting draft-ietf-kitten-gssapi-naming-exts:

    "The goal is to make information modelled as "name attributes" available to applications. Such information MAY for instance be used by applications to make authorization-decisions. For example, Kerberos V authorization data elements, both in their raw forms, as well as mapped to more useful value types, can be made available to GSS-API applications through these interfaces."

GSS naming extensions is encoding agnostic and so GSS implementations could in principle be extended to support the proposed PAD format, but in practice it may be more efficient to re-use encodings that GSS acceptor implementations already (or are likely to) support, such as SAML, rather than invent a new one.

It is worth noting that the SAML Assertion element has the semantics described in section 5.1 ("PAD Format"); consequently, in principle a SAML attribute assertion could be used as the PAD payload.

2. Attribute semantics

The use-case that motivates the document is authorisation in cross-realm scenarios. The document notes that there are some challenges with some of the proposed authorisation semantics in cross-realm scenarios (e.g. identifier collisions), and that local manipulation of incoming attribute values may be necessary. In contemporary federated deployments, it is common to manage this manipulation explicitly by passing 'entitlement' values rather than explicit authorisations: the privileges associated with an entitlement are derived locally. I encourage the authors to consider the potential of attributes with entitlement semantics, and also entitlement values that may have general applicability.

3. Summary

I recommend that the authors consider the use of SAML encoding for the PAD, and whether exposing these values through GSS-API naming extensions provides a better integration story for application developers. The authors should also consider whether section 4 could be re-factored to make greater use of existing attribute schema. In particular, it might be useful to consider the use of entitlements in addition to explicit authorisations.

Hope this helps.

Josh.
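The distinction drawn in section 2 of the review, between honouring explicit authorisations carried in a PAD and deriving local privileges from entitlement values, as an added example (not code from the draft, the review or any Kerberos implementation). Realm names, entitlement URIs, the `Pad` container and the policy tables are all constructed for illustration.

```python
"""Entitlement-based consumption of cross-realm PAD attributes (added example).

Contrasts a consumer that applies explicit authorisation values (numeric group
ids) from a foreign realm verbatim, which suffers from identifier collisions,
with one that derives privileges locally from (issuer realm, entitlement) pairs.
All names and values below are constructed for the example.
"""
from dataclasses import dataclass, field

@dataclass
class Pad:
    issuer_realm: str                                 # realm whose KDC issued the PAD
    principal: str
    group_ids: list = field(default_factory=list)     # explicit authorisations (e.g. POSIX gids)
    entitlements: list = field(default_factory=list)  # opaque entitlement values

LOCAL_REALM = "LOCAL.EXAMPLE"  # constructed

# Local policy: which issuer is trusted for which entitlement, and what that
# entitlement grants here. Privileges are derived locally, never copied in.
ENTITLEMENT_POLICY = {
    ("PARTNER.EXAMPLE", "urn:example:entitlement:wiki-editor"): {"wiki:write"},
    ("PARTNER.EXAMPLE", "urn:example:entitlement:storage-user"): {"storage:read"},
    ("LOCAL.EXAMPLE", "urn:example:entitlement:admin"): {"wiki:write", "wiki:admin"},
}
# Meaning of gids in the local realm; a foreign realm may reuse the same numbers.
LOCAL_GID_PRIVS = {1000: {"wiki:write"}, 0: {"wiki:admin"}}

def privileges_from_gids(pad):
    """Naive consumer: trusts explicit gids regardless of issuer.
    A foreign gid 0 collides with local gid 0 and grants local admin."""
    return set().union(*(LOCAL_GID_PRIVS.get(g, set()) for g in pad.group_ids))

def privileges_from_entitlements(pad):
    """Entitlement consumer: only (issuer, entitlement) pairs present in local
    policy grant anything; unknown entitlements and untrusted issuers yield nothing."""
    privs = set()
    for ent in pad.entitlements:
        privs |= ENTITLEMENT_POLICY.get((pad.issuer_realm, ent), set())
    # Explicit gids keep their meaning only when the local realm issued them.
    if pad.issuer_realm == LOCAL_REALM:
        privs |= privileges_from_gids(pad)
    return privs
```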