Re: [pkix] Comments on draft-santesson-auth-context-extension-04

Denis Pinkas <denis.pinkas@bull.net> Mon, 11 March 2013 09:41 UTC
To: mrex@sap.com
Cc: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>

Martin,

The problem is that we currently only have a static description of a mapping but no indication of how an RP shall use the content of the extension, in particular when it is critical.

I also have difficulty understanding why this mapping information needs to be in the certificate, since it will be in the audit trail of the CA anyway.

What is important is how the RP shall use that information, and my understanding is still the following: making sure that the certificate belongs to a person who has used a SAML token.

So it is much more straightforward to include in the certificate information about the SAML token itself rather than information on a mapping with the content of the DN, which is anyway of no value to an RP because it cannot be verified.

If a document is targeted to Informational, it is because it may be useful outside the community which has an original interest in it.

Denis

> Denis,
>
> While I have no personal interest or use in this proposal myself,
> I'm somewhat confused by your message.
>
> Denis Pinkas wrote:
>> Allowing to have SAML attributes in a PKC would be a very good thing.
>> However, the relying party DOES NOT care how these SAML attributes have
>> been translated into a subject DN. It is the responsibility of the CA.
> Stefan said that he _has_ RPs who care.  Where is your problem with this?
>
>
>> Thus, if the scope only remains to know how the correspondence was made
>> between the SAML attributes and the subject DN, I don't believe that this
>> document will be useful for the Internet community and thus I am still
>> unconvinced that this document should progress as an Internet Draft.
> "progress as Internet Draft"?
> (I have not the slightest idea what that is.)
>
> From the document header, Stefan seems to be looking for an Individual
> Submission with the intended document status "Informational".
>
> Were you thinking of a Standards track document?
> Or were you thinking about a WG work item (Last thing I heard was that
> PKIX is scheduled to shut down (as IETF WG) and not accepting any further
> work items).  Only the latter two would need any kind of "approval".
>
>
> Stefan's primary interest seems to be sharing information about what he
> does (or intends to do) with the IETF community.  And Stefan seems to
> solicit and accept feedback and suggestions from the PKIX community
> to make this work more useful to others.
>
>
>> If the scope is changed to allow SAML attributes to be included as another
>> name form in a PKC, then this is an important issue which deserves an
>> Internet Draft.
> Stefan indicated that he needs this extension to convey information
> that does not qualify as SAN/otherName, so this feedback seems to be
> missing the point.
>
> If you have a need for this, you might have to create your own proposal/I-D
> to fit this purpose.
>
>
> -Martin