Re: [plasma] Binary value encoding in AuthenticationTypeWSToken

"Jim Schaad" <jimsch@nwlink.com> Fri, 29 June 2012 02:52 UTC

Return-Path: <jimsch@nwlink.com>
X-Original-To: plasma@ietfa.amsl.com
Delivered-To: plasma@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF22C11E8116 for <plasma@ietfa.amsl.com>; Thu, 28 Jun 2012 19:52:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PsXBWH1GoTJ for <plasma@ietfa.amsl.com>; Thu, 28 Jun 2012 19:52:28 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4029011E8085 for <plasma@ietf.org>; Thu, 28 Jun 2012 19:52:28 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 46AB52C9B7; Thu, 28 Jun 2012 19:52:27 -0700 (PDT)
From: "Jim Schaad" <jimsch@nwlink.com>
To: "'Dan Griffin'" <dan@jwsecure.com>, <plasma@ietf.org>
References: <B66E1F139A0F29418103E63A6124AC1C09FDFC0B@BY2PRD0511MB427.namprd05.prod.outlook.com> <018501cd54d9$3dae6c50$b90b44f0$@nwlink.com> <B66E1F139A0F29418103E63A6124AC1C09FE08F6@BY2PRD0511MB427.namprd05.prod.outlook.com>
In-Reply-To: <B66E1F139A0F29418103E63A6124AC1C09FE08F6@BY2PRD0511MB427.namprd05.prod.outlook.com>
Date: Thu, 28 Jun 2012 19:51:06 -0700
Message-ID: <020b01cd55a2$089e56f0$19db04d0$@nwlink.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_020C_01CD5567.5C4BDB00"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHyMd5/I3NLBHFDvMpYXySK4MLPhwGo45WOAdJ+TTqWqwK6oA==
Content-Language: en-us
Subject: Re: [plasma] Binary value encoding in AuthenticationTypeWSToken
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2012 02:52:30 -0000

Ok, the following response will not make you happy.  I suggest that you talk
to your employer about this issue.

 

1.        What kind of credential to get - That depends on what types of
credentials are used by your authentication framework.  The types of
credentials supported include SAML, X.509 certificates, GSS-API and WS-Trust
tokens.   There is no way for use to specify as single authentication method
as different companies use different methods.  Also we want to support some
very loose methods in non-company situations.

2.       Where/how to get it - That depends on what types of credentials are
used by your authentication framework.  You talk to plasma after you have
gotten credentials of some type, plasma does not tell you what type of
credentials you need, although it will tell you what attributes are needed
in the credentials (as part of the XACML response portion).

3.       What Plasma AuthenticationType type to map it to.  That depends on
what types of credentials are used by your authentication framework.  SAML
2.0 Assertions go into the SAML element (section 5.1.1), GSSAPI goes into
the GSSAPI element (section 5.1.4), X.509 certificates use the XML Digital
signature element (as might SAML if there is a holder of key statement)
(section 5.1.3).  Other types would go into locally defined Other (an
example would be SAML 1.0 Assertions) (external document - referenced from
section 5.1).

4.       How to do the encoding for that mapping.  That depends on what
types of credentials are used by your authentication framework.  See the
response to question 3.

 

 

Jim

 

 

 

From: Dan Griffin [mailto:dan@jwsecure.com] 
Sent: Thursday, June 28, 2012 4:16 PM
To: Jim Schaad; plasma@ietf.org
Subject: RE: [plasma] Binary value encoding in AuthenticationTypeWSToken

 

I'm referring to how the client authenticates to Plasma in the first place,
i.e. part of the work the client has to do before a single Plasma call is
made. The client will have to know:

 

1.       What kind of credential to get

2.       Where/how to get it

3.       What Plasma AuthenticationType type to map it to

4.       How to do the encoding for that mapping

 

The draft text doesn't appear to address #3 at all. How can you expect
interoperability? My first question remains unanswered. 

 

From: Jim Schaad [mailto:jimsch@nwlink.com] 
Sent: Wednesday, June 27, 2012 7:54 PM
To: Dan Griffin; plasma@ietf.org
Subject: RE: [plasma] Binary value encoding in AuthenticationTypeWSToken

 

Please let me know what text is unclear in the document.

 

This is A correct type  There is no ONE correct type of token to be
returned.  This is strictly a choice of the server.  The server can use an
XML based token, such as SAML or an ASN.1 based token, such as CMS or a
non-structured token, such as an index in a database.

 

There is no requirement in the document that the client understand the token
returned to the client.  In fact the requirement is just the opposite.  The
token is to be treated as an opaque blob by the client.  If data such as
lifetimes is to be returned they are returned as wst namespace attributes.

 

Jim

 

 

From: plasma-bounces@ietf.org [mailto:plasma-bounces@ietf.org] On Behalf Of
Dan Griffin
Sent: Wednesday, June 27, 2012 1:42 PM
To: plasma@ietf.org
Subject: [plasma] Binary value encoding in AuthenticationTypeWSToken

 

We're using AuthenticationTypeWSToken to transmit a SAML token - is that the
correct type?

 

If so, just wanted to clarify - the Value member of that type is a hex
binary string, which seems like an odd choice. Wouldn't XML make more sense?