Re: [proxies] [IETF Proxy] Next Steps

Stefan Winter <stefan.winter@restena.lu> Fri, 18 April 2008 07:11 UTC

Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFB373A68AB; Fri, 18 Apr 2008 00:11:42 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D4AA03A6844 for <proxies@core3.amsl.com>; Fri, 18 Apr 2008 00:11:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZQvH3grOd+4j for <proxies@core3.amsl.com>; Fri, 18 Apr 2008 00:11:40 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [158.64.1.62]) by core3.amsl.com (Postfix) with ESMTP id 1BDBC3A690A for <proxies@ietf.org>; Fri, 18 Apr 2008 00:11:40 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 678E576F45; Fri, 18 Apr 2008 09:11:40 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTP id 5707176F43; Fri, 18 Apr 2008 09:11:40 +0200 (CEST)
From: Stefan Winter <stefan.winter@restena.lu>
Organization: Fondation RESTENA
To: Alan DeKok <aland@nitros9.org>
Date: Fri, 18 Apr 2008 09:11:35 +0200
User-Agent: KMail/1.9.6 (enterprise 20070904.708012)
References: <7.0.1.0.2.20080416172531.02401228@nist.gov> <200804171550.48931.stefan.winter@restena.lu> <480769A1.9080408@nitros9.org>
In-Reply-To: <480769A1.9080408@nitros9.org>
X-Face: %j?V+uSSM.S0%383/M#=_w?DsL5os9fxa%z-TN:))c[W7~6eK)=2ek5>=?utf-8?q?=5Ed+=3B=5Dk=2EwY4k1ve=0A=092=23=5EC=5EstMo*JDE=3FS2YkN=3At=7E?= =?utf-8?q?Vv=7D?=(exS~'/q+xqA<acFY(btkiR{eKogv`i=}e.q-> =?utf-8?q?KPf6=7E=5B=3B=0A=09=27=2EB=27=2EDkOdU6gj-r=23ei=7D=23d=60=3B?= =?utf-8?q?B=7C*8awL3HM-=5C=3DR?=>Z<(33?+#W+:Fy)TH&)Q({@ =?utf-8?q?ZBHm=26d8LZ=24=0A=09M/L!033=7CZlf7?=(=d<{]y!'$TmaI\276$)iMlA@A*ZA&q>W5"rsQ)FHGBp)<B6I`c8-M\N"" =?utf-8?q?=0A=09=3FQj!+=60YSi=3AXV7a7mZbH!Q=3FsCW?=)Mj_Vkm@*^Wzmv1qB%$+_@$[?I
MIME-Version: 1.0
Message-Id: <200804180911.39758.stefan.winter@restena.lu>
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: proxies@ietf.org
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1316107461=="
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

Hi,

> > So if a foreign eduroam user authenticates within Australia, the visited
> > domain needs to get information about the age of the user.
>
>   IANAL, but there are adults who are not legally responsible for their
> actions.  Requiring that the users be "legally responsible" may satisfy
> the constraint, while exposing minimal information.

I am very happy that I didn't have to dig into the gory details of the issue 
yet. My first shot at it is: if that adult isn't legally responsive for his 
actions, he's very likely not a member of the higher ed and research 
community, so the number of occurences in our constituency is very likely to 
be 0 :-)

> > Without proxies,
> > this would not be a problem: define a Vendor-Specific attribute and
> > communicate the value. With proxies, things are worse: the traffic will
> > be sent through intermediate proxy servers, which can then correlate the
> > information of the age to the user identity, and thus create personally
> > identifiable data sets.
>
>   It gets worse than that.  How does one end express a query that the
> other end can understand?  This involves defining a fairly complex
> policy language.  So far, all attempts to define a usable policy
> language have failed.

I guess it's not so important in the scope of this list, but here goes a short 
overview of something we made up to overcome these things.

First there is the SAML language that allows to query attributes about a user. 
It includes a user consent part (his "attribute release policy"). SAML 
entities can communicate their attribute payload without using proxies.

There is also a common schema for user attributes in the educational 
community: MACE's eduPerson schema, and a few extensions to that in SCHAC, 
the Schema for Academia. These are used to express user attributes in SAML. 
They are roughly unambiguous in their content.

The current approach in our labs is: use a RADIUS attribute to send a short 
SAML authentication artifact plus a URL of a responsible SAML 
attribute-source via the proxy chain from home domain to visited domain along 
with the RADIUS Accept.
Visited domain can use this opaque handle to request user attributes directly 
from the home domain's SAML attribute-source.
Of course, every proxy has access to the same artifact and URL. Here the 
user's attribute release policy is supposed to come to the rescue: he must 
have specified beforehand that the specific visited domain is allowed to ask 
for the attribute in question. Other proxies will not have the user's consent 
and don't get any attributes.

Needless to say: this is complicated. We have a prototype of this, but frankly 
I think it is best described with the words "weird" and "whacky". I don't see 
this going into production any time soon.

> > - proxies can intercept data they are not entitled for and abuse it
>
>   Yes.  Non-technical means exist to address this problem.

Certainly. Contractual bounds could be used. My personal preference would be 
to have an encryption channel between home and visited domain AAA servers 
(_not_ NASes) to eliminate the problem of paperwork at all, but I admit that 
this is almost impossible to do correct.

> > - Severity: that depends heavily on one's personal view on privacy and
> > confidentiality of personal data and its weight in today's world. I don't
> > want to make a blanket statement here.
>
>   The people I talk to indicate that they are more worried about users
> abusing the system than insiders.
>
>   e.g. wireless sniffers at a hotspot are a problem.  Malicious proxies
> aren't.

I'd like to remind that we had entertaining discussions about people being 
worried of proxies inserting faked accounting packets. I'm not sure to what 
extent operators care about that though. FWIW, our own community doesn't care 
so much: it's a free service. :-)

>   I do think we need a documentation explaining the possible
> architectures, the threats, requirements, and judged risks.

Certainly!

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter@restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
_______________________________________________
Proxies mailing list
Proxies@ietf.org
https://www.ietf.org/mailman/listinfo/proxies