Re: [proxies] [IETF Proxy] Next Steps
Stefan Winter <stefan.winter@restena.lu> Fri, 18 April 2008 07:11 UTC
Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFB373A68AB; Fri, 18 Apr 2008 00:11:42 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D4AA03A6844 for <proxies@core3.amsl.com>; Fri, 18 Apr 2008 00:11:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZQvH3grOd+4j for <proxies@core3.amsl.com>; Fri, 18 Apr 2008 00:11:40 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [158.64.1.62]) by core3.amsl.com (Postfix) with ESMTP id 1BDBC3A690A for <proxies@ietf.org>; Fri, 18 Apr 2008 00:11:40 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 678E576F45; Fri, 18 Apr 2008 09:11:40 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTP id 5707176F43; Fri, 18 Apr 2008 09:11:40 +0200 (CEST)
From: Stefan Winter <stefan.winter@restena.lu>
Organization: Fondation RESTENA
To: Alan DeKok <aland@nitros9.org>
Date: Fri, 18 Apr 2008 09:11:35 +0200
User-Agent: KMail/1.9.6 (enterprise 20070904.708012)
References: <7.0.1.0.2.20080416172531.02401228@nist.gov> <200804171550.48931.stefan.winter@restena.lu> <480769A1.9080408@nitros9.org>
In-Reply-To: <480769A1.9080408@nitros9.org>
X-Face: %j?V+uSSM.S0%383/M#=_w?DsL5os9fxa%z-TN:))c[W7~6eK)=2ek5>^d+;]k.wY4k1ve
2#^C^stMo*JDE?S2YkN:t~Vv}(exS~'/q+xqA<acFY(btkiR{eKogv`i=}e.q-> KPf6~[;
'.B'.DkOdU6gj-r#ei}#d`;B|*8awL3HM-\=R>Z<(33?+#W+:Fy)TH&)Q({@ ZBHm&d8LZ$
M/L!033|Zlf7(=d<{]y!'$TmaI\276$)iMlA@A*ZA&q>W5"rsQ)FHGBp)<B6I`c8-M\N""
?Qj!+`YSi:XV7a7mZbH!Q?sCW)Mj_Vkm@*^Wzmv1qB%$+_@$[?I
MIME-Version: 1.0
Message-Id: <200804180911.39758.stefan.winter@restena.lu>
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: proxies@ietf.org
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1316107461=="
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org
Hi, > > So if a foreign eduroam user authenticates within Australia, the visited > > domain needs to get information about the age of the user. > > IANAL, but there are adults who are not legally responsible for their > actions. Requiring that the users be "legally responsible" may satisfy > the constraint, while exposing minimal information. I am very happy that I didn't have to dig into the gory details of the issue yet. My first shot at it is: if that adult isn't legally responsive for his actions, he's very likely not a member of the higher ed and research community, so the number of occurences in our constituency is very likely to be 0 :-) > > Without proxies, > > this would not be a problem: define a Vendor-Specific attribute and > > communicate the value. With proxies, things are worse: the traffic will > > be sent through intermediate proxy servers, which can then correlate the > > information of the age to the user identity, and thus create personally > > identifiable data sets. > > It gets worse than that. How does one end express a query that the > other end can understand? This involves defining a fairly complex > policy language. So far, all attempts to define a usable policy > language have failed. I guess it's not so important in the scope of this list, but here goes a short overview of something we made up to overcome these things. First there is the SAML language that allows to query attributes about a user. It includes a user consent part (his "attribute release policy"). SAML entities can communicate their attribute payload without using proxies. There is also a common schema for user attributes in the educational community: MACE's eduPerson schema, and a few extensions to that in SCHAC, the Schema for Academia. These are used to express user attributes in SAML. They are roughly unambiguous in their content. The current approach in our labs is: use a RADIUS attribute to send a short SAML authentication artifact plus a URL of a responsible SAML attribute-source via the proxy chain from home domain to visited domain along with the RADIUS Accept. Visited domain can use this opaque handle to request user attributes directly from the home domain's SAML attribute-source. Of course, every proxy has access to the same artifact and URL. Here the user's attribute release policy is supposed to come to the rescue: he must have specified beforehand that the specific visited domain is allowed to ask for the attribute in question. Other proxies will not have the user's consent and don't get any attributes. Needless to say: this is complicated. We have a prototype of this, but frankly I think it is best described with the words "weird" and "whacky". I don't see this going into production any time soon. > > - proxies can intercept data they are not entitled for and abuse it > > Yes. Non-technical means exist to address this problem. Certainly. Contractual bounds could be used. My personal preference would be to have an encryption channel between home and visited domain AAA servers (_not_ NASes) to eliminate the problem of paperwork at all, but I admit that this is almost impossible to do correct. > > - Severity: that depends heavily on one's personal view on privacy and > > confidentiality of personal data and its weight in today's world. I don't > > want to make a blanket statement here. > > The people I talk to indicate that they are more worried about users > abusing the system than insiders. > > e.g. wireless sniffers at a hotspot are a problem. Malicious proxies > aren't. I'd like to remind that we had entertaining discussions about people being worried of proxies inserting faked accounting packets. I'm not sure to what extent operators care about that though. FWIW, our own community doesn't care so much: it's a free service. :-) > I do think we need a documentation explaining the possible > architectures, the threats, requirements, and judged risks. Certainly! Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
_______________________________________________ Proxies mailing list Proxies@ietf.org https://www.ietf.org/mailman/listinfo/proxies
- [proxies] [IETF Proxy] Next Steps Katrin Hoeper
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Alan DeKok
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Katrin Hoeper
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Bernard Aboba
- Re: [proxies] [IETF Proxy] Next Steps Dan Harkins
- Re: [proxies] [IETF Proxy] Next Steps Alan DeKok
- Re: [proxies] [IETF Proxy] Next Steps Bernard_Aboba
- Re: [proxies] [IETF Proxy] Next Steps Bernard_Aboba
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Dan Harkins
- Re: [proxies] [IETF Proxy] Next Steps Dan Harkins
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Klaas Wierenga
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Klaas Wierenga
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Klaas Wierenga