MIME-Version: 1.0
In-Reply-To: <6B7C7317-467A-4809-ABA3-FF599332F18D@osu.edu>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com>
 <tsltws4ze6d.fsf@mit.edu>
 <20150812195437.2e03c0c8@latte.josefsson.org>
 <20150812183657.GG3654@localhost>
 <6B7C7317-467A-4809-ABA3-FF599332F18D@osu.edu>
Date: Sat, 15 Aug 2015 08:52:49 +0100
Message-ID: <CAPofZaF80pBKM6_9rtLvnOBzHJZ4boPFjpSPCHv0OLV5QMGjNg@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: "Cantor, Scott" <cantor.2@osu.edu>
Content-Type: multipart/alternative; boundary=001a11347b18d2cd98051d54da5f
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/XgpL0qa-tATxjZHFkj1tpZk2QHc>
Cc: Simon Josefsson <simon@josefsson.org>, "kitten@ietf.org" <kitten@ietf.org>,
 "saag@ietf.org" <saag@ietf.org>,
 "draft-ietf-kitten-sasl-saml-ec@tools.ietf.org"
 <draft-ietf-kitten-sasl-saml-ec@tools.ietf.org>,
 Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [saag] [kitten] SSH Protocol Extensions
Precedence: list

--001a11347b18d2cd98051d54da5f
Content-Type: text/plain; charset=UTF-8

Thanks to everyone for their input. I think my efforts would be better
directed at extending the SSH protocol to support SASL; although SASL/GSS
binding (RFC5801) is possible in some cases, it isn't always.

Is there an industry standard for SASL in C? I'm aware of
https://tools.ietf.org/html/draft-newman-sasl-c-api-03 from April 2004 and
the GSASL http://www.gnu.org/software/gsasl/ library, but am looking for a
standard mechanism where adding new SASL mechanisms is a case of adding a
run-time plugin (.so / .dll).

Phil Lello

On Thu, Aug 13, 2015 at 2:48 PM, Cantor, Scott <cantor.2@osu.edu> wrote:

> On 8/12/15, 2:37 PM, "Kitten on behalf of Nico Williams" <
> kitten-bounces@ietf.org on behalf of nico@cryptonector.com> wrote:
>
> >On Wed, Aug 12, 2015 at 07:54:37PM +0200, Simon Josefsson wrote:
> >> Or look into already published RFC 6616 for OpenID in SASL or RFC 6595
> >> on SAML in SASL.  SAML-EC avoids the web loop, and may indeed be more
> >> relevant depending on use-case.
> >
> >If Phil needs a SAML, one-message authentiation method with no proof of
> >possession, then a new SSHv2 userauth method is probably best (since the
> >GSS userauth method uses MIC tokens for channel binding).  Would the
> >SAML token be possible to bind to an SSHv2 session?  I would hope so.
>
> Except it's not defined how one would acquire the token, and that's not
> trivial to do properly. If SAML IdPs don't support the profile, then you're
> nowhere. That's the problem the saml-ec mechanism was attacking
> fundamentally, reuse of an appropriate SAML profile to do the job.
>
> -- Scott
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

--001a11347b18d2cd98051d54da5f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Thanks to everyone for their input. I think my e=
fforts would be better directed at extending the SSH protocol to support SA=
SL; although SASL/GSS binding (RFC5801) is possible in some cases, it isn&#=
39;t always.<br><br></div>Is there an industry standard for SASL in C? I=
9;m aware of <a href=3D"https://tools.ietf.org/html/draft-newman-sasl-c-api=
-03">https://tools.ietf.org/html/draft-newman-sasl-c-api-03</a> from April =
2004 and the GSASL <a href=3D"http://www.gnu.org/software/gsasl/">http://ww=
w.gnu.org/software/gsasl/</a> library, but am looking for a standard mechan=
ism where adding new SASL mechanisms is a case of adding a run-time plugin =
(.so / .dll).<br><br></div><div>Phil Lello<br></div></div><div class=3D"gma=
il_extra"><br><div class=3D"gmail_quote">On Thu, Aug 13, 2015 at 2:48 PM, C=
antor, Scott <span dir=3D"ltr">&lt;<a href=3D"mailto:cantor.2@osu.edu" targ=
et=3D"_blank">cantor.2@osu.edu</a>&gt;</span> wrote:<br><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex"><span class=3D"">On 8/12/15, 2:37 PM, &quot;Kitten on behalf =
of Nico Williams&quot; &lt;<a href=3D"mailto:kitten-bounces@ietf.org">kitte=
n-bounces@ietf.org</a> on behalf of <a href=3D"mailto:nico@cryptonector.com=
">nico@cryptonector.com</a>&gt; wrote:<br>
<br>
&gt;On Wed, Aug 12, 2015 at 07:54:37PM +0200, Simon Josefsson wrote:<br>
&gt;&gt; Or look into already published RFC 6616 for OpenID in SASL or RFC =
6595<br>
&gt;&gt; on SAML in SASL.=C2=A0 SAML-EC avoids the web loop, and may indeed=
 be more<br>
&gt;&gt; relevant depending on use-case.<br>
&gt;<br>
&gt;If Phil needs a SAML, one-message authentiation method with no proof of=
<br>
&gt;possession, then a new SSHv2 userauth method is probably best (since th=
e<br>
&gt;GSS userauth method uses MIC tokens for channel binding).=C2=A0 Would t=
he<br>
&gt;SAML token be possible to bind to an SSHv2 session?=C2=A0 I would hope =
so.<br>
<br>
</span>Except it&#39;s not defined how one would acquire the token, and tha=
t&#39;s not trivial to do properly. If SAML IdPs don&#39;t support the prof=
ile, then you&#39;re nowhere. That&#39;s the problem the saml-ec mechanism =
was attacking fundamentally, reuse of an appropriate SAML profile to do the=
 job.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
-- Scott<br>
</font></span><div class=3D"HOEnZb"><div class=3D"h5"><br>
_______________________________________________<br>
saag mailing list<br>
<a href=3D"mailto:saag@ietf.org">saag@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/saag" rel=3D"noreferrer" t=
arget=3D"_blank">https://www.ietf.org/mailman/listinfo/saag</a><br>
</div></div></blockquote></div><br></div>

--001a11347b18d2cd98051d54da5f--