IETF Logo Mail Archive

Re: [sacm] Authentication and Authorization for Content Repository

Luis Nunez <lnunez@c3isecurity.com> Tue, 06 November 2012 14:18 UTC

Return-Path: <lnunez@c3isecurity.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B93421F8685 for <sacm@ietfa.amsl.com>; Tue, 6 Nov 2012 06:18:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0CMKe6Ge4NL for <sacm@ietfa.amsl.com>; Tue, 6 Nov 2012 06:18:26 -0800 (PST)
Received: from mail-gg0-f172.google.com (mail-gg0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9D14821F81FE for <sacm@ietf.org>; Tue, 6 Nov 2012 06:18:26 -0800 (PST)
Received: by mail-gg0-f172.google.com with SMTP id i4so70641ggn.31 for <sacm@ietf.org>; Tue, 06 Nov 2012 06:18:26 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=28uc9wIDsr4OIsSnR2DLVKxy79SZ69m0rbd13q1hCZ4=; b=GjyIOWNvLAcp3kxeq2sSohdRUjk3jpegAhkO5QPhFnY80G/ekiTfxXZlsDiyLwRicu PLYLE2EydQ6fno4rnOXe2NbmNDb1Jn8TBnrOTP0S0ZG7brCqZnDns8C95v7SfR/AHO9c Ze2PTVYV+/g2pHX2r/ss+Jb+MxyACwdhNISCnnrTV4LkHM7TLh9PtYaQu867Pvps6OGn zq6kbyzgjAqH2AyQoSaBum/rr6I6aPweNA289RgX+vqneMOMaqHbbeuVvQbCajlCEzSb 19219I7Fb8xgMtcZaJpvXE/nhJNHklFRzsFwAzUg9uYco38buvjUf+hL82edHy3DtxRp sSBw==
Received: by 10.236.134.18 with SMTP id r18mr1130946yhi.45.1352211506141; Tue, 06 Nov 2012 06:18:26 -0800 (PST)
Received: from [192.168.1.27] (cpe-066-057-081-254.nc.res.rr.com. [66.57.81.254]) by mx.google.com with ESMTPS id u21sm2113460yhl.6.2012.11.06.06.18.25 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 06 Nov 2012 06:18:25 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/alternative; boundary="Apple-Mail=_D186563A-98EB-4240-A633-338FB04C4333"
From: Luis Nunez <lnunez@c3isecurity.com>
In-Reply-To: <5099192C.7000107@joval.org>
Date: Tue, 06 Nov 2012 09:18:24 -0500
Message-Id: <D8862CEF-6B49-4104-8F30-5F99BB75DBF7@c3isecurity.com>
References: <00ff01cdbc24$f524da10$df6e8e30$@secpod.com> <5099192C.7000107@joval.org>
To: David Solin <david@joval.org>
X-Mailer: Apple Mail (2.1283)
X-Gm-Message-State: ALoCoQlTPn2fio+GIcVA1kfT4OquDt81yAhL7Y3+GWp+/+9elkuTnKHbPrqtk6lt4wTC65MwUpoU
Cc: bchandra@secpod.com, sacm@ietf.org
Subject: Re: [sacm] Authentication and Authorization for Content Repository
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sacm>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 14:18:27 -0000

initial thoughts are to look at the Resource Oriented Lightweight Indicator Exchange draft:
http://tools.ietf.org/html/draft-field-mile-rolie-00 
Rolie is on the MILE agenda we should review.

We may also want to look at the what the kitten working group is doing in this area 
 https://datatracker.ietf.org/doc/charter-ietf-kitten/


-ln


On Nov 6, 2012, at 9:05 AM, David Solin wrote:

> Hi Chandra,
> 
> Authentication and authorization should be handled exclusively at the HTTP/(S) layer.  This would allow for Basic, Digest, NTLM, Kerberos, SSL certs, SAML, etc. -- whatever it is that the repository specifies.  (Incidentally, the standard practice for a web server to use client certificates for authorization purposes is to implement a certificate mapping).
> 
> So, I see no reason why use of SAML should be required by the specification; it should be completely agnostic in this regard.
> 
> Regards,
> --David Solin
> 
> On 11/6/2012 7:45 AM, Chandrashekhar B wrote:
>> There were some discussion on this topic earlier and it was somewhat concluded that authorization and access control should not be part of the standardization effort, as it brings-in complexity. As an effort to make SCAP Repo’s web service authentication and authorization seamless and support subscription services, we took up an exercise to think through various options.
>>  
>> We currently have User ID and Password based mechanism, which will not work in an automated environment.
>> SSL mutual certificate based authentication is another option but, brings its own complexity and there are no authorization statements in a standard certificate.
>>  
>> After looking at few other non-standard option, we thought SAML authorization assertion is the way to go and it binds well to the enterprise SSO implementations. So, keeping the IDP and token issuance out of scope from the standardization point of view, we can ask the repository <-> repository or client <- > repository interactions come with SAML authorization token. SAML token can be sent part of the HTTP Authorization Header (compressed), which fits well with the RESTful web service model.
>>  
>> Any thoughts on this?
>>  
>> Thanks,
>> Chandra.
>> 
>> 
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
> 
> 
> -- 
> jOVAL.org: SCAP Simplified.
> Learn More | Features | Download
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email