Re: [SECMECH] AAA requirement for middleware

Josh Howlett <josh.howlett@bristol.ac.uk> Mon, 27 June 2005 16:00 UTC

Date: Mon, 27 Jun 2005 16:58:01 +0100
From: Josh Howlett <josh.howlett@bristol.ac.uk>
To: Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [SECMECH] AAA requirement for middleware
Message-ID: <85DDD0E2BB4C365651CDCDF8@cumulus>
In-Reply-To: <tslfyv3ltrz.fsf@cz.mit.edu>
References: <Pine.GSO.4.44.0506232014570.2267-100000@shark.cse.bris.ac.uk> <tslpsu8993r.fsf@cz.mit.edu> <BDF2F587280947CE549536C2@cumulus> <tslfyv3ltrz.fsf@cz.mit.edu>
Cc: secmech@ietf.org
Reply-To: Josh Howlett <josh.howlett@bristol.ac.uk>


--On Monday, June 27, 2005 11:10:56 -0400 Sam Hartman 
<hartmans-ietf@mit.edu> wrote:

>>>>>> "Josh" == Josh Howlett <josh.howlett@bristol.ac.uk> writes:
>
>     Josh> --On Sunday, June 26, 2005 16:06:00 -0400 Sam Hartman
>     Josh> <hartmans-ietf@mit.edu> wrote:
>     >> I don't think extending EAP to those other frameworks is the
>     >> right solution. I do think that making it possible to use
>     >> cross-realm AAA is a requirement.
>
>     Josh> In which case, it's important to me that these frameworks
>     Josh> offer mechanisms that share the properties of EAP (or, at
>     Josh> least, the tunnelled EAP methods) that make it so good for
>     Josh> cross-realm AAA.
>
> Mind enumerating these requirements for us?

Off the top of my head:

 - plays nicely with the cross-realm AAA protocol _du jour_, RADIUS, and 
successor, Diameter;
 - passthrough mode (authenticator does not participate in authentication, 
beyond acting as a go-between, and simply honours the success/failure code 
returned by the AAA backend);
 - negotiation of EAP methods;
 - extensible attributes: can be returned by the AAA/H to allow richer 
AuthZ at the resource;
 - ability to pass attributes from the AAA/H to both the peer and the 
authenticator simultaneously, but distinctly and privately, through the 
same AAA transaction;
 - security association can be established between the peer (user) and the 
AAA/H, and used to provide privacy across the hops between the peer and the 
AAA/H;
 - use of anonymous NAIs ("anonymous@example.com") to allow anonymous 
proxying of requests;
 - support for legacy AuthN mechanisms.

josh.

-- 
-----------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: josh.howlett@bris.ac.uk
------------------------------------------------------------

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech
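The properties Josh lists (realm-routed pass-through, an anonymous outer NAI, a peer-to-AAA/H security association that hides the inner identity from every hop, and attributes returned separately to the authenticator and to the peer) can be exercised in a small model. The following is an added illustration, not code from this thread or from any EAP/RADIUS implementation. The `seal`/`open_sealed` pair is a toy HMAC-based stand-in for the TLS tunnel of a tunnelled EAP method, the pre-shared `tunnel_key` stands in for the TLS-derived key, and the realm table, user records and attribute names (`vlan`, `session_timeout`, `notice`) are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# ---- toy tunnel primitive: stand-in for the TLS tunnel of PEAP/TTLS -------
# Keystream = HMAC-SHA256(key, nonce||counter) XORed with the data, then an
# HMAC tag over nonce||ciphertext. Illustrative only; use TLS or an AEAD.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def parse_nai(nai: str):
    """Split a Network Access Identifier at its last '@'; the realm is
    lower-cased because routing compares realms case-insensitively."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()

class HomeServer:
    """AAA/H for one realm. It alone can open the inner blob, checks the
    credential, and answers with a verdict plus two attribute sets: one in
    the clear for the authenticator, one sealed so only the peer reads it."""
    def __init__(self, realm: str, users: dict, tunnel_key: bytes):
        self.realm, self.users, self.tunnel_key = realm, users, tunnel_key

    def handle(self, sealed_inner: bytes):
        try:
            inner_id, password = open_sealed(self.tunnel_key, sealed_inner).decode().split("\0", 1)
        except ValueError:
            return "Reject", {}, b""
        rec = self.users.get(inner_id)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return "Reject", {}, b""
        nas_attrs = {"vlan": rec["vlan"], "session_timeout": 3600}      # for the NAS
        peer_attrs = {"inner_identity": inner_id, "notice": rec["notice"]}  # for the peer only
        return "Accept", nas_attrs, seal(self.tunnel_key, json.dumps(peer_attrs).encode())

class Authenticator:
    """NAS in pass-through mode: routes on the outer realm, forwards the
    opaque inner blob untouched, and simply honours the verdict."""
    def __init__(self, realms: dict):
        self.realms = realms   # realm -> HomeServer; stands in for a RADIUS proxy table
        self.log = []          # what this hop gets to see

    def access_request(self, outer_nai: str, sealed_inner: bytes):
        user, realm = parse_nai(outer_nai)
        home = self.realms.get(realm)
        if home is None:
            self.log.append(f"{outer_nai}: no route for realm {realm}")
            return "Reject", {}, b""
        verdict, nas_attrs, peer_blob = home.handle(sealed_inner)
        self.log.append(f"{outer_nai} -> {realm}: {verdict} nas_attrs={nas_attrs}")
        return verdict, nas_attrs, peer_blob

class Peer:
    """Supplicant: anonymous outer NAI carrying only the realm, real identity
    and password inside the sealed blob."""
    def __init__(self, inner_nai: str, password: str, tunnel_key: bytes):
        self.inner_nai, self.password, self.tunnel_key = inner_nai, password, tunnel_key

    def connect(self, nas: Authenticator) -> dict:
        inner_user, realm = parse_nai(self.inner_nai)
        outer_nai = "anonymous@" + realm
        sealed = seal(self.tunnel_key, f"{inner_user}\0{self.password}".encode())
        verdict, nas_attrs, peer_blob = nas.access_request(outer_nai, sealed)
        peer_attrs = json.loads(open_sealed(self.tunnel_key, peer_blob)) if verdict == "Accept" else {}
        return {"verdict": verdict, "nas_attrs": nas_attrs, "peer_attrs": peer_attrs}

def run_example():
    """Constructed scenario: one home realm, a good login, a bad password,
    and a realm nobody routes. Returns the three results and the NAS log."""
    key = b"\x01" * 32   # constructed; stands in for the TLS-derived tunnel key
    home = HomeServer("example.com",
                      {"alice": {"password": "correct horse", "vlan": 42,
                                 "notice": "password expires in 7 days"}}, key)
    nas = Authenticator({"example.com": home})
    ok = Peer("alice@example.com", "correct horse", key).connect(nas)
    bad = Peer("alice@example.com", "wrong", key).connect(nas)
    lost = Peer("bob@nowhere.invalid", "irrelevant", key).connect(nas)
    return ok, bad, lost, nas.log

if __name__ == "__main__":
    for line in run_example()[3]:
        print(line)
```

The NAS log is the point of the model: every entry carries only `anonymous@example.com`, the verdict and the authenticator-side attributes, while `alice`, her password and the peer-only `notice` never appear at that hop. The same split is what lets a proxy chain forward on the realm alone and honour the home server's verdict without being trusted with the credential.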