RE: [SECMECH] AAA requirement for middleware

"Salowey, Joe" <> Tue, 28 June 2005 16:53 UTC

Date: Tue, 28 Jun 2005 09:58:02 -0700
To: "Josh Howlett" <>, "Sam Hartman" <>

Hi Josh,

I just posted a link to an Internet draft I have been working on about
creating generally useful authentication mechanisms (GUAM).  

I tried to state your requirements below as requirements for generally
useful authentication mechanisms. 

>  - plays nicely with the cross-realm AAA protocol _du jour_, 
> RADIUS, and successor, Diameter;

[Joe] Generally useful mechanisms should be usable in the EAP

Currently to support RADIUS or DIAMETER it is helpful to be able to use
an authentication mechanism within the EAP framework.  There are other
possibilities but EAP provides a nice interface to AAA servers. 

>  - passthrough mode (authenticator does not participate in 
> authentication, beyond acting as a go-between, and simply 
> honours the success/failure code returned by the AAA backend);

[Joe] Generally useful mechanisms should perform authentication between
two parties and should expect that an arbitrary number of proxies
between the parties may handle the messages.

>  - negotiation of EAP methods;

[Joe] There should be a secure means of negotiating generally useful
mechanisms.  I assume you mean protected negotiation of EAP methods
(perhaps within a tunnel). 

>  - extensible attributes: can be returned by the AAA/H to 
> allow richer AuthZ at the resource;

[Joe] Generally useful mechanisms should be able to exchange
authenticated data between authenticated parties and export this data to
the calling framework. In the GUAM draft I referred to this as channel
bindings (EAP).

>  - ability to pass attributes from the AAA/H to both the peer 
> and the authenticator simultaneously, but distinctly and 
> privately, through the same AAA transaction;

[Joe] Can you elaborate on this?

>  - security association can be established between the peer 
> (user) and the AAA/H, and used to provide privacy across the 
> hops between the peer and the AAA/H.

[Joe] Generally useful mechanisms should provide the ability to provide
confidentiality for the data exchanged as channel binding (EAP). This
might not be a general requirement for all mechanisms, but a desirable
feature (integrity protection should be required).

>  - use of anonymous NAIs ("") to allow 
> anonymous proxying of requests;

[Joe] Generally useful mechanisms should allow for privacy of the
identity of one of the parties. This might not be a general requirement
for all mechanisms, but it is a desirable feature of mechanisms.

>  - support for legacy AuthN mechanisms;

[Joe] I expect that this would depend upon the specific generally useful
mechanism and the legacy mechanism.  Not all generally useful
mechanisms will support legacy AuthN mechanisms. What legacy mechanisms
are you interested in supporting?
