RE: [SECMECH] AAA requirement for middleware

Josh Howlett <Josh.Howlett@bristol.ac.uk> Tue, 28 June 2005 19:39 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DnLw2-0005gd-U5; Tue, 28 Jun 2005 15:39:54 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DnLw2-0005gN-Cf for secmech@megatron.ietf.org; Tue, 28 Jun 2005 15:39:54 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA11248 for <secmech@ietf.org>; Tue, 28 Jun 2005 15:39:51 -0400 (EDT)
Received: from dirg.bris.ac.uk ([137.222.10.102]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DnMJJ-0002UN-JI for secmech@ietf.org; Tue, 28 Jun 2005 16:03:58 -0400
Received: from shark.cse.bris.ac.uk ([137.222.12.110]) by dirg.bris.ac.uk with esmtp (Exim 4.51) id 1DnLtJ-0000FC-7g; Tue, 28 Jun 2005 20:37:06 +0100
Received: from localhost (localhost [127.0.0.1]) by shark.cse.bris.ac.uk (8.11.7-20030918/8.11.6) with ESMTP id j5SJZiv02247; Tue, 28 Jun 2005 20:35:44 +0100 (BST)
Date: Tue, 28 Jun 2005 20:35:44 +0100 (BST)
From: Josh Howlett <Josh.Howlett@bristol.ac.uk>
X-X-Sender: bujfxh@shark.cse.bris.ac.uk
To: "Salowey, Joe" <jsalowey@cisco.com>
Subject: RE: [SECMECH] AAA requirement for middleware
In-Reply-To: <7210B31550AC934A8637D6619739CE69056DCF3E@e2k-sea-xch2.sea-alpha.cisco.com>
Message-ID: <Pine.GSO.4.44.0506281951330.2267-100000@shark.cse.bris.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Score: -2.8
X-Spam-Level: --
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 769a46790fb42fbb0b0cc700c82f7081
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

Hi Sam,

On Tue, 28 Jun 2005, Salowey, Joe wrote:
> I tried to state your requirements below as requirements for generally
> useful authentication mechanisms.

Your restatements are good. I have appended the additional
clarifications as requested below.

> >  - extensible attributes: can be returned by the AAA/H to
> > allow richer AuthZ at the resource;
>
> [Joe] Generally useful mechanism should be able to exchange
> authenticated data between authenticated parties and export this data to
> the calling framework. In the GUAM draft I referred to this as channel
> bindings (EAP).

FWIW, a useful outcome of the SECMECH discussion might be a consistent
glossary :-)

> >  - ability to pass attributes from the AAA/H to both the peer
> > and the authenticator simultaneously, but distinctly and
> > privately, through the same AAA transaction;
>
> [Joe] can you elaborate on this?

This is a special case of the previous requirement. Attributes can be
passed from the AAA/H to the NAS and the peer within independent
channel bindings (?) but over the same transport (i.e. TTLS (binding
to peer), over EAP, over RADIUS (binding to NAS)).

> >  - support for legacy AuthN mechanisms;
>
> [Joe] I expect that this would depend upon the specific generally useful
> mechanism  and the legacy mechanism.  Not all generally useful
> mechanisms will support legacy AuthN mechanisms. What legacy mechanisms
> are you interested in supporting?

Tunneled cleartext credentials.

best regards, josh.

------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: josh.howlett@bris.ac.uk
------------------------------------------------------------
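The layering described in the message above (attributes for the NAS carried
in the clear RADIUS attribute list, attributes for the peer carried inside
the TTLS tunnel that rides in EAP-Message over the same RADIUS transaction)
as an added model in Go. This is not code from the original thread, from
the SECMECH work or from any EAP-TTLS/RADIUS implementation; it is an
illustration of the "distinct and private" property only. It assumes that
the TLS record layer can be stood in for by AES-GCM under a key the peer
and the AAA/H already share, that one Filter-Id attribute is enough to
represent the NAS-directed authorization data, and that the inner AVP code
and the demo key are constructed for the example; the EAP header and
fragmentation that a real EAP-Message carries are omitted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	attrFilterID   byte   = 11 // RFC 2865 Filter-Id: authorization meant for the NAS
	attrEAPMessage byte   = 79 // RFC 3579 EAP-Message: opaque to the NAS, forwarded to the peer
	avpUserName    uint32 = 1  // inner AVP code, assumed for illustration
)

// radiusAttr encodes one RADIUS attribute: Type, Length (incl. header), Value.
func radiusAttr(t byte, v []byte) []byte {
	return append([]byte{t, byte(2 + len(v))}, v...)
}

// parseRadiusAttrs walks a RADIUS attribute list and rejects bad lengths.
func parseRadiusAttrs(b []byte) (map[byte][]byte, error) {
	out := map[byte][]byte{}
	for len(b) > 0 {
		if len(b) < 2 || int(b[1]) < 2 || int(b[1]) > len(b) {
			return nil, errors.New("malformed RADIUS attribute")
		}
		out[b[0]] = append([]byte(nil), b[2:b[1]]...)
		b = b[b[1]:]
	}
	return out, nil
}

// ttlsAVP encodes a Diameter-style AVP as carried inside the TTLS tunnel:
// Code(4) Flags(1) Length(3, incl. header) Data, padded to a 4-byte boundary.
func ttlsAVP(code uint32, data []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, code)
	l := 8 + len(data)
	hdr[5], hdr[6], hdr[7] = byte(l>>16), byte(l>>8), byte(l)
	out := append(hdr, data...)
	for len(out)%4 != 0 {
		out = append(out, 0)
	}
	return out
}

// parseTTLSAVPs decodes a list of AVPs, tolerating an unpadded final AVP.
func parseTTLSAVPs(b []byte) (map[uint32][]byte, error) {
	out := map[uint32][]byte{}
	for len(b) > 0 {
		if len(b) < 8 {
			return nil, errors.New("short AVP header")
		}
		l := int(b[5])<<16 | int(b[6])<<8 | int(b[7])
		if l < 8 || l > len(b) {
			return nil, errors.New("malformed AVP length")
		}
		out[binary.BigEndian.Uint32(b)] = append([]byte(nil), b[8:l]...)
		next := (l + 3) &^ 3
		if next > len(b) {
			next = len(b)
		}
		b = b[next:]
	}
	return out, nil
}

// tunnel stands in for the TLS record layer between peer and AAA/H.
func tunnel(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

func sealForPeer(key, plaintext []byte) ([]byte, error) {
	g, err := tunnel(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func openAsPeer(key, blob []byte) ([]byte, error) {
	g, err := tunnel(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("short tunnel record")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// BuildAccessAccept is the AAA/H side of one transaction: the NAS-directed
// attribute travels in the clear, the peer-directed AVPs travel sealed
// inside EAP-Message, so the NAS forwards what it cannot read.
func BuildAccessAccept(peerKey []byte, filterID string, peerAVPs map[uint32][]byte) ([]byte, error) {
	var inner []byte
	for code, data := range peerAVPs {
		inner = append(inner, ttlsAVP(code, data)...)
	}
	sealed, err := sealForPeer(peerKey, inner)
	if err != nil {
		return nil, err
	}
	msg := radiusAttr(attrFilterID, []byte(filterID))
	return append(msg, radiusAttr(attrEAPMessage, sealed)...), nil
}

// NASView is what the NAS learns: its own attribute and the size of an opaque blob.
func NASView(msg []byte) (string, int, error) {
	attrs, err := parseRadiusAttrs(msg)
	if err != nil {
		return "", 0, err
	}
	return string(attrs[attrFilterID]), len(attrs[attrEAPMessage]), nil
}

// PeerView is what the peer learns after opening the tunnel with its key.
func PeerView(peerKey, msg []byte) (map[uint32][]byte, error) {
	attrs, err := parseRadiusAttrs(msg)
	if err != nil {
		return nil, err
	}
	inner, err := openAsPeer(peerKey, attrs[attrEAPMessage])
	if err != nil {
		return nil, err
	}
	return parseTTLSAVPs(inner)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key; a real one comes from the TLS handshake
	msg, err := BuildAccessAccept(key, "student-acl", map[uint32][]byte{avpUserName: []byte("user@example.org")})
	if err != nil {
		panic(err)
	}
	fid, n, _ := NASView(msg)
	fmt.Printf("NAS sees Filter-Id=%q and %d opaque EAP-Message bytes\n", fid, n)
	avps, _ := PeerView(key, msg)
	fmt.Printf("peer sees User-Name AVP=%q\n", avps[avpUserName])
	_, err = PeerView(bytes.Repeat([]byte{0x43}, 16), msg)
	fmt.Println("NAS trying the tunnel with a wrong key fails:", err != nil)
}
```

The point of the model is the third call in main: a party holding the
RADIUS message but not the tunnel key (the NAS, or anything between NAS
and AAA/H) gets its own attributes and nothing else, while the peer gets
its AVPs and never sees the NAS-directed ones. Both parsers reject
malformed lengths before touching the payload, which is the check worth
keeping in any real decoder on this path.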


_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech