
From hartmans@mit.edu  Tue Jan 31 02:44:50 2012
Return-Path: <hartmans@mit.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49CDC21F8665 for <abfab@ietfa.amsl.com>; Tue, 31 Jan 2012 02:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s5+lyz-osUrc for <abfab@ietfa.amsl.com>; Tue, 31 Jan 2012 02:44:49 -0800 (PST)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id BAB3621F8655 for <abfab@ietf.org>; Tue, 31 Jan 2012 02:44:49 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 68DB4203C0 for <abfab@ietf.org>; Tue, 31 Jan 2012 05:43:49 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 7293B4690; Tue, 31 Jan 2012 05:44:32 -0500 (EST)
From: Sam Hartman <hartmans@mit.edu>
To: abfab@ietf.org
References: <tsllip5uodv.fsf@mit.edu>
Date: Tue, 31 Jan 2012 05:44:32 -0500
In-Reply-To: <tsllip5uodv.fsf@mit.edu> (Sam Hartman's message of "Wed, 18 Jan 2012 08:33:00 -0500")
Message-ID: <tsly5soup67.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailman-Approved-At: Tue, 07 Feb 2012 04:35:11 -0800
Subject: Re: [abfab] [#31] need help with errors for draft-ietf-abfab-gss-eap
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2012 10:44:50 -0000

Folks, I have not received any feedback on this issue.  The chairs
willing, it is my intent to move forward with the error codes that our
implementation can send as an initial set for the error code registry.

I hope to have a new version of the draft ready by Feb 16 or so,
possibly even as soon as this week.

From ietf@augustcellars.com  Mon Feb 13 15:41:40 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51B221E8055 for <abfab@ietfa.amsl.com>; Mon, 13 Feb 2012 15:41:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[AWL=-1.097, BAYES_50=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GZagjnLf534E for <abfab@ietfa.amsl.com>; Mon, 13 Feb 2012 15:41:40 -0800 (PST)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5AA6E21E8024 for <abfab@ietf.org>; Mon, 13 Feb 2012 15:41:40 -0800 (PST)
Received: from Tobias (exodus.augustcellars.com [207.202.179.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 0C24D2CA08 for <abfab@ietf.org>; Mon, 13 Feb 2012 15:41:39 -0800 (PST)
From: "Jim Schaad" <ietf@augustcellars.com>
To: <abfab@ietf.org>
Date: Mon, 13 Feb 2012 15:40:53 -0800
Message-ID: <025c01cceaa8$ed549350$c7fdb9f0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Thread-index: AczqqKWZudzMUT9oQtaqH+szLsazEg==
Subject: [abfab] Update to the
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 23:41:41 -0000

I would like to verify that we are going to get an updated architecture
document published some time real soon now.  I just noticed that the document
has apparently expired w/o being re-published.  I was expecting to see some
discussion of the issues that I put into the tracker as requested by the
chairs at the last face-to-face as an indication that updates were happening
and have not yet seen any.  (Unless my system is bouncing these specific
mail messages.)

Jim



From hannes.tschofenig@gmx.net  Tue Feb 14 02:21:58 2012
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4807021F879F for <abfab@ietfa.amsl.com>; Tue, 14 Feb 2012 02:21:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.86
X-Spam-Level: 
X-Spam-Status: No, score=-101.86 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, RCVD_IN_SORBS_WEB=0.619, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xok2Rryi8lgL for <abfab@ietfa.amsl.com>; Tue, 14 Feb 2012 02:21:57 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 0CA0D21F87A2 for <abfab@ietf.org>; Tue, 14 Feb 2012 02:21:56 -0800 (PST)
Received: (qmail invoked by alias); 14 Feb 2012 10:21:54 -0000
Received: from unknown (EHLO [10.255.132.95]) [192.100.123.77] by mail.gmx.net (mp012) with SMTP; 14 Feb 2012 11:21:54 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19gWm9jCaJgqmIu7CTvgjX9xslJUZDntMiONFaF9q 5BPyhu9KKqsvpV
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <025c01cceaa8$ed549350$c7fdb9f0$@augustcellars.com>
Date: Tue, 14 Feb 2012 12:21:48 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <49DBF96B-73E0-46EA-BAF6-E07E95E46C46@gmx.net>
References: <025c01cceaa8$ed549350$c7fdb9f0$@augustcellars.com>
To: "Jim Schaad" <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: abfab@ietf.org
Subject: [abfab] draft-ietf-abfab-arch-00 -- Re:  Update to the
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2012 10:21:58 -0000

Hi Jim,

didn't spot the message due to the strange subject header.

Anyway, I am happy to update the draft by, let's say, next week.

Ciao
Hannes

On Feb 14, 2012, at 1:40 AM, Jim Schaad wrote:

> I would like to verify that we are going to get an updated architecture
> document published some time real soon now.  I just notice that the document
> has apparently expired w/o being re-published.  I was expecting to see some
> discussion of the issues that I put into the tracker as requested by the
> chairs at the last face-to-face as an indication that updates were happening
> and have not yet seen any.  (Unless my system is bouncing these specific
> mail messages.)
> 
> Jim
> 
> 
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From ietf@augustcellars.com  Sat Feb 18 10:13:53 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6533221F84CD for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 10:13:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.165
X-Spam-Level: 
X-Spam-Status: No, score=-3.165 tagged_above=-999 required=5 tests=[AWL=0.434,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qdqrRiB0KRwe for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 10:13:53 -0800 (PST)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 07CFC21F84A2 for <abfab@ietf.org>; Sat, 18 Feb 2012 10:13:53 -0800 (PST)
Received: from Tobias (176.120.168.69.static.onlinenw.com [69.168.120.176]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id E31EE2C9F1 for <abfab@ietf.org>; Sat, 18 Feb 2012 10:13:52 -0800 (PST)
From: "Jim Schaad" <ietf@augustcellars.com>
To: <abfab@ietf.org>
Date: Sat, 18 Feb 2012 10:13:08 -0800
Message-ID: <011001ccee68$f7bdead0$e739c070$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AczuZ/efckE7rE1PRvGNekgkQagI1g==
Content-Language: en-us
Subject: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 18:13:53 -0000

Those that exist in the ether for the Plasma project have suddenly decided
that they would like to see a new capability that I am not sure is doable in
the ABFAB space.  Or rather I think it is partly doable but not complete.

They have decided that in some circumstances they want to validate and get
information about both the user and the computer that is being used by the
client.  It is relatively easy to do the authentication portion using the
TTLS EAP method if both the client and the server know that it needs to be
done.  However, I do not know of any way to do the following:

1.  Have the RP tell the IdP that it wants to have both the client machine
and the client user authenticated.
2.  Allow the RP to send a SAML query to the IdP to get attributes of the
client machine

They also want to be able to get access to a NIA type assessment of the
client machine, but I am doing my best to ignore that for the moment.  I
don't have enough knowledge of NIA to even make a guess if this is a doable
operation.

Jim



From hartmans@painless-security.com  Sat Feb 18 11:29:15 2012
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1974A21F8597 for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 11:29:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.335
X-Spam-Level: 
X-Spam-Status: No, score=-2.335 tagged_above=-999 required=5 tests=[AWL=-0.070, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74ssyEUpHVJu for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 11:29:14 -0800 (PST)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id 8B73D21F857F for <abfab@ietf.org>; Sat, 18 Feb 2012 11:29:11 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 8FE6B2023F; Sat, 18 Feb 2012 14:27:49 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A93DA434F; Sat, 18 Feb 2012 14:29:02 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: "Jim Schaad" <ietf@augustcellars.com>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com>
Date: Sat, 18 Feb 2012 14:29:02 -0500
In-Reply-To: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> (Jim Schaad's message of "Sat, 18 Feb 2012 10:13:08 -0800")
Message-ID: <tslipj47xfl.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 19:29:15 -0000

The current EAP tunnel draft supports multiple authentications.
One intent for that is both for device and user authentication.
Is that good enough?

From ietf@augustcellars.com  Sat Feb 18 12:04:40 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF0411E8072 for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 12:04:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.339
X-Spam-Level: 
X-Spam-Status: No, score=-3.339 tagged_above=-999 required=5 tests=[AWL=0.260,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6la21i6ONraT for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 12:04:39 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 0C73D21F84D1 for <abfab@ietf.org>; Sat, 18 Feb 2012 12:04:39 -0800 (PST)
Received: from Tobias (176.120.168.69.static.onlinenw.com [69.168.120.176]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id C6AA22C9F4; Sat, 18 Feb 2012 12:04:38 -0800 (PST)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Sam Hartman'" <hartmans@painless-security.com>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <tslipj47xfl.fsf@mit.edu>
In-Reply-To: <tslipj47xfl.fsf@mit.edu>
Date: Sat, 18 Feb 2012 12:03:54 -0800
Message-ID: <011601ccee78$70fe6c30$52fb4490$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLLn4uPfb0E2UHG8iAsASGqxEOhsQGIv2+6lDlrn5A=
Content-Language: en-us
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 20:04:40 -0000

Can I do a SAML query for attributes about the device?  We can do one for
the user.

> -----Original Message-----
> From: Sam Hartman [mailto:hartmans@painless-security.com]
> Sent: Saturday, February 18, 2012 11:29 AM
> To: Jim Schaad
> Cc: abfab@ietf.org
> Subject: Re: [abfab] Dual authentication
> 
> The current EAP tunnel draft supports multiple authentications.
> One intent for that is both for device and user authentication.
> Is that good enough?


From gabilm@um.es  Sat Feb 18 12:25:58 2012
Return-Path: <gabilm@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4105B21F8569 for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 12:25:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level: 
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwsVtao2qK0T for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 12:25:57 -0800 (PST)
Received: from xenon12.um.es (xenon12.um.es [155.54.212.166]) by ietfa.amsl.com (Postfix) with ESMTP id 80FFD21F8539 for <abfab@ietf.org>; Sat, 18 Feb 2012 12:25:57 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon12.um.es (Postfix) with ESMTP id CE1491DC7D; Sat, 18 Feb 2012 21:25:55 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon12.um.es
Received: from xenon12.um.es ([127.0.0.1]) by localhost (xenon12.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id YDzsuZZEezoj; Sat, 18 Feb 2012 21:25:55 +0100 (CET)
Received: from MacBook-Pro-de-Gabriel-Lopez.local (unknown [84.236.208.104]) (Authenticated sender: gabilm) by xenon12.um.es (Postfix) with ESMTPA id 27C2B1DC6D; Sat, 18 Feb 2012 21:25:53 +0100 (CET)
Message-ID: <4F400950.9090103@um.es>
Date: Sat, 18 Feb 2012 21:25:52 +0100
From: =?UTF-8?B?R2FicmllbCBMw7NwZXo=?= <gabilm@um.es>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.1) Gecko/20120208 Thunderbird/10.0.1
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <tslipj47xfl.fsf@mit.edu> <011601ccee78$70fe6c30$52fb4490$@augustcellars.com>
In-Reply-To: <011601ccee78$70fe6c30$52fb4490$@augustcellars.com>
X-Enigmail-Version: 1.3.5
OpenPGP: id=8D119153
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 20:25:58 -0000

You can make use of NEA, http://datatracker.ietf.org/wg/nea/
combined with SAML.

I can send a more elaborate answer on Monday

regards, Gabi.

On 18/02/12 21:03, Jim Schaad wrote:
> Can I do a SAML query for attributes about the device?  We can do one for
> the user.
>
>> -----Original Message-----
>> From: Sam Hartman [mailto:hartmans@painless-security.com]
>> Sent: Saturday, February 18, 2012 11:29 AM
>> To: Jim Schaad
>> Cc: abfab@ietf.org
>> Subject: Re: [abfab] Dual authentication
>>
>> The current EAP tunnel draft supports multiple authentications.
>> One intent for that is both for device and user authentication.
>> Is that good enough?
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


-- 
----------------------------------------------------------------
Gabriel Lpez Milln
Departamento de Ingeniera de la Informacin y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es


From klaas@cisco.com  Sat Feb 18 13:39:20 2012
Return-Path: <klaas@cisco.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B2D21F84CF for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 13:39:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level: 
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396,  RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K6MydEUS6r1h for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 13:39:20 -0800 (PST)
Received: from out42-ams.mf.surf.net (out42-ams.mf.surf.net [145.0.1.42]) by ietfa.amsl.com (Postfix) with ESMTP id 9971121F84C8 for <abfab@ietf.org>; Sat, 18 Feb 2012 13:39:19 -0800 (PST)
Received: from teletubbie.het.net.je (teletubbie.het.net.je [192.87.110.29]) by outgoing2-ams.mf.surf.net (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q1ILd7sf012328; Sat, 18 Feb 2012 22:39:07 +0100
Received: from rtp-isp-nat1.cisco.com ([64.102.254.33] helo=[10.116.7.46]) by teletubbie.het.net.je with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76 (FreeBSD)) (envelope-from <klaas@cisco.com>) id 1Ryryw-000N5x-Pn; Sat, 18 Feb 2012 22:38:15 +0100
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <tslipj47xfl.fsf@mit.edu> <011601ccee78$70fe6c30$52fb4490$@augustcellars.com> <4F400950.9090103@um.es>
In-Reply-To: <4F400950.9090103@um.es>
Mime-Version: 1.0 (1.0)
Content-Type: text/plain; charset=utf-8
Message-Id: <D5EDA151-14D5-4A03-BB8C-B9EC614707ED@cisco.com>
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPad Mail (9A405)
From: Klaas Wierenga <klaas@cisco.com>
Date: Sat, 18 Feb 2012 22:38:19 +0100
To: =?utf-8?Q?Gabriel_L=C3=B3pez?= <gabilm@um.es>
X-Antivirus: no malware found
X-Bayes-Prob: 0.0001 (Score 0, tokens from: @@RPTN)
X-CanIt-Geo: ip=192.87.110.29; country=NL; latitude=52.5000; longitude=5.7500; http://maps.google.com/maps?q=52.5000,5.7500&z=6
X-CanItPRO-Stream: p-out:default (inherits from p:default,base:default)
X-Canit-Stats-ID: 0vGzxD7W6 - c9ce571ccf41 - 20120218 (trained as not-spam)
X-Scanned-By: CanIt (www . roaringpenguin . com) on 145.0.1.42
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 21:39:20 -0000

Yes, and if I am not mistaken Josh specced federated NEA

Klaas

Sent from my iPad

On 18 Feb 2012, at 21:26, "Gabriel López" <gabilm@um.es> wrote:

> 
> You can make use of NEA, http://datatracker.ietf.org/wg/nea/
> combined with SAML.
> 
> I can send a more elaborate answer on Monday
> 
> regards, Gabi.
> 
> On 18/02/12 21:03, Jim Schaad wrote:
>> Can I do a SAML query for attributes about the device?  We can do one for
>> the user.
>> 
>>> -----Original Message-----
>>> From: Sam Hartman [mailto:hartmans@painless-security.com]
>>> Sent: Saturday, February 18, 2012 11:29 AM
>>> To: Jim Schaad
>>> Cc: abfab@ietf.org
>>> Subject: Re: [abfab] Dual authentication
>>> 
>>> The current EAP tunnel draft supports multiple authentications.
>>> One intent for that is both for device and user authentication.
>>> Is that good enough?
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
> 
> 
> -- 
> ----------------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia
> Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gabilm@um.es
> 
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab

From hartmans@painless-security.com  Sat Feb 18 17:31:47 2012
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93F2221E801A for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 17:31:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.331
X-Spam-Level: 
X-Spam-Status: No, score=-2.331 tagged_above=-999 required=5 tests=[AWL=-0.066, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8HxtwTYnwoZh for <abfab@ietfa.amsl.com>; Sat, 18 Feb 2012 17:31:46 -0800 (PST)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id AEC1621E8011 for <abfab@ietf.org>; Sat, 18 Feb 2012 17:31:46 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id EDA8D20383; Sat, 18 Feb 2012 20:30:23 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 03D87434F; Sat, 18 Feb 2012 20:31:34 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: "Jim Schaad" <ietf@augustcellars.com>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <tslipj47xfl.fsf@mit.edu> <011601ccee78$70fe6c30$52fb4490$@augustcellars.com>
Date: Sat, 18 Feb 2012 20:31:34 -0500
In-Reply-To: <011601ccee78$70fe6c30$52fb4490$@augustcellars.com> (Jim Schaad's message of "Sat, 18 Feb 2012 12:03:54 -0800")
Message-ID: <tsl7gzj8v7t.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Feb 2012 01:31:47 -0000

>>>>> "Jim" == Jim Schaad <ietf@augustcellars.com> writes:

    Jim> Can I do a SAML query for attributes about the device?  We can
    Jim> do one for the user.

Not yet.
If you need it we could specify how to do it.

From gabilm@um.es  Mon Feb 20 04:26:09 2012
Return-Path: <gabilm@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B2A721F86BB for <abfab@ietfa.amsl.com>; Mon, 20 Feb 2012 04:26:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level: 
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pp3+5y3kW8U for <abfab@ietfa.amsl.com>; Mon, 20 Feb 2012 04:26:05 -0800 (PST)
Received: from xenon14.um.es (xenon14.um.es [155.54.212.168]) by ietfa.amsl.com (Postfix) with ESMTP id 9C61221F8685 for <abfab@ietf.org>; Mon, 20 Feb 2012 04:26:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon14.um.es (Postfix) with ESMTP id 2FB175D473; Mon, 20 Feb 2012 13:26:03 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon14.um.es
Received: from xenon14.um.es ([127.0.0.1]) by localhost (xenon14.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id xHnAJx7I6i4g; Mon, 20 Feb 2012 13:25:58 +0100 (CET)
Received: from eduroam_um-231-93.inf.um.es (eduroam_um-231-93.inf.um.es [155.54.231.93]) (Authenticated sender: gabilm) by xenon14.um.es (Postfix) with ESMTPA id DF6B65D472; Mon, 20 Feb 2012 13:25:57 +0100 (CET)
Message-ID: <4F423BD5.7040503@um.es>
Date: Mon, 20 Feb 2012 13:25:57 +0100
From: =?UTF-8?B?R2FicmllbCBMw7NwZXo=?= <gabilm@um.es>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.1) Gecko/20120208 Thunderbird/10.0.1
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <tslipj47xfl.fsf@mit.edu> <011601ccee78$70fe6c30$52fb4490$@augustcellars.com> <4F400950.9090103@um.es>
In-Reply-To: <4F400950.9090103@um.es>
X-Enigmail-Version: 1.3.5
OpenPGP: id=8D119153
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2012 12:26:09 -0000

Hi,

    Briefly (please correct me if I'm wrong), NEA/TNC defines two
entities, the NEA client (the end user's PC/laptop device) and the NEA
server (usually located in the home RADIUS server).
    Transporting NEA/TNC packets over EAP, the NEA/TNC peers perform a
Platform Credentials Authentication, where the device itself is
authenticated (note that the end user has already been authenticated in
a previous step).
    Once the device is authenticated, device/server posture attributes
are exchanged and validated. If the server decides the device's posture
attributes are OK, then the process ends successfully.

    This scenario presents a problem in a federated AAA network. The
final decision about posture attributes is taken by the home RADIUS
server, which is not a realistic situation (i.e. the visited
organization only provides network connectivity to remote users that
have updated antivirus software running. This decision should be
controlled by the visited organization, not the home one).

    To solve this situation, the Trusted Computing Group defined the
integration of NEA/TNC with SAML
http://www.trustedcomputinggroup.org/files/resource_files/51F4B514-1D09-3519-ADEF8EA701461A74/TNC_Federated_TNC_v1.0-r26.pdf
(sure Josh (co-author) can provide more details).
    The idea of this proposal is, after the platform authentication, to
recover the end user posture attributes, from the home to the visited
organization, by means of SAML Attribute Queries/Responses (in a second
round-trip, once the RADIUS-ACCEPT is sent back to the visited
organization).
    We also proposed a similar approach for eduroam some time ago.

    In the case of abfab, if we want to avoid a second round-trip, those
posture attributes should be collected by the home organization during
the NEA/EAP exchange, stored (not evaluated) in the home IdP, together
or not with the end user's own attributes, and then sent back to the
visited organization encapsulated in the SAML attribute statement over
the RADIUS protocol.

    regards, Gabi.



On 18/02/12 21:25, Gabriel López wrote:
> You can make use of NEA, http://datatracker.ietf.org/wg/nea/
> combined with SAML.
>
> I can send a more elaborate answer on Monday
>
> regards, Gabi.
>
> On 18/02/12 21:03, Jim Schaad wrote:
>> Can I do a SAML query for attributes about the device?  We can do one for
>> the user.
>>
>>> -----Original Message-----
>>> From: Sam Hartman [mailto:hartmans@painless-security.com]
>>> Sent: Saturday, February 18, 2012 11:29 AM
>>> To: Jim Schaad
>>> Cc: abfab@ietf.org
>>> Subject: Re: [abfab] Dual authentication
>>>
>>> The current EAP tunnel draft supports multiple authentications.
>>> One intent for that is both for device and user authentication.
>>> Is that good enough?
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
>


-- 
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es


From Josh.Howlett@ja.net  Mon Feb 20 08:29:08 2012
From: Josh Howlett <Josh.Howlett@ja.net>
To: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Date: Mon, 20 Feb 2012 16:28:58 +0000
Message-ID: <CB6821E9.51CF7%josh.howlett@ja.net>
In-Reply-To: <011001ccee68$f7bdead0$e739c070$@augustcellars.com>
Subject: Re: [abfab] Dual authentication

>
>Those that exist in the ether for the Plasma project have suddenly decided
>that they would like to see a new capability that I am not sure is doable
>in
>the ABFAB space.  Or rather I think it is partly doable but not complete.

I think that is an accurate summary.

>They have decided that in some circumstances they want to validate and get
>information about both the user and the computer that is being used by the
>client.  It is relatively easy to do the authentication portion using the
>TTLS EAP method if both the client and the server know that it needs to be
>done.  However, I do not know of any way to do the following:
>
>1.  Have the RP tell the IdP that it wants to have both the client machine
>and the client user authenticated.

Abfab certainly doesn't have those semantics. I can't recall if NEA does.
I would be surprised if it did, but I can't imagine it would be difficult
to add (it's probably just an AAA-bound flag?).

>2.  Allow the RP to send a SAML query to the IdP to get attributes of the
>client machine

You could use either a SOAP-bound or AAA-bound SAML query.

>They also want to be able to get access to a NIA type assessment of the
>client machine, but I am doing my best to ignore that for the moment.  I
>don't have enough knowledge of NIA to even make a guess if this is a
>doable
>operation.

I can't see a reason why NEA couldn't be used with Abfab today.

You might want to look at the Federated TNC spec; this only addresses your
use case for the web-bound case, but some of the concepts might be useful. I
don't think it would be hard to port it to Abfab/NEA.

Josh.



JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG


From ietf@augustcellars.com  Mon Feb 20 14:48:24 2012
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Josh Howlett'" <Josh.Howlett@ja.net>, <abfab@ietf.org>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <CB6821E9.51CF7%josh.howlett@ja.net>
In-Reply-To: <CB6821E9.51CF7%josh.howlett@ja.net>
Date: Mon, 20 Feb 2012 14:47:17 -0800
Message-ID: <01a401ccf021$a524c860$ef6e5920$@augustcellars.com>
Subject: Re: [abfab] Dual authentication

Thanks to both you and Gabriel for the response.



> -----Original Message-----
> From: Josh Howlett [mailto:Josh.Howlett@ja.net]
> Sent: Monday, February 20, 2012 8:29 AM
> To: Jim Schaad; abfab@ietf.org
> Subject: Re: [abfab] Dual authentication
> 
> >
> >Those that exist in the ether for the Plasma project have suddenly
> >decided that they would like to see a new capability that I am not sure
> >is doable in the ABFAB space.  Or rather I think it is partly doable
> >but not complete.
> 
> I think that is an accurate summary.
> 
> >They have decided that in some circumstances they want to validate and
> >get information about both the user and the computer that is being used
> >by the client.  It is relatively easy to do the authentication portion
> >using the TTLS EAP method if both the client and the server know that
> >it needs to be done.  However, I do not know of any way to do the
> following:
> >
> >1.  Have the RP tell the IdP that it wants to have both the client
> >machine and the client user authenticated.
> 
> Abfab certainly doesn't have those semantics. I can't recall if NEA does.
> I would be surprised if it did, but I can't imagine it would be difficult
> to add (it's probably just an AAA-bound flag?).

Except for the question of how to frame the SAML query, I imagine doing the
SAML query might be sufficient to tell the IdP that a NEA assessment is
desired.  The question would be one of whether there should be two SAML queries or
one.  If you have two, then how do you distinguish between the client query
and the machine query?  If you have one, then are there any attributes which
might apply to both a user and a machine?

> 
> >2.  Allow the RP to send a SAML query to the IdP to get attributes of
> >the client machine
> 
> You could use either a SOAP-bound or AAA-bound SAML query.
> 
> >They also want to be able to get access to a NIA type assessment of the
> >client machine, but I am doing my best to ignore that for the moment.
> >I don't have enough knowledge of NIA to even make a guess if this is a
> >doable operation.
> 
> I can't see a reason why NEA couldn't be used with Abfab today.
> 
> You might want to look at the Federated TNC spec; this only addresses your
> use case for the web-bound case, but some of the concepts might be useful. I
> don't think it would be hard to port it to Abfab/NEA.

I will have to look at the spec.  I demonstrated my lack of knowledge about
NEA by using the wrong TLA to begin with.  I assume that if you run a TTLS
that the NEA/EAP dialog would be able to occur inside the same tunnel as the
user and machine authentication steps.  I am not sure if that would add
material to the key generation but that is probably not of any importance.  

> 
> Josh.
> 
> 
> 


From ietf@augustcellars.com  Mon Feb 20 14:48:24 2012
From: "Jim Schaad" <ietf@augustcellars.com>
To: =?utf-8?Q?'Gabriel_L=C3=B3pez'?= <gabilm@um.es>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <tslipj47xfl.fsf@mit.edu> <011601ccee78$70fe6c30$52fb4490$@augustcellars.com> <4F400950.9090103@um.es> <4F423BD5.7040503@um.es>
In-Reply-To: <4F423BD5.7040503@um.es>
Date: Mon, 20 Feb 2012 14:47:38 -0800
Message-ID: <01a501ccf021$a563cd30$f02b6790$@augustcellars.com>
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication

> -----Original Message-----
> From: Gabriel López [mailto:gabilm@um.es]
> Sent: Monday, February 20, 2012 4:26 AM
> To: Jim Schaad
> Cc: abfab@ietf.org
> Subject: Re: [abfab] Dual authentication
> 
> 
> Hi,
> 
>     Briefly (please correct me if I'm wrong), NEA/TNC defines two entities,
> the NEA client (the end user PC/laptop device) and the NEA server (usually
> located in the home RADIUS server).
>     Transporting NEA/TNC packets over EAP, the NEA/TNC peers perform a Platform
> Credentials Authentication, where the device itself is authenticated (note
> that the end user has already been authenticated in a previous step).
>     Once the device is authenticated, device/server posture attributes are
> exchanged and validated. If the server decides the device's posture attributes
> are OK, then the process ends successfully.
> 
>     This scenario presents a problem in a federated AAA network. The final
> decision about posture attributes is taken by the home RADIUS server, which
> is not a realistic situation (i.e. the visited organization only provides network
> connectivity to remote users that have updated antivirus software running.
> This decision should be controlled by the visited organization, not the home
> one).
> 
>     To solve this situation, the Trusted Computing Group defined the
> integration of NEA/TNC with SAML:
> http://www.trustedcomputinggroup.org/files/resource_files/51F4B514-1D09-3519-ADEF8EA701461A74/TNC_Federated_TNC_v1.0-r26.pdf
> (surely Josh (co-author) can provide more details).
>     The idea of this proposal is, after the platform authentication, to recover
> the end user posture attributes from the home to the visited organization
> by means of SAML Attribute Queries/Responses (in a second round-trip,
> once the RADIUS-ACCEPT is sent back to the visited organization).
>     We also proposed a similar approach for eduroam some time ago.
> 
>     In the case of abfab, if we want to avoid a second round-trip, those
> posture attributes should be collected by the home organization during the
> NEA/EAP exchange; the posture attributes should be stored (not
> evaluated) in the home IdP, together with the end user's own
> attributes or not, and then sent back to the visited organization
> encapsulated in the SAML attribute statement over the RADIUS protocol.

I would assume that there might be cases where two different assessments
are going to occur.  One for the home IdP and one for the RP.  This
might mean that it is a requirement that the RP can send its needs
to the IdP before the posture attributes are collected as they may have
somewhat different needs.  Also there might be some issues about mapping
of the posture requirements.  However that should be able to be handled
via the standard SAML mapping techniques.

Jim

> 
>     regards, Gabi.
> 
> 
> 
> On 18/02/12 21:25, Gabriel López wrote:
> > You can make use of NEA, http://datatracker.ietf.org/wg/nea/
> > combined with SAML.
> >
> > I can send a more elaborate answer on Monday
> >
> > regards, Gabi.
> >
> > On 18/02/12 21:03, Jim Schaad wrote:
> >> Can I do a SAML query for attributes about the device?  We can do one
> >> for the user.
> >>
> >>> -----Original Message-----
> >>> From: Sam Hartman [mailto:hartmans@painless-security.com]
> >>> Sent: Saturday, February 18, 2012 11:29 AM
> >>> To: Jim Schaad
> >>> Cc: abfab@ietf.org
> >>> Subject: Re: [abfab] Dual authentication
> >>>
> >>> The current EAP tunnel draft supports multiple authentications.
> >>> One intent for that is both for device and user authentication.
> >>> Is that good enough?
> >
> 
> 
> --
> ----------------------------------------------------------------
> Gabriel López Millán
> Departamento de Ingeniería de la Información y las Comunicaciones
> University of Murcia Spain
> Tel: +34 868888504
> Fax: +34 868884151
> email: gabilm@um.es


From internet-drafts@ietf.org  Tue Feb 21 01:14:48 2012
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Message-ID: <20120221091435.26665.93468.idtracker@ietfa.amsl.com>
Date: Tue, 21 Feb 2012 01:14:35 -0800
Cc: abfab@ietf.org
Subject: [abfab] I-D Action: draft-ietf-abfab-usecases-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Application Bridging for
Federated Access Beyond web Working Group of the IETF.

	Title           : Application Bridging for Federated Access Beyond web (ABFAB) Use Cases
	Author(s)       : Rhys Smith
	Filename        : draft-ietf-abfab-usecases-02.txt
	Pages           : 12
	Date            : 2012-02-21

   Federated authentication has so far been typically associated with
   Web-based services, but there is growing interest in the application
   of federated authentication for non-Web services.  The goal of this
   document is to document a selection of the wide variety of contexts
   whose user experience could be improved through the use of
   technologies based on the ABFAB architecture and specifications.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-abfab-usecases-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-abfab-usecases-02.txt


From smith@Cardiff.ac.uk  Tue Feb 21 01:18:13 2012
From: Rhys Smith <smith@cardiff.ac.uk>
Date: Tue, 21 Feb 2012 09:18:01 +0000
References: <20120221091437.26665.58989.idtracker@ietfa.amsl.com>
To: abfab@ietf.org
Message-Id: <C51D8961-D3AD-459A-BB70-6D09DD5DC296@cardiff.ac.uk>
Subject: [abfab] Fwd: New Version Notification for draft-ietf-abfab-usecases-02.txt

Hi all,

I've just posted a new version of the use-case draft - see
http://tools.ietf.org/html/draft-ietf-abfab-usecases-02

The only substantive difference since -01 is the inclusion of the federated
cross-layer use case that we discussed before Christmas. Apologies for
not posting it sooner, life got in the way.

FYI I am intending on tidying up some of the holes and todos and to
submit an -03 ready for IETF 83.

If anyone has any new use cases for ABFAB that should be included in
that, please let me know!

Best,
R.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet - the UK's education and research network

email: smith@cardiff.ac.uk / rhys.smith@ja.net
GPG: 0xDE2F024C





Begin forwarded message:

> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-ietf-abfab-usecases-02.txt
> Date: 21 February 2012 09:14:37 GMT
> To: smith@cardiff.ac.uk
> Cc: smith@cardiff.ac.uk
> 
> A new version of I-D, draft-ietf-abfab-usecases-02.txt has been
> successfully submitted by Rhys Smith and posted to the IETF repository.
> 
> Filename:	 draft-ietf-abfab-usecases
> Revision:	 02
> Title:		 Application Bridging for Federated Access Beyond web (ABFAB) Use Cases
> Creation date:	 2012-02-21
> WG ID:		 abfab
> Number of pages: 12
> 
> Abstract:
>   Federated authentication has so far been typically associated with
>   Web-based services, but there is growing interest in the application
>   of federated authentication for non-Web services.  The goal of this
>   document is to document a selection of the wide variety of contexts
>   whose user experience could be improved through the use of
>   technologies based on the ABFAB architecture and specifications.
> 
> 
> The IETF Secretariat


From Josh.Howlett@ja.net  Tue Feb 21 01:21:09 2012
From: Josh Howlett <Josh.Howlett@ja.net>
To: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Date: Tue, 21 Feb 2012 09:21:04 +0000
Message-ID: <CB690EAC.51EF2%josh.howlett@ja.net>
In-Reply-To: <01a401ccf021$a524c860$ef6e5920$@augustcellars.com>
Subject: Re: [abfab] Dual authentication

>> >1.  Have the RP tell the IdP that it wants to have both the client
>> >machine and the client user authenticated.
>> 
>> Abfab certainly doesn't have those semantics. I can't recall if NEA does.
>> I would be surprised if it did, but I can't imagine it would be difficult
>> to add (it's probably just an AAA-bound flag?).
>
>Except for the question of how to frame the SAML query, I imagine doing the
>SAML query might be sufficient to tell the IdP that a NEA assessment is
>desired.

That's another approach.

>  The question would be one of whether there should be two SAML queries or
>one.  If you have two, then how do you distinguish between the client query
>and the machine query?  If you have one, then are there any attributes which
>might apply to both a user and a machine?

An assertion request can name at most one principal, and so this is most
likely two queries, if you chose to have a model that considered the user
and device to be distinct principals (and so naming them separately). On
the other hand, it might be reasonable to consider the device to be an
attribute of a principal. A lot depends on the detail of the use case. In
any event, I don't think you're going to be particularly constrained by
the capabilities of the existing technology.

>> 
>> >2.  Allow the RP to send a SAML query to the IdP to get attributes of
>> >the client machine
>> 
>> You could use either a SOAP-bound or AAA-bound SAML query.
>> 
>> >They also want to be able to get access to a NIA type assessment of the
>> >client machine, but I am doing my best to ignore that for the moment.
>> >I don't have enough knowledge of NIA to even make a guess if this is a
>> >doable operation.
>> 
>> I can't see a reason why NEA couldn't be used with Abfab today.
>> 
>> You might want to look at the Federated TNC spec; this only addresses your
>> use case for the web-bound case, but some of the concepts might be useful. I
>> don't think it would be hard to port it to Abfab/NEA.
>
>I will have to look at the spec.  I demonstrated my lack of knowledge about
>NEA by using the wrong TLA to begin with.  I assume that if you run a TTLS
>that the NEA/EAP dialog would be able to occur inside the same tunnel as the
>user and machine authentication steps.

Correct.

>  I am not sure if that would add
>material to the key generation

It doesn't.

Josh.



JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
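
As an added illustration of the two-query model Josh describes above (example code written for this archive, not from the thread or from any ABFAB implementation): an RP builds one SAML 2.0 AttributeQuery per principal, and the receiving side checks that each query names exactly one Subject, which is the constraint that forces the user and the device into separate queries. The user NameID uses the standard persistent format; the device NameID format and the posture attribute name are placeholders I assume for the example, not values from any specification.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# The user query uses the standard SAML persistent NameID format. The device
# format below is an assumed deployment-specific URI (placeholder), chosen so
# the receiver can tell a device query from a user query by its Subject.
USER_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
DEVICE_FORMAT = "urn:example:abfab:nameid-format:device"  # assumption


def build_attribute_query(issuer, name_id, name_format, attributes):
    """Return a samlp:AttributeQuery (as XML text) naming exactly one principal."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_format})
    nid.text = name_id
    for name in attributes:
        ET.SubElement(q, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(q, encoding="unicode")


def classify_query(xml_text):
    """Parse an AttributeQuery and report which kind of principal it names.

    Returns (kind, name_id, [attribute names]) with kind "user" or "device".
    Raises ValueError if the query names zero or more than one principal,
    or uses a NameID format this receiver does not recognise.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not an AttributeQuery")
    subjects = root.findall(f"{{{SAML}}}Subject")
    if len(subjects) != 1:
        raise ValueError(f"expected exactly one Subject, found {len(subjects)}")
    name_ids = subjects[0].findall(f"{{{SAML}}}NameID")
    if len(name_ids) != 1:
        raise ValueError(f"expected exactly one NameID, found {len(name_ids)}")
    fmt = name_ids[0].get("Format", "")
    if fmt == USER_FORMAT:
        kind = "user"
    elif fmt == DEVICE_FORMAT:
        kind = "device"
    else:
        raise ValueError(f"unrecognised NameID Format {fmt!r}")
    attrs = [a.get("Name") for a in root.findall(f"{{{SAML}}}Attribute")]
    return kind, name_ids[0].text, attrs


def names_one_principal(xml_text):
    """True if the query is well-formed for this receiver (one recognised Subject)."""
    try:
        classify_query(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def two_query_model(rp, user_id, device_id):
    """The RP issues one query per principal: user attributes and device posture.

    urn:oid:2.5.4.42 is the real givenName OID; the posture attribute name is
    a constructed placeholder for whatever a NEA assessment would be published as.
    """
    user_q = build_attribute_query(rp, user_id, USER_FORMAT, ["urn:oid:2.5.4.42"])
    device_q = build_attribute_query(rp, device_id, DEVICE_FORMAT,
                                     ["urn:example:abfab:attr:nea-posture"])  # assumption
    return user_q, device_q


if __name__ == "__main__":
    u, d = two_query_model("https://rp.example.org", "alice@idp.example.org",
                           "laptop-42.idp.example.org")
    print(classify_query(u))
    print(classify_query(d))
```

A query that carried two Subjects (one user, one device) is rejected by classify_query rather than treated as a combined query; under Josh's alternative model, where the device is an attribute of the user principal, you would instead keep a single user query and add the device attribute names to it.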


From gabilm@um.es  Tue Feb 21 02:37:43 2012
Return-Path: <gabilm@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BAE21F8598 for <abfab@ietfa.amsl.com>; Tue, 21 Feb 2012 02:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level: 
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[AWL=-1.500, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y0LTldsc48A6 for <abfab@ietfa.amsl.com>; Tue, 21 Feb 2012 02:37:39 -0800 (PST)
Received: from xenon12.um.es (xenon12.um.es [155.54.212.166]) by ietfa.amsl.com (Postfix) with ESMTP id B84D921F85F2 for <abfab@ietf.org>; Tue, 21 Feb 2012 02:37:34 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon12.um.es (Postfix) with ESMTP id 6AF4F4BD40; Tue, 21 Feb 2012 11:37:33 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon12.um.es
Received: from xenon12.um.es ([127.0.0.1]) by localhost (xenon12.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 74wGY0Y3MCmH; Tue, 21 Feb 2012 11:37:28 +0100 (CET)
Received: from eduroam_um-231-201.inf.um.es (eduroam_um-231-201.inf.um.es [155.54.231.201]) (Authenticated sender: gabilm) by xenon12.um.es (Postfix) with ESMTPA id A804A4BDC9; Tue, 21 Feb 2012 11:37:27 +0100 (CET)
Message-ID: <4F4373E6.5080509@um.es>
Date: Tue, 21 Feb 2012 11:37:26 +0100
From: Gabriel López <gabilm@um.es>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.1) Gecko/20120208 Thunderbird/10.0.1
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>
References: <011001ccee68$f7bdead0$e739c070$@augustcellars.com> <CB6821E9.51CF7%josh.howlett@ja.net> <01a401ccf021$a524c860$ef6e5920$@augustcellars.com>
In-Reply-To: <01a401ccf021$a524c860$ef6e5920$@augustcellars.com>
X-Enigmail-Version: 1.3.5
OpenPGP: id=8D119153
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: abfab@ietf.org
Subject: Re: [abfab] Dual authentication
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 10:37:43 -0000

On 20/02/12 23:47, Jim Schaad wrote:
> Thanks to both you and Gabriel for response.
>
>
>
>> -----Original Message-----
>> From: Josh Howlett [mailto:Josh.Howlett@ja.net]
>> Sent: Monday, February 20, 2012 8:29 AM
>> To: Jim Schaad; abfab@ietf.org
>> Subject: Re: [abfab] Dual authentication
>>
>>> Those that exist in the ether for the Plasma project have suddenly
>>> decided that they would like to see a new capability that I am not sure
>>> is doable in the ABFAB space.  Or rather I think it is partly doable
>>> but not complete.
>> I think that is an accurate summary.
>>
>>> They have decided that in some circumstances they want to validate and
>>> get information about both the user and the computer that is being used
>>> by the client.  It is relatively easy to do the authentication portion
>>> using the TTLS EAP method if both the client and the server know that
>>> it needs to be done.  However, I do not know of any way to do the
>> following:
>>> 1.  Have the RP tell the IdP that it wants to have both the client
>>> machine and the client user authenticated.
>> Abfab certainly doesn't have those semantics. I can't recall if NEA does.
>> I would be surprised if it did, but I can't imagine it would be difficult
Although NEA specifications do not limit the entity starting the NEA
exchange (client or server), EAP-TNC specifies that the server starts the
attribute exchange.
> to add
>> (it's probably just a AAA-bound flag?).
> Except for the question of how to frame the SAML query, I imagine doing the
> SAML query might be sufficient to tell the IdP that a NEA assessment is
> desired.  The question would be one of should there be two SAML queries or
> one.  If you have two, then how do you distinguish between the client query
> and the machine query.  If you have one, then are there any attributes which
> might apply to both a user and a machine?
I think SAML is not necessary to start the NEA negotiation; the use of
EAP-TNC Start from the RP could be defined in some way.
>
>>> 2.  Allow the RP to send a SAML query to the IdP to get attributes of
>>> the client machine
>> You could use either a SOAP-bound or AAA-bound SAML query.
>>
>>> They also want to be able to get access to a NIA type assessment of the
>>> client machine, but I am doing my best to ignore that for the moment.
>>> I don't have enough knowledge of NIA to even make a guess if this is a
>>> doable operation.
>> I can't see a reason why NEA couldn't be used with Abfab today.
>>
>> You might want to look at the Federated TNC spec; this only addresses your
>> use case for the web-bound case, but some of concepts might be useful. I
>> don't think it would be hard to port it to Abfab/NEA.
> I will have to look at the spec.  I demonstrated my lack of knowledge about
> NEA by using the wrong TLA to begin with.  I assume that if you run a TTLS
> that the NEA/EAP dialog would be able to occur inside the same tunnel as the
> user and machine authentication steps. 
sure

regards, Gabi.
>  I am not sure if that would add
> material to the key generation but that is probably not of any importance.  
>
>> Josh.
>>
>>
>>
>> JANET(UK) is a trading name of The JNT Association, a company limited by
>> guarantee which is registered in England under No. 2881024 and whose
>> Registered Office is at Lumen House, Library Avenue, Harwell Oxford,
> Didcot,
>> Oxfordshire. OX11 0SG
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


-- 
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es


From smith@Cardiff.ac.uk  Wed Feb 22 03:50:03 2012
Return-Path: <smith@Cardiff.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5348A21F86B4 for <abfab@ietfa.amsl.com>; Wed, 22 Feb 2012 03:50:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.044
X-Spam-Level: 
X-Spam-Status: No, score=-4.044 tagged_above=-999 required=5 tests=[AWL=0.104,  BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_CHARSET_FARAWAY=2.45,  RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rub9s5LwTCg0 for <abfab@ietfa.amsl.com>; Wed, 22 Feb 2012 03:49:59 -0800 (PST)
Received: from smtpout2.cf.ac.uk (smtpout2.cf.ac.uk [131.251.137.139]) by ietfa.amsl.com (Postfix) with ESMTP id 6AEF621F86B3 for <abfab@ietf.org>; Wed, 22 Feb 2012 03:49:55 -0800 (PST)
Received: from smtpauth.cf.ac.uk ([131.251.248.19]) by smtpout2.cf.ac.uk with esmtp (Exim 4.76) (envelope-from <smith@Cardiff.ac.uk>) id 1S0Ahj-0000Sh-OW; Wed, 22 Feb 2012 11:49:51 +0000
Received: from [10.13.137.88] (helo=m0151.insrv.cu-wifi.cf.ac.uk) by smtpauth.cf.ac.uk with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <scmros@smtpauth.cf.ac.uk>) id 1S0Ahj-0004F8-N3; Wed, 22 Feb 2012 11:49:51 +0000
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_6E8CCB79-A3DA-4A64-B170-8CD6C15531FB"
From: Rhys Smith <smith@cardiff.ac.uk>
In-Reply-To: <OF22642E33.3089AFBA-ON482579AC.001D7749-482579AC.001F6A62@zte.com.cn>
Date: Wed, 22 Feb 2012 11:49:46 +0000
Message-Id: <0375B6F5-EC9C-4DB3-9F6E-8B99F75A5B72@cardiff.ac.uk>
References: <OF22642E33.3089AFBA-ON482579AC.001D7749-482579AC.001F6A62@zte.com.cn>
To: wei.yinxing@zte.com.cn
X-Mailer: Apple Mail (2.1257)
Sender: smith@Cardiff.ac.uk
X-Virus-Scanned: Cardiff University Virus Scanner
X-Virus-Scanned: Cardiff University Virus Scanner
Cc: abfab@ietf.org
Subject: Re: [abfab] New Version Notification for draft-ietf-abfab-usecases-02.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2012 11:50:03 -0000

--Apple-Mail=_6E8CCB79-A3DA-4A64-B170-8CD6C15531FB
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=GB2312

Hi Yinxing,

Not sure about that - since the document is a use case document it
actually really has many authors - all those who provided substantive
text for the document, such as yourself. If all of those who have
provided this input were listed as Authors, we'd currently have 13
authors - and the guidelines that I've seen are you really should not
have more than 5 authors without "very good reason".

So the way I've done it in this document is that I'm listed as the
editor (as I'm pulling the document together), and the contributors are
listed in Sections 5 and 6 of the document.

If anyone has any suggestions as to whether there's a better way than
the way I've done it, I'm happy to take advice...

R.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet - the UK's education and research network

email: smith@cardiff.ac.uk / rhys.smith@ja.net
GPG: 0xDE2F024C

On 22 Feb 2012, at 05:40, wei.yinxing@zte.com.cn wrote:

>
> Hi, Rhys
>
>   I am happy to receive this news. Would you please to add me as a
> co-author for this draft in the next revision?
>
>   I appreciate for your help. Thanks!
>
> ------------
> Yinxing Wei
>
> Rhys Smith <smith@cardiff.ac.uk>
> From:  abfab-bounces@ietf.org
> 2012/02/21 17:18
>
> To
> abfab@ietf.org
> Cc
> Subject
> [abfab] Fwd: New Version Notification for draft-ietf-abfab-usecases-02.txt
>
> Hi all,
>
> I've just posted a new version of the use-case draft - see
> http://tools.ietf.org/html/draft-ietf-abfab-usecases-02
>
> Only substantive difference since -01 is the inclusion of the
> federated cross-layer use case that we discussed before christmas.
> Apologies for not posting it sooner, life got in the way.
>
> FYI I am intending on tidying up some of the holes and todos and to
> submit an -03 ready for ietf83.
>
> If anyone has any new use cases for ABFAB that should be included in
> that, please let me know!
>
> Best,
> R.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet - the UK's education and research network
>
> email: smith@cardiff.ac.uk / rhys.smith@ja.net
> GPG: 0xDE2F024C
>
> Begin forwarded message:
>
> > From: internet-drafts@ietf.org
> > Subject: New Version Notification for draft-ietf-abfab-usecases-02.txt
> > Date: 21 February 2012 09:14:37 GMT
> > To: smith@cardiff.ac.uk
> > Cc: smith@cardiff.ac.uk
> >
> > A new version of I-D, draft-ietf-abfab-usecases-02.txt has been
> > successfully submitted by Rhys Smith and posted to the IETF repository.
> >
> > Filename:        draft-ietf-abfab-usecases
> > Revision:        02
> > Title:           Application Bridging for Federated Access Beyond web (ABFAB) Use Cases
> > Creation date:   2012-02-21
> > WG ID:           abfab
> > Number of pages: 12
> >
> > Abstract:
> >   Federated authentication has so far been typically associated with
> >   Web-based services, but there is growing interest in the application
> >   of federated authentication for non-Web services.  The goal of this
> >   document is to document a selection of the wide variety of contexts
> >   whose user experience could be improved through the use of
> >   technologies based on the ABFAB architecture and specifications.
> >
> > The IETF Secretariat
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
>
> --------------------------------------------------------
> ZTE Information Security Notice: The information contained in this
> mail is solely property of the sender's organization. This mail
> communication is confidential. Recipients named above are obligated to
> maintain secrecy and are not permitted to disclose the contents of this
> communication to others.
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error please notify the
> originator of the message. Any views expressed in this message are those
> of the individual sender.
> This message has been scanned for viruses and Spam by ZTE Anti-Spam
> system.



From leifj@mnt.se  Thu Feb 23 23:38:07 2012
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD35621E8023 for <abfab@ietfa.amsl.com>; Thu, 23 Feb 2012 23:38:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NByHS7iZWgwy for <abfab@ietfa.amsl.com>; Thu, 23 Feb 2012 23:38:07 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id D2DFE21E800C for <abfab@ietf.org>; Thu, 23 Feb 2012 23:38:06 -0800 (PST)
Received: from [192.36.125.239] (dhcp.pilsnet.sunet.se [192.36.125.239] (may be forged)) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q1O7c0nV019782 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Fri, 24 Feb 2012 08:38:04 +0100 (CET)
Message-ID: <4F473E57.6000104@mnt.se>
Date: Fri, 24 Feb 2012 08:37:59 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "abfab@ietf.org" <abfab@ietf.org>
References: <20120223203504.10500.85766.idtracker@ietfa.amsl.com>
In-Reply-To: <20120223203504.10500.85766.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.3.5
X-Forwarded-Message-Id: <20120223203504.10500.85766.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [abfab] Fwd: abfab - Requested session has been scheduled for IETF 83
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 07:38:08 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Folks, unless you've already noticed, we are scheduled for
Thursday morning this time.

	Cheers, Leif



- -------- Original Message --------
Subject: abfab - Requested session has been scheduled for IETF 83
Date: Thu, 23 Feb 2012 12:35:04 -0800
From: "IETF Secretariat" <agenda@ietf.org>
CC: abfab-ads@tools.ietf.org, abfab-chairs@tools.ietf.org, wlo@amsl.com

Dear Klaas Wierenga,

The sessions that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request.

abfab Session 1 (1.5 hours)
    Thursday, Morning Session I 0930-1130
    Room Name: 243
    ---------------------------------------------



Request Information:

- ---------------------------------------------------------
Working Group Name: Application Bridging for Federated Access Beyond web
Area Name: Security Area
Session Requester: Wanda Lo

Number of Sessions: 1
Length of Session(s):  1.5 hours
Number of Attendees: 40
Conflicts to Avoid:
 First Priority: xmpp, radext, karp, oauth, dnsext, lisp, 6lowpan,
httpbis, websec, dane, kitten, krb-wg, emu, nea, sidr, saag, eai, dime


 BOF or IRTF Session: in general any Security Area WG or BOFs


Special Requests:
  we have been on the Friday 4 times in a row now, would be nice to be
on another day for a change, but no big deal if not.
- ---------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9HPlcACgkQ8Jx8FtbMZnf09gCgw92Mwdsq/LidkoP+Ma78hYo2
XWsAoL75ixGmTYj+zWOqTjVWY0nsQCW7
=JQMW
-----END PGP SIGNATURE-----

From alex@um.es  Wed Feb 29 02:54:30 2012
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D442F21F86B3; Wed, 29 Feb 2012 02:54:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.553
X-Spam-Level: 
X-Spam-Status: No, score=-6.553 tagged_above=-999 required=5 tests=[AWL=0.045,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQztIQEeeF6N; Wed, 29 Feb 2012 02:54:30 -0800 (PST)
Received: from xenon14.um.es (xenon14.um.es [155.54.212.168]) by ietfa.amsl.com (Postfix) with ESMTP id 3C39321F8827; Wed, 29 Feb 2012 02:54:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon14.um.es (Postfix) with ESMTP id E08FE5D4DC; Wed, 29 Feb 2012 11:54:28 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon14.um.es
Received: from xenon14.um.es ([127.0.0.1]) by localhost (xenon14.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id JnaXnfYX5pbv; Wed, 29 Feb 2012 11:54:28 +0100 (CET)
Received: from [155.54.205.90] (inf-205-90.inf.um.es [155.54.205.90]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon14.um.es (Postfix) with ESMTPSA id 9C3C85D53A; Wed, 29 Feb 2012 11:54:28 +0100 (CET)
Message-ID: <4F4E03E3.8070006@um.es>
Date: Wed, 29 Feb 2012 11:54:27 +0100
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "radext@ietf.org" <radext@ietf.org>,  "abfab@ietf.org" <abfab@ietf.org>
References: <20120229104634.26066.95888.idtracker@ietfa.amsl.com>
In-Reply-To: <20120229104634.26066.95888.idtracker@ietfa.amsl.com>
X-Forwarded-Message-Id: <20120229104634.26066.95888.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------000101010201040303090306"
Subject: [abfab] FYI: New Version Notification for draft-perez-radext-radius-fragmentation-01.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Feb 2012 10:54:30 -0000

This is a multi-part message in MIME format.
--------------000101010201040303090306
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit


-------- Original message --------
Subject: 	New Version Notification for draft-perez-radext-radius-fragmentation-01.txt
Date: 	Wed, 29 Feb 2012 02:46:34 -0800
From: 	internet-drafts@ietf.org



A new version of I-D, draft-perez-radext-radius-fragmentation-01.txt has been successfully submitted by Alejandro Perez-Mendez and posted to the IETF repository.

Filename:	 draft-perez-radext-radius-fragmentation
Revision:	 01
Title:		 Support of fragmentation of RADIUS packets
Creation date:	 2012-02-29
WG ID:		 Individual Submission
Number of pages: 12

Abstract:
    This document describes a mechanism providing fragmentation support
    of RADIUS packets that exceed the 4 KB limit.




The IETF Secretariat


--------------000101010201040303090306--
