
From turners@ieca.com  Tue Feb  1 07:41:33 2011
Message-ID: <4D482A6D.30308@ieca.com>
Date: Tue, 01 Feb 2011 10:44:45 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslvd1e55g8.fsf@mit.edu> <4D3DF812.80108@sunet.se>	<4D3EB2D3.8000604@cisco.com> <4D3ECF30.7050503@sunet.se>	<tslipxd3wdx.fsf@mit.edu> <4D3EDD5A.3050003@sunet.se>	<tslaaip3t8p.fsf@mit.edu> <4D3F290B.1070505@ieca.com> <tsl62tb3hh4.fsf@mit.edu>
In-Reply-To: <tsl62tb3hh4.fsf@mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] OIDs
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2011 15:41:33 -0000

No word back from IANA yet, but I've pinged them again.  I'm hoping that 
we could get an OID here:

http://www.iana.org/assignments/smi-numbers

under this arc:

Prefix: iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5)

Decimal   Name          Description                           References
-------   ----          ------------------------------------  ----------
       0   Reserved                                            [IANA]
       1   SPKM          Simple Public Key Mechanism           [Adams]
       2   SNEGO         Simple GSS-API Negotiation            [Pinkas]
       3   PIM           PEM-Based IDUP Mechanism              [Adams]
       4   MIM           MSP-Based IDUP Mechanism              [Adams]
       5   p7im          PKCS #7-Based IDUP Mechanism          [Adams]
       6   meim          MOSS-Enabling IDUP Mechanism          [Adams]
       7   pkix          Public Key Infrastructure             [Housley]
       8   ipsec         IPsec Key Management                  [Thayer]
       9   lipkey        LIPKEY Mechanism Using SPKM           [RFC2847]
      10   iakerb        IAKERB GSS-API Mechanism              [Trostle]
      11   ltans         Long-Term Archive and Notary Services [Housley]
      12   msec          Multicast Security                    [RFC4534]
      13   gsscma        GSS_C_MA Mechanism Attributes         [RFC5587]
      14   scramsha1     SCRAM-SHA-1                           [RFC5802]

we'd try to get the next # (assuming 15) and then we can manage the arc 
under that.  Sound like a plan?

spt

On 1/26/11 8:46 AM, Sam Hartman wrote:
>>>>>> "Sean" == Sean Turner<turners@ieca.com>  writes:
>
>      Sean>  Sam,
>
>      Sean>  The question is whether you think we should get a new OID
>      Sean>  every time the syntax changes.  I agree that assigning an OID
>      Sean>  out of an "experimental" and then changing it to an
>      Sean>  "operational" arc if the syntax didn't change is kind of a
>      Sean>  waste of time.  I have this vague notion of the syntax
>      Sean>  changing a lot.  If the WG doesn't think that's going to
>      Sean>  happen then we probably don't have to go the experimental then
>      Sean>  switch to operational route.
>
> I haven't answered this directly because  syntax is a poorly defined
> term here.
> These OIDs do not describe objects encoded using ASN.1.
>
> If we were using ASN.1 I'd say that whenever we changed the syntax since
> the last used version, we should change the OID. By last used version, I
> mean any version that someone claimed to have implemented. If we
> published draft 2 today and found a minor error and fixed it in draft 3
> tomorrow I would not typically require an OID change even if the syntax
> changed.
>
> Here, I think we should change the OID if things change in a manner that
> breaks compatibility.  We have some extension points in the spec so many
> of the things we might want to do would not involve an OID change.  One
> thing we've discussed (support for null GSS target names) probably
> should involve an OID change because it changes the semantics (and
> probably syntax) of the first message from client to server.
>
> I expect we'll have one OID change from the OID in Luke's private arc
> we're having today (for the target name change above).  Around that time
> I expect there will be people using the code and past that point I think
> we'd need to be fairly strict about OID changes. I don't see a need for
> any spec changes that would require an OID change beyond that point,
> which realistically means it will probably happen once or twice. (There
> are always changes you don't anticipate.)
>
> --Sam
>
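
Added example, not part of the original thread and not code from the WG or
Project Moonshot: GSS-API peers select a mechanism by the OID carried in the
initial context token (RFC 2743, section 3.1), so giving an incompatible wire
format a new OID makes an old acceptor reject it instead of misparsing it.
The arc 1.3.6.1.5.5.15 is the "assuming 15" guess from the message above, and
the child OIDs .1 and .2 are hypothetical.

```python
"""GSS-API initial-token framing (RFC 2743, section 3.1), keyed on the mech OID."""

MECHANISMS_ARC = (1, 3, 6, 1, 5, 5)      # iso.org.dod.internet.security.mechanisms
ASSUMED_WG_ARC = MECHANISMS_ARC + (15,)  # "assuming 15" in the thread; not an assignment
MECH_OLD = ASSUMED_WG_ARC + (1,)         # hypothetical child: current wire format
MECH_NEW = ASSUMED_WG_ARC + (2,)         # hypothetical child: after an incompatible change


def _base128(n):
    """Encode one sub-identifier as big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf, pos):
    """Read a definite length at buf[pos]; return (length, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def encode_oid(arcs):
    """Return the DER encoding (tag 0x06, length, body) of an OID tuple."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = _base128(40 * arcs[0] + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body


def decode_oid_body(body):
    """Decode the body of a DER OID (without tag and length) to a tuple."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, cur, at_start = [], 0, True
    for b in body:
        if at_start and b == 0x80:
            raise ValueError("non-minimal sub-identifier")
        cur = (cur << 7) | (b & 0x7F)
        at_start = not (b & 0x80)
        if at_start:
            subids.append(cur)
            cur = 0
    first = subids[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return head + tuple(subids[1:])


def wrap_initial_token(mech, inner):
    """Frame a mechanism-specific token: 0x60, length, mech OID, inner bytes."""
    oid = encode_oid(mech)
    return b"\x60" + _der_len(len(oid) + len(inner)) + oid + inner


def parse_initial_token(token):
    """Return (mech OID tuple, inner token); reject malformed framing."""
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    total, pos = _read_len(token, 1)
    if pos + total != len(token):
        raise ValueError("length mismatch")
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _read_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("OID overruns token")
    return decode_oid_body(token[pos:pos + oid_len]), token[pos + oid_len:]


def dispatch(token, supported):
    """Hand the inner token to a handler only when the mech OID is known."""
    mech, inner = parse_initial_token(token)
    if mech not in supported:
        raise LookupError("unsupported mechanism " + ".".join(map(str, mech)))
    return supported[mech], inner


if __name__ == "__main__":
    acceptor = {MECH_OLD: "old-format handler"}   # acceptor that predates the change
    print(encode_oid(MECH_OLD).hex())
    print(dispatch(wrap_initial_token(MECH_OLD, b"constructed"), acceptor))
    try:
        dispatch(wrap_initial_token(MECH_NEW, b"constructed"), acceptor)
    except LookupError as exc:
        print("rejected:", exc)
```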

From Josh.Howlett@ja.net  Thu Feb  3 05:32:07 2011
From: Josh Howlett <Josh.Howlett@ja.net>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: FYI: Project Moonshot meeting, 24-25 March, Prague
Thread-Index: Acuybc97e9f77F4IQ5qWjw4ryf0sqgROQ1ew
Date: Thu, 3 Feb 2011 13:35:47 +0000
Message-ID: <55DC663C2F4F9F439F23543E0078E8B30A1C4A@EXC001>
References: <55DC663C2F4F9F439F23543E0078E8B30579C0@EXC001>
In-Reply-To: <55DC663C2F4F9F439F23543E0078E8B30579C0@EXC001>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.1.5.219]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Josh Howlett <Josh.Howlett@ja.net>
Subject: Re: [abfab] FYI: Project Moonshot meeting, 24-25 March, Prague

FYI this meeting is now confirmed in Prague from 24-25 March, immediately
preceding IETF 80. This is an open meeting, but please let me know if you
plan to attend. More details to follow.

Josh.

> -----Original Message-----
> From: Josh Howlett
> Sent: Wednesday, January 12, 2011 3:32 PM
> To: abfab@ietf.org
> Cc: Josh Howlett
> Subject: FYI: Project Moonshot meeting, 24-25 March, Prague
>
> Project Moonshot, which is building an Abfab implementation, is
> planning to have its second meeting on 24-25 March in Prague,
> immediately preceding IETF 80. We will be discussing our implementation
> on Thursday, and testing it on Friday.
>
> There will not be any Abfab standardisation-related discussion,
> although we will bring any issues that arise during our discussions to
> the Abfab WG meeting where they are relevant.
>
> This is an open meeting. However, space is limited and so please let me
> know if you would like to attend.
>
> Josh.



From trevorf@exchange.microsoft.com  Thu Feb  3 14:53:02 2011
From: Trevor Freeman <trevorf@exchange.microsoft.com>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: New Non-WG Mailing List: plasma -- The PoLicy Augmented S/Mime (plasma) bof discussion list 
Thread-Index: AQHLw9yivq43kBjCWECyGh2rxiIIN5PwYj2g
Date: Thu, 3 Feb 2011 22:56:23 +0000
Message-ID: <E545B914D50B2A4B994F198378B1525D1AC80F92@DF-M14-12.exchange.corp.microsoft.com>
References: <20110203195424.DEC1A3A6ACC@core3.amsl.com>
In-Reply-To: <20110203195424.DEC1A3A6ACC@core3.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.100]
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Cc: "jimsch@nwlink.com" <jimsch@nwlink.com>, Trevor Freeman <trevorf@exchange.microsoft.com>
Subject: [abfab] FW: New Non-WG Mailing List: plasma -- The PoLicy Augmented S/Mime (plasma) bof discussion list

PLASMA - Policy Augmented S/Mime

Description: Current S/MIME mechanisms provide cryptographic access to the
message based on the identity of the recipient at the time of transmission.
Any additional access control enforcement depends on the configuration of
the recipients email client. Several Internet-Drafts have been submitted
that establish a more robust access control mechanism where cryptographic
access to the message is only granted after the access check.

This proposed working group would develop a framework for enforcing a more
robust access control mechanism, based on existing CMS, S/MIME and
SAML-based policy enforcement standards. The working group will also
develop any necessary extensions to these base protocols specific to this
problem space.

Given the mutual interest in SAML - this work may be of interest to some of
you.

-----Original Message-----
From: IETF Secretariat [mailto:ietf-secretariat@ietf.org]
Sent: Thursday, February 03, 2011 11:54 AM
To: IETF Announcement list
Cc: plasma@ietf.org; jimsch@nwlink.com; Trevor Freeman
Subject: New Non-WG Mailing List: plasma -- The PoLicy Augmented S/Mime (plasma) bof discussion list

A new IETF non-working group email list has been created.

List address: plasma@ietf.org
Archive: http://www.ietf.org/mail-archive/web/plasma/
To subscribe: https://www.ietf.org/mailman/listinfo/plasma

Description:
Current S/MIME mechanisms provide cryptographic access to the message based
on the identity of the recipient at the time of transmission. Any additional
access control enforcement depends on the configuration of the recipients
email client. Several Internet-Drafts have been submitted that establish a
more robust access control mechanism where cryptographic access to the
message is only granted after the access check. This list is devoted to the
discussion of these drafts and any related future submissions.

For additional information, please contact the list administrators.

From ietf@augustcellars.com  Fri Feb  4 14:36:56 2011
From: "Jim Schaad" <ietf@augustcellars.com>
To: <abfab@ietf.org>, <plasma@ietf.org>
References: <20110203195424.DEC1A3A6ACC@core3.amsl.com> <E545B914D50B2A4B994F198378B1525D1AC80F92@DF-M14-12.exchange.corp.microsoft.com>
In-Reply-To: <E545B914D50B2A4B994F198378B1525D1AC80F92@DF-M14-12.exchange.corp.microsoft.com>
Date: Fri, 4 Feb 2011 15:00:18 -0800
Message-ID: <005701cbc4bf$4ba0fb30$e2e2f190$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFp21AcUcEMBZHlO9sjhNrVDy5kBgEZvIDHlKz2J5A=
Content-Language: en-us
Subject: Re: [abfab] FW: New Non-WG Mailing List: plasma -- The PoLicy Augmented S/Mime (plasma) bof discussion list

I would like to add a few additional things to this as well.

We are currently looking at a proposal that is based on WS-Trust (SOAP based
token system) for communications between the mail client and the mail policy
server and, while using SAML, are placing how the SAML assertion(s) are
obtained out of scope.   However I think that a good alternative to this
might be to look at using the ABFAB architecture.  We would then have the
mail client talking some protocol to the mail policy server which would be
using the ABFAB architecture to talk AAA to the correct identity service.
In some cases the identity service and the mail policy server would be
co-located, but this would be invisible to the mail client.

Doing this would simplify things as the correct SAML assertion would be
obtained by the policy server and it can ask for the type of details that it
wants without the client having to try and guess what is required.  On the
other hand it might complicate issues as we are looking at the ability for
the mail policy service to issue "short-term" tokens to the mail client
after having gone through a full policy check that stands in for abilities.
Thus not all of the ABFAB EAP would be used all of the time.

If you have an interest in talking about this, it would be better to join
the PLASMA mailing list and respond there.

Jim


> -----Original Message-----
> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf Of
> Trevor Freeman
> Sent: Thursday, February 03, 2011 2:56 PM
> To: abfab@ietf.org
> Cc: jimsch@nwlink.com; Trevor Freeman
> Subject: [abfab] FW: New Non-WG Mailing List: plasma -- The PoLicy
> Augmented S/Mime (plasma) bof discussion list
> 
> PLASMA - Policy Augmented S/Mime
> 
> Description: Current S/MIME mechanisms provide cryptographic access to the
> message based on the identity of the recipient at the time of transmission.
> Any additional access control enforcement depends on the configuration of
> the recipients email client. Several Internet-Drafts have been submitted
> that establish a more robust access control mechanism where cryptographic
> access to the message is only granted after the access check.
> 
> This proposed working group would develop a framework for enforcing a more
> robust access control mechanism, based on existing CMS, S/MIME and
> SAML-based policy enforcement standards. The working group will also
> develop any necessary extensions to these base protocols specific to this
> problem space.
> 
> Given the mutual interest in SAML - this work may be of interest to some of
> you.
> 
> -----Original Message-----
> From: IETF Secretariat [mailto:ietf-secretariat@ietf.org]
> Sent: Thursday, February 03, 2011 11:54 AM
> To: IETF Announcement list
> Cc: plasma@ietf.org; jimsch@nwlink.com; Trevor Freeman
> Subject: New Non-WG Mailing List: plasma -- The PoLicy Augmented S/Mime
> (plasma) bof discussion list
> 
> A new IETF non-working group email list has been created.
> 
> List address: plasma@ietf.org
> Archive: http://www.ietf.org/mail-archive/web/plasma/
> To subscribe: https://www.ietf.org/mailman/listinfo/plasma
> 
> Description:
> Current S/MIME mechanisms provide cryptographic access to the message
> based on the identity of the recipient at the time of transmission. Any
> additional access control enforcement depends on the configuration of the
> recipients email client. Several Internet-Drafts have been submitted that
> establish a more robust access control mechanism where cryptographic
> access to the message is only granted after the access check. This list is
> devoted to the discussion of these drafts and any related future
> submissions.
> 
> For additional information, please contact the list administrators.
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From leifj@mnt.se  Sat Feb  5 07:04:40 2011
Message-ID: <4D4D67D3.8090101@mnt.se>
Date: Sat, 05 Feb 2011 16:08:03 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [abfab] OID plan

After a few roundtrips with IANA and thanks to our AD we have the 
following proposal for the WG on how to handle OIDs:

We'll ask for (and very likely receive) an ARC from IANA. Sean will be 
the source of the ARC. The WG will maintain the registry for the ARC in 
the form of an I-D that we'll maintain as we go along and as 
implementation experience shows the need for updates and allocation of 
new OIDs. As the core documents are finalized we'll turn the whole 
registry over to IANA or publish it as an RFC or fold it into the 
appropriate documents.

How does that sound?

         Cheers Leif

From leifj@mnt.se  Wed Feb  9 04:03:52 2011
Message-ID: <4D5282AB.9010109@mnt.se>
Date: Wed, 09 Feb 2011 13:03:55 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: "abfab@ietf.org" <abfab@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [abfab] Fwd: New Version Notification for draft-ietf-kitten-gssapi-naming-exts-09

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- -------- Original Message --------
Subject: New Version Notification for
draft-ietf-kitten-gssapi-naming-exts-09
Date: Wed,  9 Feb 2011 04:02:34 -0800 (PST)
From: IETF I-D Submission Tool <idsubmission@ietf.org>
To: leifj@sunet.se
CC: Nicolas.Williams@sun.com


A new version of I-D, draft-ietf-kitten-gssapi-naming-exts-09.txt has
been successfully submitted by Leif Johansson and posted to the IETF
repository.

Filename:	 draft-ietf-kitten-gssapi-naming-exts
Revision:	 09
Title:		 GSS-API Naming Extensions
Creation_date:	 2011-02-06
WG ID:		 kitten
Number_of_pages: 16

Abstract:
The Generic Security Services API (GSS-API) provides a simple naming
architecture that supports name-based authorization.  This document
introduces new APIs that extend the GSS-API naming model to support
name attribute transfer between GSS-API peers.




The IETF Secretariat.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1SgqsACgkQ8Jx8FtbMZncEWwCeOHWJ+064i64sqchql3M26G0Y
DsQAoLQyx5efNICp/Ui9WoY5tsFIZi8Y
=7zwv
-----END PGP SIGNATURE-----

From ietf@augustcellars.com  Wed Feb  9 15:53:57 2011
From: "Jim Schaad" <ietf@augustcellars.com>
To: <abfab@ietf.org>
Date: Wed, 9 Feb 2011 16:14:36 -0800
Message-ID: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AcvItcBuvPcfvav9TgWuz8M9cY+C2A==
Content-Language: en-us
Subject: [abfab] Session Naming on GSS-API

I have been looking at what would be required to use the PLASMA concepts
with ABFAB and I came up with the following issue which I think might need
to be addressed, despite the fact that the general issue is going to be
considered to be out of scope.

Consider the following scenario:

1. Client talks to the service provider (for me the key service) using SOAP
   messages wrapped in GSS-API.
2. The service provider says - I never heard of you but you say this ID
   service will vouch for you.  Set up the EAP connection.
3. Client talks to the ID service using EAP wrapped in GSS-API.
4. Service provider says I need some additional information and you need to
   talk to ID service 2.  Set up the EAP connection.
5. Client talks to ID service #2 using EAP wrapped in GSS-API.
.... and so forth....

While we don't want to address the problems associated with the question of
dealing with the second EAP session, I think that we do need to have a
discussion on the naming convention that needs to occur for the attributes
of an EAP session.  How would we distinguish between the same attribute for
each of the two different EAP sessions?  Remember that they may have
different attributes as the EAP methods could be separate.  Also I wonder if
we need to consider that the two different EAP sessions could be
authenticating to the same ID service, but named differently.

Jim



From Josh.Howlett@ja.net  Thu Feb 10 01:23:20 2011
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8144F3A6937 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 01:23:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JU1eUwcPAXW7 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 01:23:19 -0800 (PST)
Received: from egw001.ukerna.ac.uk (egw001.ukerna.ac.uk [194.82.140.74]) by core3.amsl.com (Postfix) with ESMTP id A861D3A6923 for <abfab@ietf.org>; Thu, 10 Feb 2011 01:23:19 -0800 (PST)
Received: from egw001.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 633981A9A2FB_D53AE92B; Thu, 10 Feb 2011 09:23:30 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw001.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 53DB91A9A2F9_D53AE92F; Thu, 10 Feb 2011 09:23:30 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.01.0218.012; Thu, 10 Feb 2011 09:23:51 +0000
From: Josh Howlett <Josh.Howlett@ja.net>
To: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Session Naming on GSS-API
Thread-Index: AcvItcBuvPcfvav9TgWuz8M9cY+C2AATc/pQ
Date: Thu, 10 Feb 2011 09:23:51 +0000
Message-ID: <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com>
In-Reply-To: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Josh Howlett <Josh.Howlett@ja.net>
Subject: Re: [abfab] Session Naming on GSS-API
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 09:23:20 -0000

> While we don't want to address the problems associated with the question
> of dealing with the second EAP session, I think that we do need to have a
> discussion on the naming convention that needs to occur for the attributes
> of EAP session.  How would we distinguish between the same attribute for
> each of the two different EAP sessions.  Remember that they may have
> different attributes as the EAP methods could be separate.  Also I wonder
> if we need to consider that the two different EAP sessions could be
> authenticating to the same ID service, but named differently.

There is some discussion of this issue in section 5 of gssapi-naming-exts.

Josh.



From lear@cisco.com  Thu Feb 10 01:30:29 2011
Return-Path: <lear@cisco.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66A763A6A0B for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 01:30:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.299
X-Spam-Level: 
X-Spam-Status: No, score=-110.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rm9Y4q+yiAyg for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 01:30:23 -0800 (PST)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by core3.amsl.com (Postfix) with ESMTP id 2EDC53A69FB for <abfab@ietf.org>; Thu, 10 Feb 2011 01:30:16 -0800 (PST)
Authentication-Results: ams-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkMEAF4/U02Q/khLgWdsb2JhbACEHaFOFQEBFiIknyOKb5BDgSeDP3YEi3k
X-IronPort-AV: E=Sophos;i="4.60,451,1291593600"; d="scan'208";a="18844844"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-2.cisco.com with ESMTP; 10 Feb 2011 09:30:23 +0000
Received: from ams3-vpn-dhcp4404.cisco.com (ams3-vpn-dhcp4404.cisco.com [10.61.81.51]) by ams-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p1A9UMkB023176; Thu, 10 Feb 2011 09:30:23 GMT
Message-ID: <4D53B01B.7010904@cisco.com>
Date: Thu, 10 Feb 2011 10:30:03 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Leif Johansson <leifj@mnt.se>
References: <4D4D67D3.8090101@mnt.se>
In-Reply-To: <4D4D67D3.8090101@mnt.se>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: abfab@ietf.org
Subject: Re: [abfab] OID plan
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 09:30:29 -0000

This sounds fine.

On 2/5/11 4:08 PM, Leif Johansson wrote:
>
> After a few roundtrips with IANA and thanks to our AD we have the
> following proposal for the WG on how to handle OIDs:
>
> We'll ask for (and very likely receive) an ARC from IANA. Sean will be
> the source of the ARC. The WG will maintain the registry for the ARC
> in the form of an I-D that we'll maintain as we go along and as
> implementation experience shows the need for updates and allocation of
> new OIDs. As the core documents are finalized we'll turn the whole
> registry over to IANA or publish it as an RFC or fold it into the
> appropriate documents.
>
> How does that sound?
>
>         Cheers Leif

From leifj@sunet.se  Thu Feb 10 02:19:30 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA38D3A6941 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 02:19:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l8mzMck8OnxE for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 02:19:28 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 801513A6847 for <abfab@ietf.org>; Thu, 10 Feb 2011 02:19:28 -0800 (PST)
Received: from [192.36.125.230] (dhcp.pilsnet.sunet.se [192.36.125.230]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1AAJaIo023107 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Thu, 10 Feb 2011 11:19:39 +0100 (CET)
Message-ID: <4D53BBB8.7060901@sunet.se>
Date: Thu, 10 Feb 2011 11:19:36 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <4D4D67D3.8090101@mnt.se> <4D53B01B.7010904@cisco.com>
In-Reply-To: <4D53B01B.7010904@cisco.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] OID plan
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 10:19:30 -0000

> This sounds fine.
>

Any other voices of dissent or approval?

From hartmans@painless-security.com  Thu Feb 10 04:27:10 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3ED763A6980 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 04:27:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jn5ZI+6bq6a5 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 04:27:09 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 8C49C3A694F for <abfab@ietf.org>; Thu, 10 Feb 2011 04:27:09 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 6E28020167; Thu, 10 Feb 2011 07:25:11 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 340DE4307; Thu, 10 Feb 2011 07:27:14 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: Josh Howlett <Josh.Howlett@ja.net>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001>
Date: Thu, 10 Feb 2011 07:27:14 -0500
In-Reply-To: <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> (Josh Howlett's message of "Thu, 10 Feb 2011 09:23:51 +0000")
Message-ID: <tsl4o8c6pnh.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 12:27:10 -0000

Why wouldn't these two separate EAP sessions belong to separate gssapi
contexts and thus separate initiator names?
Also, Nico had been considering proposing adding a mechanism to add an
issuer to a name attribute which may help here.

From hartmans@painless-security.com  Thu Feb 10 05:47:12 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 846383A69C7 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 05:47:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9CmEkLx9DeE for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 05:47:11 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id D30513A6997 for <abfab@ietf.org>; Thu, 10 Feb 2011 05:47:11 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 25DF120246; Thu, 10 Feb 2011 08:45:14 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 069424307; Thu, 10 Feb 2011 08:47:17 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@sunet.se>
References: <4D4D67D3.8090101@mnt.se> <4D53B01B.7010904@cisco.com> <4D53BBB8.7060901@sunet.se>
Date: Thu, 10 Feb 2011 08:47:16 -0500
In-Reply-To: <4D53BBB8.7060901@sunet.se> (Leif Johansson's message of "Thu, 10 Feb 2011 11:19:36 +0100")
Message-ID: <tslvd0s57dn.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: abfab@ietf.org
Subject: Re: [abfab] OID plan
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 13:47:12 -0000

I think I'd said this sounded fine before the plan was finalized.

From cantor.2@osu.edu  Thu Feb 10 07:17:39 2011
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 018B53A691E for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:17:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eeP1SY1s3qoF for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:17:38 -0800 (PST)
Received: from defang12.it.ohio-state.edu (defang12.it.ohio-state.edu [128.146.216.21]) by core3.amsl.com (Postfix) with ESMTP id BD3E03A67AC for <abfab@ietf.org>; Thu, 10 Feb 2011 07:17:35 -0800 (PST)
Received: from CIO-KRC-HT01.osuad.osu.edu ([164.107.81.38]) by defang12.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id p1AFHZIl006948; Thu, 10 Feb 2011 10:17:39 -0500
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT01.osuad.osu.edu ([2002:a46b:5126::a46b:5126]) with mapi; Thu, 10 Feb 2011 10:14:39 -0500
From: "Cantor, Scott E." <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, Josh Howlett <Josh.Howlett@ja.net>
Thread-Topic: [abfab] Session Naming on GSS-API
Thread-Index: AcvItcBuvPcfvav9TgWuz8M9cY+C2AATc/pQABEMWAAABIxe8A==
Date: Thu, 10 Feb 2011 15:17:31 +0000
Message-ID: <7EE86E89365CA94F8E7B8251F926071007B4B2@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu>
In-Reply-To: <tsl4o8c6pnh.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CanIt-Geo: ip=164.107.81.38; country=US; region=OH; city=Wooster; postalcode=44691; latitude=40.8077; longitude=-81.9730; metrocode=510; areacode=330; http://maps.google.com/maps?q=40.8077,-81.9730&z=6
X-CanItPRO-Stream: outbound
X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.21
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 15:17:39 -0000

> Also, Nico had been considering proposing adding a mechanism to add an
> issuer to a name attribute which may help here.

I'm strongly in favor of that, though obviously if you change the draft
APIs, any number of improvements become possible.

-- Scott


From hartmans@painless-security.com  Thu Feb 10 07:54:40 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 489523A6886 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:54:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FwRRj1x+N2iG for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:54:39 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 985643A67B1 for <abfab@ietf.org>; Thu, 10 Feb 2011 07:54:39 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 0F8432022C; Thu, 10 Feb 2011 10:52:42 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 2C6AC4307; Thu, 10 Feb 2011 10:54:43 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott E." <cantor.2@osu.edu>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007B4B2@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Thu, 10 Feb 2011 10:54:43 -0500
In-Reply-To: <7EE86E89365CA94F8E7B8251F926071007B4B2@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott E. Cantor's message of "Thu, 10 Feb 2011 15:17:31 +0000")
Message-ID: <tslmxm36g1o.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Josh Howlett <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 15:54:40 -0000

>>>>> "Cantor," == Cantor, Scott E <cantor.2@osu.edu> writes:

    >> Also, Nico had been considering proposing adding a mechanism to
    >> add an issuer to a name attribute which may help here.

    Cantor,> I'm strongly in favor of that, though obviously if you
    Cantor,> change the draft APIs, any number of improvements become
    Cantor,> possible.

I think the plan was to add a new API as the existing APIs have shipped.
So, get_name_attribute_issuer.
The problem there is how to handle multi-valued name attributes with
different issuers.

From turners@ieca.com  Thu Feb 10 07:58:13 2011
Return-Path: <turners@ieca.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B50693A67B1 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:58:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.398
X-Spam-Level: 
X-Spam-Status: No, score=-102.398 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kVhIr7IkFZze for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:58:12 -0800 (PST)
Received: from nm21.bullet.mail.sp2.yahoo.com (nm21.bullet.mail.sp2.yahoo.com [98.139.91.91]) by core3.amsl.com (Postfix) with SMTP id CB1763A6778 for <abfab@ietf.org>; Thu, 10 Feb 2011 07:58:12 -0800 (PST)
Received: from [98.139.91.62] by nm21.bullet.mail.sp2.yahoo.com with NNFMP; 10 Feb 2011 15:58:25 -0000
Received: from [98.139.91.26] by tm2.bullet.mail.sp2.yahoo.com with NNFMP; 10 Feb 2011 15:58:25 -0000
Received: from [127.0.0.1] by omp1026.mail.sp2.yahoo.com with NNFMP; 10 Feb 2011 15:58:25 -0000
X-Yahoo-Newman-Id: 571457.5765.bm@omp1026.mail.sp2.yahoo.com
Received: (qmail 77563 invoked from network); 10 Feb 2011 15:58:25 -0000
Received: from thunderfish.local (turners@96.231.115.153 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 10 Feb 2011 07:58:25 -0800 PST
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: 2f9mH_IVM1laxy9t8B0vghzbYE1lN31DFNTWn6hRhdWk4lr S08ta9Oo.UIZtsywsRUoiEgc_rlY5Vpj3MlNyMLbn6hgMSl..x32ivjAHaMR H79FN6SJHOY2pSD5nsGqB2C7Cah_VBjuBp1uhUACZEA0GanjegS1DuLOeprU H2eSe__1gIdvUQoYI9uPlUNYGvcQR0rdeG.dxx02eSLo8h9KeJV0s34dHab7 hdvf217hYh.v3hU2DNzunHn5z3FKOeauBviInU1Uop4x15vTY4pYbPQGIB2e UfmmHsaeKVC_Im7ysWQj.M21lXHDUg7ckpw--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4D540B1F.4050200@ieca.com>
Date: Thu, 10 Feb 2011 10:58:23 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Leif Johansson <leifj@mnt.se>
References: <4D4D67D3.8090101@mnt.se>
In-Reply-To: <4D4D67D3.8090101@mnt.se>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: abfab@ietf.org
Subject: Re: [abfab] OID plan
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 15:58:13 -0000

So the OID arc has been assigned:
http://www.iana.org/assignments/smi-numbers

Note the one change is that instead of me being the registrar it's the 
IESG.  I didn't think that was a big deal.

Happy OIDing.

spt

On 2/5/11 10:08 AM, Leif Johansson wrote:
>
> After a few roundtrips with IANA and thanks to our AD we have the
> following proposal for the WG on how to handle OIDs:
>
> We'll ask for (and very likely receive) an ARC from IANA. Sean will be
> the source of the ARC. The WG will maintain the registry for the ARC in
> the form of an I-D that we'll maintain as we go along and as
> implementation experience shows the need for updates and allocation of
> new OIDs. As the core documents are finalized we'll turn the whole
> registry over to IANA or publish it as an RFC or fold it into the
> appropriate documents.
>
> How does that sound?
>
> Cheers Leif
>

From cantor.2@osu.edu  Thu Feb 10 07:59:53 2011
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8382B3A67D7 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:59:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NatfK1cPn6IX for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 07:59:52 -0800 (PST)
Received: from defang16.it.ohio-state.edu (defang16.it.ohio-state.edu [128.146.216.130]) by core3.amsl.com (Postfix) with ESMTP id 820CC3A6778 for <abfab@ietf.org>; Thu, 10 Feb 2011 07:59:52 -0800 (PST)
Received: from CIO-TNC-HT06.osuad.osu.edu ([164.107.81.172]) by defang16.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id p1AFvsep024278; Thu, 10 Feb 2011 11:00:01 -0500
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-TNC-HT06.osuad.osu.edu ([fe80::8c6c:9f26:5aa2:4458%25]) with mapi; Thu, 10 Feb 2011 10:56:28 -0500
From: "Cantor, Scott E." <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] Session Naming on GSS-API
Thread-Index: AcvItcBuvPcfvav9TgWuz8M9cY+C2AATc/pQABEMWAAABIxe8AACsq2AAApi/lA=
Date: Thu, 10 Feb 2011 15:59:21 +0000
Message-ID: <7EE86E89365CA94F8E7B8251F926071007B515@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007B4B2@CIO-KRC-D1MBX01.osuad.osu.edu> <tslmxm36g1o.fsf@mit.edu>
In-Reply-To: <tslmxm36g1o.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CanIt-Geo: ip=164.107.81.172; country=US; region=OH; city=Wooster; postalcode=44691; latitude=40.8077; longitude=-81.9730; metrocode=510; areacode=330; http://maps.google.com/maps?q=40.8077,-81.9730&z=6
X-CanItPRO-Stream: outbound
X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.130
Cc: Josh Howlett <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 15:59:53 -0000

> I think the plan was to add a new API as the existing APIs have shipped.
> So, get_name_attribute_issuer.
> The problem there is how to handle multi-valued name attributes with
> different issuers.

I think I'd want to see a new type created to represent a handle to a
specific name attribute, and then the ability to get those handles, and
pass them back into new APIs for getting values, metadata, etc.

IOW, I don't think the current APIs are right to reference them by name
only, and I'd deprecate them in favor of getting it right. The old ones
would still work as is, just without the ability to make such distinctions.

-- Scott
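
[Added illustration, not part of the thread and not code from any GSS-API draft or implementation.] A small C model of the two ideas discussed above: an issuer query keyed by attribute name alone becomes ambiguous once one name carries values from two ID services, while per-attribute handles keep each value tied to its issuer. Every type and function name below is hypothetical, and the attribute data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not GSS-API: one asserted value of a name attribute. */
struct attr_entry {
    const char *name;    /* attribute name */
    const char *issuer;  /* ID service whose EAP session supplied it */
    const char *value;
};

/* Constructed sample: one initiator name fed by two EAP sessions. */
static const struct attr_entry ATTRS[] = {
    { "affiliation", "idservice1.example", "staff" },
    { "affiliation", "idservice2.example", "student" },
    { "mail",        "idservice1.example", "user@idservice1.example" },
};
#define N_ATTRS ((int)(sizeof ATTRS / sizeof ATTRS[0]))

/* Name-only lookup: writes at most max values, returns the match count.
 * The caller learns the values but not which ID service asserted each. */
int values_by_name(const char *name, const char **out, int max)
{
    int n = 0;
    for (int i = 0; i < N_ATTRS; i++) {
        if (strcmp(ATTRS[i].name, name) != 0) continue;
        if (n < max) out[n] = ATTRS[i].value;
        n++;
    }
    return n;
}

/* Single-answer issuer query keyed by name only.
 * Returns 0 and sets *issuer, -1 if the name is absent,
 * -2 if the values for this name come from different issuers. */
int issuer_by_name(const char *name, const char **issuer)
{
    const char *found = NULL;
    for (int i = 0; i < N_ATTRS; i++) {
        if (strcmp(ATTRS[i].name, name) != 0) continue;
        if (found && strcmp(found, ATTRS[i].issuer) != 0) return -2;
        found = ATTRS[i].issuer;
    }
    if (!found) return -1;
    *issuer = found;
    return 0;
}

/* Handle-based variant: a handle identifies one (name, issuer, value). */
typedef int attr_handle;

int handles_by_name(const char *name, attr_handle *out, int max)
{
    int n = 0;
    for (int i = 0; i < N_ATTRS; i++) {
        if (strcmp(ATTRS[i].name, name) != 0) continue;
        if (n < max) out[n] = i;
        n++;
    }
    return n;
}

const char *handle_issuer(attr_handle h)
{
    return (h >= 0 && h < N_ATTRS) ? ATTRS[h].issuer : NULL;
}

const char *handle_value(attr_handle h)
{
    return (h >= 0 && h < N_ATTRS) ? ATTRS[h].value : NULL;
}

/* Acceptor-side check: is `value` asserted for `name` by `trusted_issuer`?
 * Only possible because each handle carries its own issuer. */
int asserted_by(const char *name, const char *value, const char *trusted_issuer)
{
    attr_handle h[8];
    int n = handles_by_name(name, h, 8);
    if (n > 8) n = 8;
    for (int i = 0; i < n; i++)
        if (strcmp(handle_value(h[i]), value) == 0 &&
            strcmp(handle_issuer(h[i]), trusted_issuer) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *issuer = NULL;
    printf("issuer_by_name(affiliation) = %d\n",
           issuer_by_name("affiliation", &issuer));
    printf("student asserted by idservice1? %d\n",
           asserted_by("affiliation", "student", "idservice1.example"));
    return 0;
}
```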


From leifj@sunet.se  Thu Feb 10 08:04:02 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0F3343A6778 for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 08:04:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lczp3mD+rk4B for <abfab@core3.amsl.com>; Thu, 10 Feb 2011 08:04:01 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id C97153A67B1 for <abfab@ietf.org>; Thu, 10 Feb 2011 08:04:00 -0800 (PST)
Received: from [192.36.125.230] (dhcp.pilsnet.sunet.se [192.36.125.230]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1AG499X002749 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Thu, 10 Feb 2011 17:04:12 +0100 (CET)
Message-ID: <4D540C79.3030307@sunet.se>
Date: Thu, 10 Feb 2011 17:04:09 +0100
From: Leif Johansson <leifj@sunet.se>
To: abfab@ietf.org
References: <4D4D67D3.8090101@mnt.se> <4D540B1F.4050200@ieca.com>
In-Reply-To: <4D540B1F.4050200@ieca.com>
Subject: Re: [abfab] OID plan

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/10/2011 04:58 PM, Sean Turner wrote:
> So the OID arc has been assigned:
> http://www.iana.org/assignments/smi-numbers
> 
> Note the one change is that instead of me being the registrar it's the
> IESG.  I didn't think that was a big deal.
> 
> Happy OIDing.
> 

Thank you Sean! Ideally I'd like a volunteer for maintaining the
registration I-D by Prague.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1UDHkACgkQ8Jx8FtbMZndFeACfbKHDiGlolJBuP51WaA5ELNL5
w58AoL9qi4zIUadz+7c15WNPR9ZeENYO
=i3VU
-----END PGP SIGNATURE-----

From hartmans@painless-security.com  Thu Feb 10 08:37:40 2011
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott E." <cantor.2@osu.edu>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007B4B2@CIO-KRC-D1MBX01.osuad.osu.edu> <tslmxm36g1o.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007B515@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Thu, 10 Feb 2011 11:37:43 -0500
In-Reply-To: <7EE86E89365CA94F8E7B8251F926071007B515@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott E. Cantor's message of "Thu, 10 Feb 2011 15:59:21 +0000")
Message-ID: <tslipwr6e20.fsf@mit.edu>
Cc: Josh Howlett <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API

>>>>> "Cantor," == Cantor, Scott E <cantor.2@osu.edu> writes:

    >> I think the plan was to add a new API as the existing APIs have
    >> shipped.  So, get_name_attribute_issuer.  The problem there is
    >> how to handle multi-valued name attributes with different
    >> issuers.

    Cantor,> I think I'd want to see a new type created to represent a
    Cantor,> handle to a specific name attribute, and then the ability
    Cantor,> to get those handles, and pass them back into new APIs for
    Cantor,> getting values, metadata, etc.

    Cantor,> IOW, I don't think the current APIs are right to reference
    Cantor,> them by name only, and I'd deprecate them in favor of
    Cantor,> getting it right. The old ones would still work as is, just
    Cantor,> without the ability to make such distinctions.

I'm fine with this plan for the future.  However if we're going to do
that we should publish the existing naming exts document roughly as-is
so people have something to work with while we futz.

(I note we're kind of in the wrong WG for this discussion.)

From cantor.2@osu.edu  Thu Feb 10 08:59:04 2011
From: "Cantor, Scott E." <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Date: Thu, 10 Feb 2011 16:59:09 +0000
Message-ID: <C979835B.481E%cantor.2@osu.edu>
In-Reply-To: <tslipwr6e20.fsf@mit.edu>
Cc: Josh Howlett <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API

On 2/10/11 11:37 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:
>I'm fine with this plan for the future.  However if we're going to do
>that we should publish the existing naming exts document roughly as-is
>so people have something to work with while we futz.
>
>(I note we're kind of in the wrong WG for this discussion.)

Yes, I was just seeing if there was general agreement about the fix.

-- Scott


From nico@cryptonector.com  Thu Feb 10 09:01:19 2011
In-Reply-To: <tslipwr6e20.fsf@mit.edu>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007B4B2@CIO-KRC-D1MBX01.osuad.osu.edu> <tslmxm36g1o.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007B515@CIO-KRC-D1MBX01.osuad.osu.edu> <tslipwr6e20.fsf@mit.edu>
Date: Thu, 10 Feb 2011 11:01:30 -0600
Message-ID: <AANLkTikvYk4Rfje9HNFVf2=GwXfydA_bcYhR39a5MD8X@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans@painless-security.com>
Cc: Josh Howlett <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Session Naming on GSS-API

On Thu, Feb 10, 2011 at 10:37 AM, Sam Hartman
<hartmans@painless-security.com> wrote:
> I'm fine with this plan for the future.  However if we're going to do
> that we should publish the existing naming exts document roughly as-is
> so people have something to work with while we futz.
>
> (I note we're kind of in the wrong WG for this discussion.)

There are API designs that do less violence to the existing one, so
that's something to discuss at KITTEN WG, as you point out.  For now
it's good enough to know that we have to deal with this problem.

Nico
--

From smith@Cardiff.ac.uk  Thu Feb 10 09:14:28 2011
From: Rhys Smith <smith@cardiff.ac.uk>
In-Reply-To: <4D10F279.3030601@cisco.com>
Date: Thu, 10 Feb 2011 17:14:38 +0000
Message-Id: <7C46E6CD-6B40-446C-8F70-8FB588D9CE7D@cardiff.ac.uk>
References: <4D10F279.3030601@cisco.com>
To: abfab@ietf.org
Subject: Re: [abfab] draft-lear-abfab-arch-01 posted

On 21 Dec 2010, at 18:31, Eliot Lear wrote:

> Hi everyone,
>
> We give to you the holiday present of reading ;-)  The authors have updated The ABFAB Architecture Draft.  It contains a number of changes since -00:
> 	• A high level step by step description of the process.
> 	• A "swimming lane" diagram visually demonstrating that process.
> 	• A discussion about channel binding and appropriate EAP methods.
> 	• A discussion about discovery.

Think it's looking pretty good in general, and agree with general comments made so far.

One specific comment that I don't think anybody else has made yet - the document variously refers to:
* End Host
* Client App
* Application
* Subject
* Principal
* Entity

- sometimes meaning the same thing, sometimes different things.

Where the document is using the very specific meaning of one term (e.g. subject vs principal) that should probably be clarified somewhere (terminology section?) and where it isn't using the term with that specific meaning attached then the document should pick one and stick with it for consistency.

Best Regards,
R.
--
----------------------------------------------------------------------
Dr Rhys Smith                                   e: smith@cardiff.ac.uk
Engineering Consultant: Identity & Access Management  (GPG:0xDE2F024C)
Information Services,
Cardiff University,                            t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff,                     f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom.                      m: +44 (0) 7968 087 821
----------------------------------------------------------------------


From ietf@augustcellars.com  Thu Feb 10 16:26:01 2011
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Sam Hartman'" <hartmans@painless-security.com>, "'Josh Howlett'" <Josh.Howlett@ja.net>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com>	<55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu>
In-Reply-To: <tsl4o8c6pnh.fsf@mit.edu>
Date: Thu, 10 Feb 2011 16:45:51 -0800
Message-ID: <019001cbc985$08752780$195f7680$@augustcellars.com>
Cc: abfab@ietf.org
Subject: Re: [abfab] Session Naming on GSS-API

I apparently have a lack of understanding here.  I had the assumption that I
would be creating a single gss-api session to talk to the service provider
and all conversations would be occurring in this single context.  If they
are different contexts then I think that architecture document needs to make
this much clearer.

Jim


> -----Original Message-----
> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf Of
> Sam Hartman
> Sent: Thursday, February 10, 2011 4:27 AM
> To: Josh Howlett
> Cc: Jim Schaad; abfab@ietf.org
> Subject: Re: [abfab] Session Naming on GSS-API
> 
> Why wouldn't these two separate EAP sessions belong to separate gssapi
> context and thus separate initiator names?
> Also, Nico had been considering proposing adding a mechanism to add an
> issuer to a name attribute which may help here.
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From lukeh@padl.com  Thu Feb 10 16:56:27 2011
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <019001cbc985$08752780$195f7680$@augustcellars.com>
Date: Fri, 11 Feb 2011 11:56:30 +1100
Message-Id: <3E220C18-2D7F-497E-839E-2CDFA75D4A95@padl.com>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com>	<55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <019001cbc985$08752780$195f7680$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: 'Josh Howlett' <Josh.Howlett@ja.net>, abfab@ietf.org
Subject: Re: [abfab] Session Naming on GSS-API

On 11/02/2011, at 11:45 AM, Jim Schaad wrote:

> I apparently have a lack of understanding here.  I had the assumption that I
> would be creating a single gss-api session to talk to the service provider
> and all conversations would be occurring in this single context.  If they
> are different contexts then I think that architecture document needs to make
> this much clearer.

GSS-API has no concept, correct me if I'm wrong, of a session. Instead it has contexts, nothing is stopping you multiplexing multiple contexts over a single underlying session (DCE does this).

-- Luke

From lear@cisco.com  Fri Feb 11 02:55:49 2011
Message-ID: <4D5515AD.6010102@cisco.com>
Date: Fri, 11 Feb 2011 11:55:41 +0100
From: Eliot Lear <lear@cisco.com>
To: Rhys Smith <smith@cardiff.ac.uk>
References: <4D10F279.3030601@cisco.com> <7C46E6CD-6B40-446C-8F70-8FB588D9CE7D@cardiff.ac.uk>
In-Reply-To: <7C46E6CD-6B40-446C-8F70-8FB588D9CE7D@cardiff.ac.uk>
Cc: abfab@ietf.org
Subject: Re: [abfab] draft-lear-abfab-arch-01 posted

Dear Rhys,

Well spotted.  For the next round we hope to do a general terminology
cleanup (much of that is already done).

Thanks for your contribution,

Eliot

On 2/10/11 6:14 PM, Rhys Smith wrote:
>> Hi everyone,
>>
>> We give to you the holiday present of reading ;-)  The authors have updated The ABFAB Architecture Draft.  It contains a number of changes since -00:
>> 	• A high level step by step description of the process.
>> 	• A "swimming lane" diagram visually demonstrating that process.
>> 	• A discussion about channel binding and appropriate EAP methods.
>> 	• A discussion about discovery.
> Think it's looking pretty good in general, and agree with general comments made so far.
>
> One specific comment that I don't think anybody else has made yet - the document variously refers to:
> * End Host
> * Client App
> * Application
> * Subject
> * Principal
> * Entity
>
> - sometimes meaning the same thing, sometimes different things.
>
> Where the document is using the very specific meaning of one term (e.g. subject vs principal) that should probably be clarified somewhere (terminology section?) and where it isn't using the term with that specific meaning attached then the document should pick one and stick with it for consistency.
>
> Best Regards,
> R.
> --
> ----------------------------------------------------------------------
> Dr Rhys Smith                                   e: smith@cardiff.ac.uk
> Engineering Consultant: Identity & Access Management  (GPG:0xDE2F024C)
> Information Services,
> Cardiff University,                            t: +44 (0) 29 2087 0126
> 39-41 Park Place, Cardiff,                     f: +44 (0) 29 2087 4285
> CF10 3BB, United Kingdom.                      m: +44 (0) 7968 087 821
> ----------------------------------------------------------------------

From hartmans@painless-security.com  Fri Feb 11 03:04:34 2011
From: Sam Hartman <hartmans@painless-security.com>
To: Luke Howard <lukeh@padl.com>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <019001cbc985$08752780$195f7680$@augustcellars.com> <3E220C18-2D7F-497E-839E-2CDFA75D4A95@padl.com>
Date: Fri, 11 Feb 2011 06:04:36 -0500
In-Reply-To: <3E220C18-2D7F-497E-839E-2CDFA75D4A95@padl.com> (Luke Howard's message of "Fri, 11 Feb 2011 11:56:30 +1100")
Message-ID: <tslk4h63k8r.fsf@mit.edu>
Cc: 'Josh Howlett' <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, abfab@ietf.org
Subject: Re: [abfab] Session Naming on GSS-API

I'd expect a GSS context to involve exactly one EAP conversation for the
gss-eap mechanism.

From lukeh@padl.com  Fri Feb 11 04:16:51 2011
Return-Path: <lukeh@padl.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 807973A688C for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 04:16:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xlh4+ZRfn636 for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 04:16:50 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) by core3.amsl.com (Postfix) with ESMTP id BFFD83A6823 for <abfab@ietf.org>; Fri, 11 Feb 2011 04:16:50 -0800 (PST)
Received: by us.padl.com  with ESMTP id p1BCGp40015506; Fri, 11 Feb 2011 07:16:54 -0500
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <tslk4h63k8r.fsf@mit.edu>
Date: Fri, 11 Feb 2011 23:16:56 +1100
Content-Transfer-Encoding: 7bit
Message-Id: <BC40C71C-0C93-424F-8B32-08241AAFE940@padl.com>
References: <011d01cbc8b7$812cfa50$8386eef0$@augustcellars.com> <55DC663C2F4F9F439F23543E0078E8B30A8AEA@EXC001> <tsl4o8c6pnh.fsf@mit.edu> <019001cbc985$08752780$195f7680$@augustcellars.com> <3E220C18-2D7F-497E-839E-2CDFA75D4A95@padl.com> <tslk4h63k8r.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1082)
X-SMTP-Vilter-Version: 1.3.6
X-Spamd-Symbols: BAYES_00
X-SMTP-Vilter-Spam-Backend: spamd
X-Spam-Threshold: 5.0
X-Spam-Probability: -0.5
Cc: 'Josh Howlett' <Josh.Howlett@ja.net>, Jim Schaad <ietf@augustcellars.com>, abfab@ietf.org
Subject: Re: [abfab] Session Naming on GSS-API
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Feb 2011 12:16:51 -0000

On 11/02/2011, at 10:04 PM, Sam Hartman wrote:

> I'd expect a GSS context to involve exactly one EAP conversation for the
> gss-eap mechanism.

That is certainly what the Moonshot implementation does!

-- Luke

From klaas@wierenga.net  Fri Feb 11 00:48:11 2011
Return-Path: <klaas@wierenga.net>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B0AA23A6A43 for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 00:48:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eilmRBHupG8O for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 00:48:10 -0800 (PST)
Received: from out43-ams.mf.surf.net (out43-ams.mf.surf.net [145.0.1.43]) by core3.amsl.com (Postfix) with ESMTP id 6DF1F3A6921 for <abfab@ietf.org>; Fri, 11 Feb 2011 00:48:09 -0800 (PST)
Received: from teletubbie.het.net.je (teletubbie.het.net.je [192.87.110.29]) by outgoing2-ams.mf.surf.net (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p1B8mLaP022025; Fri, 11 Feb 2011 09:48:22 +0100
Received: from 128-107-239-233.cisco.com ([128.107.239.233] helo=macmini.wierenga.net) by teletubbie.het.net.je with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.73 (FreeBSD)) (envelope-from <klaas@wierenga.net>) id 1Pnofr-000DRk-G1; Fri, 11 Feb 2011 09:48:19 +0100
Message-ID: <4D54F7D2.4030806@wierenga.net>
Date: Fri, 11 Feb 2011 09:48:18 +0100
From: Klaas Wierenga <klaas@wierenga.net>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: "abfab@ietf.org" <abfab@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Antivirus: no malware found
X-Bayes-Prob: 0.0001 (Score 0, tokens from: @@RPTN)
X-CanIt-Geo: ip=192.87.110.29; country=NL; latitude=52.5000; longitude=5.7500; http://maps.google.com/maps?q=52.5000,5.7500&z=6
X-CanItPRO-Stream: p-out:default (inherits from p:default,base:default)
X-Canit-Stats-ID: 0vE6wMmgJ - 155395551b81 - 20110211 (trained as not-spam)
X-Scanned-By: CanIt (www . roaringpenguin . com) on 145.0.1.43
X-Mailman-Approved-At: Fri, 11 Feb 2011 04:42:15 -0800
Cc: abfab-chairs@tools.ietf.org
Subject: [abfab] Call for Agenda Items for IETF80
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Feb 2011 08:48:11 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

We would like to solicit agenda items for IETF80. At this point it is
still unclear whether we will have 1 or 2 sessions but we would like to
start building an agenda nevertheless (knowing that we'll have to adjust
should we have only 1 session).

If you have an agenda item, please send it to me and/or Leif.

Klaas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1U99IACgkQH2Wy/p4XeFJClACgu5FFDZLo+Z4+h348cnUMy5HI
UZEAoMer7gf9+PqDkXNFSMpMweE0fOeU
=WCIK
-----END PGP SIGNATURE-----

From smith@Cardiff.ac.uk  Fri Feb 11 09:01:35 2011
Return-Path: <smith@Cardiff.ac.uk>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F58D3A69D2 for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 09:01:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YQHtZpyEYYj7 for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 09:01:34 -0800 (PST)
Received: from smtpout1.cf.ac.uk (smtpout1.cf.ac.uk [131.251.137.125]) by core3.amsl.com (Postfix) with ESMTP id 15E733A6784 for <abfab@ietf.org>; Fri, 11 Feb 2011 09:01:32 -0800 (PST)
Received: from smtpauth.cf.ac.uk ([131.251.248.19]) by smtpout1.cf.ac.uk with esmtp (Exim 4.72) (envelope-from <smith@Cardiff.ac.uk>) id 1PnwNO-0002qS-Sj for abfab@ietf.org; Fri, 11 Feb 2011 17:01:46 +0000
Received: from [10.224.0.45] (helo=dangermouse.insrv.cf.ac.uk) by smtpauth.cf.ac.uk with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <scmros@smtpauth.cf.ac.uk>) id 1PnwNO-0007KC-S0 for abfab@ietf.org; Fri, 11 Feb 2011 17:01:46 +0000
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1082)
From: Rhys Smith <smith@cardiff.ac.uk>
In-Reply-To: <4D540C79.3030307@sunet.se>
Date: Fri, 11 Feb 2011 17:01:46 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <5DA7DE69-BCE3-400C-A25A-B17109D74095@cardiff.ac.uk>
References: <4D4D67D3.8090101@mnt.se> <4D540B1F.4050200@ieca.com> <4D540C79.3030307@sunet.se>
To: abfab@ietf.org
X-Mailer: Apple Mail (2.1082)
Sender: smith@Cardiff.ac.uk
X-Virus-Scanned: Cardiff University Virus Scanner
X-Virus-Scanned: Cardiff University Virus Scanner
Subject: Re: [abfab] OID plan
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Feb 2011 17:01:35 -0000

On 10 Feb 2011, at 16:04, Leif Johansson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thank you Sean! Ideally I'd like a volunteer for maintaining the
> registration I-D by Prague.

Leif,

I can do this.

Will have a chat to you and/or Klaas next week at the TF-EMC2 meetings
if we get a chance.

Regards,
R.
--
----------------------------------------------------------------------
Dr Rhys Smith                                   e: smith@cardiff.ac.uk
Engineering Consultant: Identity & Access Management  (GPG:0xDE2F024C)
Information Services,
Cardiff University,                            t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff,                     f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom.                      m: +44 (0) 7968 087 821
----------------------------------------------------------------------


From leifj@sunet.se  Fri Feb 11 13:22:54 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 12E913A69CA for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 13:22:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yI1sLVCtRgBY for <abfab@core3.amsl.com>; Fri, 11 Feb 2011 13:22:53 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id B55773A699F for <abfab@ietf.org>; Fri, 11 Feb 2011 13:22:52 -0800 (PST)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1BLN4en003153 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Fri, 11 Feb 2011 22:23:07 +0100 (CET)
Message-ID: <4D55A8B7.4050501@sunet.se>
Date: Fri, 11 Feb 2011 22:23:03 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <4D4D67D3.8090101@mnt.se> <4D540B1F.4050200@ieca.com>	<4D540C79.3030307@sunet.se> <5DA7DE69-BCE3-400C-A25A-B17109D74095@cardiff.ac.uk>
In-Reply-To: <5DA7DE69-BCE3-400C-A25A-B17109D74095@cardiff.ac.uk>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] OID plan
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Feb 2011 21:22:54 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/11/2011 06:01 PM, Rhys Smith wrote:
> On 10 Feb 2011, at 16:04, Leif Johansson wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Thank you Sean! Ideally I'd like a volunteer for maintaining the
>> registration I-D by Prague.
> 
> Leif,
> 
> I can do this. 
> 
> Will have a chat to you and/or Klaas next week at the TF-EMC2 meetings if we get a chance.

Thank you very much for volunteering Rhys!

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1VqLcACgkQ8Jx8FtbMZncLjACfW6LOAlgjTemp7O3TVESYC2zK
jRQAoJZtF2XKuBW2J5vSc1HQ6cslCzcQ
=LNNd
-----END PGP SIGNATURE-----

From hartmans@painless-security.com  Tue Feb 15 12:02:58 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D89073A6D92 for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 12:02:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ytYLIN1mK7Xg for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 12:02:58 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 649F23A6D10 for <abfab@ietf.org>; Tue, 15 Feb 2011 12:02:55 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id A6FD32011F for <abfab@ietf.org>; Tue, 15 Feb 2011 15:01:01 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id CA43D4307; Tue, 15 Feb 2011 15:02:58 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Tue, 15 Feb 2011 15:02:58 -0500
Message-ID: <tslpqqtt6a5.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [abfab] GSS: what gets indicated in channel binding response
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 20:02:59 -0000

You probably haven't read section 5.3 of draft-ietf-emu-chbind-07.
Please do before reading this message.

The initiator will send EAP channel binding data to the EAP server
including what it knows of the acceptor name.  Typically this will be
the service and hostname.
Often the initiator will not know the realm name.

The EAP server needs to indicate back to the acceptor what attributes
were used in channel binding with a successful response.
Typically the EAP server won't be able to verify the hostname.
Instead,  a proxy near the acceptor will verify the host name and assert
a realm and the EAP server will verify the realm.

So, what should the EAP server return? It seems fairly obvious that it
should include the  service name if that was verified.

One argument is that it should include the host name even though it is
not directly verified.  The rationale here is that the system as a whole
has verified the host name.

The server could include the realm. The rationale is that  is what is
actually verified.

The server could include both.


I think my preference is that the server include the host name and not
the realm.
Including the realm seems a bit problematic because we may have some
different structure in the future and the host name verification may not
mirror the realm.
So, codifying in our spec that sometimes clients learn that a hostname
is verified via the realm seems problematic.

I don't like the option of including both the hostname and the realm.
It seems non-ideal to include attributes in the response that the client
did not include both for bandwidth and complexity reasons.

What do others think?

From hartmans@painless-security.com  Tue Feb 15 12:18:42 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 68CDD3A6D72 for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 12:18:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sy1sZDm5zwBk for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 12:18:41 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id AAB683A6AB1 for <abfab@ietf.org>; Tue, 15 Feb 2011 12:18:41 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 548722021E for <abfab@ietf.org>; Tue, 15 Feb 2011 15:16:52 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 964CE4307; Tue, 15 Feb 2011 15:18:50 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
References: <tslpqqtt6a5.fsf@mit.edu>
Date: Tue, 15 Feb 2011 15:18:50 -0500
In-Reply-To: <tslpqqtt6a5.fsf@mit.edu> (Sam Hartman's message of "Tue, 15 Feb 2011 15:02:58 -0500")
Message-ID: <tslhbc5t5jp.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: [abfab] GSS: what gets indicated in channel binding response
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 20:18:42 -0000

>>>>> "Sam" == Sam Hartman <hartmans@painless-security.com> writes:

    Sam> You probably haven't read section 5.3 of
    Sam> draft-ietf-emu-chbind-07.  Please do before reading this
    Sam> message.

    Sam> The initiator will send EAP channel binding data to the EAP
    Sam> server including what it knows of the acceptor name.  Typically
    Sam> this will be the service and hostname.  Often the initiator
    Sam> will not know the realm name.

    Sam> The EAP server needs to indicate back to the acceptor what
    Sam> attributes were used in channel binding with a successful
    Sam> response.  
Sorry, back to the initiator.

    Sam> Typically the EAP server won't be able to verify the
    Sam> hostname.  Instead, a proxy near the acceptor will verify the
    Sam> host name and assert a realm and the EAP server will verify the
    Sam> realm.

From hartmans@painless-security.com  Tue Feb 15 12:40:55 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F236F3A6DB2 for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 12:40:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.965
X-Spam-Level: 
X-Spam-Status: No, score=-1.965 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LeJyTD5vFuJJ for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 12:40:54 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 34B0E3A6D9F for <abfab@ietf.org>; Tue, 15 Feb 2011 12:40:54 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id A04E42021E for <abfab@ietf.org>; Tue, 15 Feb 2011 15:39:04 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id DCD234307; Tue, 15 Feb 2011 15:41:02 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Tue, 15 Feb 2011 15:41:02 -0500
Message-ID: <tslaahxt4ip.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [abfab] How does the EAP server know proxies did their thing?
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 20:40:55 -0000

ABFAB depends on proxies doing certain things.  For example we depend on
a proxy near the acceptor 
verifying the hostname of the acceptor.

How does the EAP server know whether that has happened?


This message is not about malicious actors: safety pup says don't stick
malicious parties in your trust path. We'll be discussing trust a lot in
the architecture document and in some presentations we hope to give in
Prague.


However even when you discard malice, there are a lot of ways things can
go wrong. A proxy might not be upgraded to support ABFAB-specific
processing. Configuration might be set incorrectly. A proxy might not
have some data source it needs.


I think it would be desirable to have some way to do this.

I'm sort of imagining an attribute that the proxy includes indicating it
has performed some check and the policy applied to perform that check.
I'm not entirely sure what level of granularity is required.
I'm wondering if there are participants who would be interested in
working through details of this?

--Sam

From leifj@sunet.se  Tue Feb 15 14:07:03 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 34B453A6AB9 for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 14:07:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RkdizQ++U2km for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 14:07:02 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 96E973A6DA9 for <abfab@ietf.org>; Tue, 15 Feb 2011 14:07:01 -0800 (PST)
Received: from [10.216.8.27] (93-158-28-201.subs.ibrowse.com [93.158.28.201]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1FM7MjN010699 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Tue, 15 Feb 2011 23:07:26 +0100 (CET)
Message-ID: <4D5AF91A.5050608@sunet.se>
Date: Tue, 15 Feb 2011 23:07:22 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslaahxt4ip.fsf@mit.edu>
In-Reply-To: <tslaahxt4ip.fsf@mit.edu>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] How does the EAP server know proxies did their thing?
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 22:07:03 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Not speaking as a chair...

> I'm sort of imagining an attribute that the proxy includes indicating it
> has performed some check and the policy applied to perform that check.
> I'm not entirely sure what level of granularity is required.
> I'm wondering if there are participants who would be interested in
> working through details of this?

I'm thinking about the channel-binding-cookie we built into my old
negotiate-ng draft to say that an http proxy knew about the CB token.
Perhaps a similar model might work... At least your description of
the problem sounds similar to the problems we were trying to solve
back then.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1a+RoACgkQ8Jx8FtbMZnelAwCfWvNvb36kuxbYOzTaOpgOsnNc
700AniO54+h2EX7hyVJMUXBDMuIC3nTh
=eLKR
-----END PGP SIGNATURE-----

From hartmans@painless-security.com  Tue Feb 15 15:47:18 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6120E3A6C37 for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 15:47:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.228
X-Spam-Level: 
X-Spam-Status: No, score=-2.228 tagged_above=-999 required=5 tests=[AWL=0.038,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmBpxWQ1xdCV for <abfab@core3.amsl.com>; Tue, 15 Feb 2011 15:47:17 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 216903A6C13 for <abfab@ietf.org>; Tue, 15 Feb 2011 15:47:16 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id BB75520167; Tue, 15 Feb 2011 18:45:23 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 331D64307; Tue, 15 Feb 2011 18:47:21 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@sunet.se>
References: <tslaahxt4ip.fsf@mit.edu> <4D5AF91A.5050608@sunet.se>
Date: Tue, 15 Feb 2011 18:47:21 -0500
In-Reply-To: <4D5AF91A.5050608@sunet.se> (Leif Johansson's message of "Tue, 15 Feb 2011 23:07:22 +0100")
Message-ID: <tslfwrosvw6.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: abfab@ietf.org
Subject: Re: [abfab] How does the EAP server know proxies did their thing?
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 23:47:18 -0000

>>>>> "Leif" == Leif Johansson <leifj@sunet.se> writes:

    Leif> Not speaking as a chair...

    >> I'm sort of imagining an attribute that the proxy includes
    >> indicating it has performed some check and the policy applied to
    >> perform that check.  I'm not entirely sure what level of
    >> granularity is required.  I'm wondering if there are participants
    >> who would be interested in working through details of this?

    Leif> I'm thinking about the channel-binding-cookie we built into my
    Leif> old negotiate-ng draft to say that an http proxy knew about
    Leif> the CB token.  Perhaps a similar model might work... At least
    Leif> your description of the problem sounds similar to the problems
    Leif> we were trying to solve back then.

I think so.
There's not actually any need to do anything cryptographic.
But yes, a cookie jar of proxy processing steps is what we're looking
for here, I think.
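
Added example, not part of the original thread or of any ABFAB draft: a toy Python model of the two ideas discussed above, in which proxies append records of the checks they performed and the EAP server uses those records to decide which channel binding attributes it can indicate back to the initiator. The record fields, the check label, the realm trust set and all sample names are assumptions made for illustration.

```python
"""Toy model of proxy processing-step records; every name is hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical label for "a proxy near the acceptor verified the hostname".
HOSTNAME_CHECK = "acceptor-hostname"


@dataclass(frozen=True)
class ProxyStep:
    """One entry in the 'cookie jar': who checked what, under which policy."""
    proxy: str
    check: str
    policy: str
    asserted_realm: Optional[str] = None


@dataclass
class AAARequest:
    """What reaches the EAP server: the acceptor's claims plus proxy records."""
    acceptor_service: str
    acceptor_hostname: str
    steps: List[ProxyStep] = field(default_factory=list)


def _same_host(a: str, b: str) -> bool:
    # Hostnames compare case-insensitively; ignore a trailing root dot.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def hostname_backing(request: AAARequest,
                     trusted_realms: Set[str]) -> Optional[ProxyStep]:
    """Return the proxy record that backs the hostname, if there is one.

    The EAP server cannot verify the hostname itself. It accepts the
    hostname only when a proxy recorded the check and asserted a realm
    that the EAP server is able to verify (modelled here as set membership).
    """
    for step in request.steps:
        if step.check == HOSTNAME_CHECK and step.asserted_realm in trusted_realms:
            return step
    return None


def channel_binding_response(initiator_attrs: Dict[str, str],
                             request: AAARequest,
                             trusted_realms: Set[str]
                             ) -> Tuple[Dict[str, str], List[str]]:
    """Decide which initiator-supplied attributes to report as verified.

    Follows the preference stated in the thread: report the hostname, use
    the realm only internally, and never return an attribute the initiator
    did not send.
    """
    verified: Dict[str, str] = {}
    notes: List[str] = []

    service = initiator_attrs.get("service")
    if service is not None:
        if service == request.acceptor_service:
            verified["service"] = service
        else:
            notes.append("service does not match the acceptor's claim")

    hostname = initiator_attrs.get("hostname")
    if hostname is not None:
        step = hostname_backing(request, trusted_realms)
        if not _same_host(hostname, request.acceptor_hostname):
            notes.append("hostname does not match the acceptor's claim")
        elif step is None:
            # Covers the non-malicious failures listed in the thread: a proxy
            # that was never upgraded, misconfiguration, missing data source.
            notes.append("no trusted proxy recorded a hostname check")
        else:
            verified["hostname"] = hostname
            notes.append(f"hostname backed by {step.proxy} ({step.policy})")

    return verified, notes


if __name__ == "__main__":
    # Constructed sample data.
    initiator = {"service": "imap", "hostname": "mail.rp.example"}
    upgraded = AAARequest("imap", "mail.rp.example", [
        ProxyStep("proxy1.rp.example", HOSTNAME_CHECK,
                  "local-host-registry", "rp.example")])
    legacy = AAARequest("imap", "mail.rp.example")  # proxy added no records
    for name, req in (("upgraded", upgraded), ("legacy", legacy)):
        print(name, channel_binding_response(initiator, req, {"rp.example"}))
```
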

From hartmans@painless-security.com  Wed Feb 16 07:51:17 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D31B83A6DDA for <abfab@core3.amsl.com>; Wed, 16 Feb 2011 07:51:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.232
X-Spam-Level: 
X-Spam-Status: No, score=-2.232 tagged_above=-999 required=5 tests=[AWL=0.033,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AdQJrNzTfGkP for <abfab@core3.amsl.com>; Wed, 16 Feb 2011 07:51:16 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 9833B3A6CC7 for <abfab@ietf.org>; Wed, 16 Feb 2011 07:51:16 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 0FA18202FB for <abfab@ietf.org>; Wed, 16 Feb 2011 10:49:28 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id CFB734307; Wed, 16 Feb 2011 10:51:24 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Wed, 16 Feb 2011 10:51:24 -0500
Message-ID: <tsl1v38q8oz.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [abfab] AAA trust establishment
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 15:51:18 -0000

I've been thinking about the mail I sent yesterday as well as some
discussions within the architecture team. I've also been thinking about
Josh's proposed requirement that we specify enough detail about
technical trust establishment to get better interoperability than SAML.

We've been talking about the importance of proxy behavior throughout the
process.  Some of that will be local. For example how a proxy near the
RP knows that a particular machine is allowed to claim a hostname is a
local matter.

However, there are significant elements that have real protocol impacts
if we're going to have interoperability.

First, all of this proxy behavior is inherently optional: today's
proxies don't do it.  So, as I discussed yesterday we need mechanisms
for knowing what proxies have done and what they have not done.

Second, when things are decomposed like the host check living in an
organization and the realm check living closer to an IDP, then we need
to explain how those checks fit together to meet our security
guarantees.  Also, it is quite obvious that intermediates have important
roles to play. The value that federations bring to the ecosystem is
managing and negotiating policies and agreements.  Some of that feeds
into protocol requirements for exchanging what policies are in play, and
for allowing the federation to filter (or provide filters) on the
behavior of actors.

Also, as Josh and I hope to explain in Prague, we believe that a new
technical trust mechanism is required for some common ABFAB deployments.

All this together suggests to me that we have a lot to think about in
terms of the AAA fabric that makes these federations possible. There's a
lot of discussion starting to filter into the architecture document.
However, I'm now convinced that it goes beyond that.
Protocol elements are required. 

I'm not ready with specific proposals at the moment.  What I do think is
important is creating some high-bandwidth discussions of the issue to
get more than just Josh and I into the right mental space.

This is a heads up that I'd like to have these sorts of discussions and
a call for interest.

--Sam

From Josh.Howlett@ja.net  Wed Feb 16 08:20:31 2011
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0B813A6D0D for <abfab@core3.amsl.com>; Wed, 16 Feb 2011 08:20:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id up9XHlSpJasn for <abfab@core3.amsl.com>; Wed, 16 Feb 2011 08:20:26 -0800 (PST)
Received: from egw001.ukerna.ac.uk (egw001.ukerna.ac.uk [194.82.140.74]) by core3.amsl.com (Postfix) with ESMTP id B7AB33A6AB2 for <abfab@ietf.org>; Wed, 16 Feb 2011 08:20:26 -0800 (PST)
Received: from egw001.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 76C271A9AFB1_D5BF965B; Wed, 16 Feb 2011 16:20:53 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw001.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 6B1021A9AFAA_D5BF965F; Wed, 16 Feb 2011 16:20:53 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.01.0218.012; Wed, 16 Feb 2011 16:21:15 +0000
From: Josh Howlett <Josh.Howlett@ja.net>
To: Sam Hartman <hartmans@painless-security.com>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] AAA trust establishment
Thread-Index: AQHLzfGDPwMMn+pPhECObgi/Jd/YnJQESBkg
Date: Wed, 16 Feb 2011 16:21:14 +0000
Message-ID: <55DC663C2F4F9F439F23543E0078E8B30B14A4@EXC001>
References: <tsl1v38q8oz.fsf@mit.edu>
In-Reply-To: <tsl1v38q8oz.fsf@mit.edu>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Josh Howlett <Josh.Howlett@ja.net>
Subject: Re: [abfab] AAA trust establishment
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 16:20:31 -0000

> I've been thinking about the mail I sent yesterday as well as some
> discussions within the architecture team. I've also been thinking about
> Josh's proposed requirement that we specify enough detail about
> technical trust establishment to get better interoperability than SAML.

(Better interoperability than in the early days of SAML, at least. There
has been substantial progress in standardising technical trust
establishment more recently, i.e. the Metadata Interoperability Profile.)

The proposition that fell out from the architecture document discussions
was that specifying protocol interactions is a necessary but insufficient
condition for ABFAB to be generally useful. For large-scale deployment, we
need plug-and-play interoperability at the level of trust establishment.
Sam has suggested that we need a document to capture the use of AAA trust
establishment mechanisms within ABFAB, and I agree.

Josh.


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG


From Internet-Drafts@ietf.org  Thu Feb 17 11:45:04 2011
Return-Path: <Internet-Drafts@ietf.org>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6597F3A6D3D; Thu, 17 Feb 2011 11:45:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.516
X-Spam-Level: 
X-Spam-Status: No, score=-102.516 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pb2+bYkCOEl5; Thu, 17 Feb 2011 11:45:02 -0800 (PST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B15033A6D26; Thu, 17 Feb 2011 11:45:01 -0800 (PST)
MIME-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.12
Message-ID: <20110217194501.21268.85329.idtracker@localhost>
Date: Thu, 17 Feb 2011 11:45:01 -0800
Cc: abfab@ietf.org
Subject: [abfab] I-D Action:draft-ietf-abfab-gss-eap-01.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2011 19:45:04 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.


	Title           : A GSS-API Mechanism for the Extensible Authentication Protocol
	Author(s)       : S. Hartman, J. Howlett
	Filename        : draft-ietf-abfab-gss-eap-01.txt
	Pages           : 22
	Date            : 2011-02-17

This document defines protocols, procedures, and conventions to be
employed by peers implementing the Generic Security Service
Application Program Interface (GSS-API) when using the EAP mechanism.
Through the GS2 family of mechanisms, these protocols also define how
Simple Authentication and Security Layer (SASL, RFC 4422)
applications use the Extensible Authentication Protocol.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-abfab-gss-eap-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body; name="draft-ietf-abfab-gss-eap-01.txt";
	site="ftp.ietf.org"; access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2011-02-17114011.I-D@ietf.org>


--NextPart--

From hartmans@painless-security.com  Thu Feb 17 12:23:38 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2B44E3A6D66 for <abfab@core3.amsl.com>; Thu, 17 Feb 2011 12:23:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.235
X-Spam-Level: 
X-Spam-Status: No, score=-2.235 tagged_above=-999 required=5 tests=[AWL=0.030,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKYlMaIiUF6Z for <abfab@core3.amsl.com>; Thu, 17 Feb 2011 12:23:37 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 38D3C3A6ABD for <abfab@ietf.org>; Thu, 17 Feb 2011 12:23:37 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 8504D20271 for <abfab@ietf.org>; Thu, 17 Feb 2011 15:21:48 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 24DEE4307; Thu, 17 Feb 2011 15:23:44 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
References: <20110217194501.21268.85329.idtracker@localhost>
Date: Thu, 17 Feb 2011 15:23:44 -0500
In-Reply-To: <20110217194501.21268.85329.idtracker@localhost> (Internet-Drafts@ietf.org's message of "Thu, 17 Feb 2011 11:45:01 -0800")
Message-ID: <tsld3mqo1f3.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: [abfab] I-D Action:draft-ietf-abfab-gss-eap-01.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2011 20:23:38 -0000

This version includes significantly more description of the naming text.
I believe that description is consistent with our discussions at IETF
79.

This version also includes significantly more discussion of mutual
authentication and channel binding behavior.

I did not fold in changes to context tokens based on what Luke actually
implemented.  List discussions around server name indication and null
target names suggest we'll be changing that again shortly.  Also, I'd
like to check a couple of details once I get access to the
implementation.

This does not include the OIDs as I expect them to change when we change
how we handle context tokens.

Comments welcome.

--Sam

From aland@deployingradius.com  Fri Feb 18 00:30:03 2011
Return-Path: <aland@deployingradius.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A62D73A6D46 for <abfab@core3.amsl.com>; Fri, 18 Feb 2011 00:30:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEuiS+9tViMN for <abfab@core3.amsl.com>; Fri, 18 Feb 2011 00:30:02 -0800 (PST)
Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by core3.amsl.com (Postfix) with ESMTP id D32863A6A86 for <abfab@ietf.org>; Fri, 18 Feb 2011 00:30:01 -0800 (PST)
Message-ID: <4D5E2E28.7010406@deployingradius.com>
Date: Fri, 18 Feb 2011 09:30:32 +0100
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <tslaahxt4ip.fsf@mit.edu>
In-Reply-To: <tslaahxt4ip.fsf@mit.edu>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: abfab@ietf.org
Subject: Re: [abfab] How does the EAP server know proxies did their thing?
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Feb 2011 08:30:04 -0000

Sam Hartman wrote:
> ABFAB depends on proxies doing certain things.  For example we depend on
> a proxy near the acceptor verifying the hostname of the acceptor.
> 
> How does the EAP server know whether that has happened?

  It doesn't.

> I'm sort of imagining an attribute that the proxy includes indicating it
> has performed some check and the policy applied to perform that check.
> I'm not entirely sure what level of granularity is required.
> I'm wondering if there are participants who would be interested in
> working through details of this?

  I think it would be useful.  Sharing information is a good idea.

  For simplicity, it would probably be best if there was no negotiation.
 i.e. the proxy just says "I did this".

  Any negotiation about which checks need to be done is probably an
issue for contracts, lawyers, etc.

  Alan DeKok.
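
A sketch of the no-negotiation model discussed in this thread, added here as an illustration and not code from any participant or from an ABFAB draft: each proxy appends a statement of the checks it performed and the policy it applied, and the EAP server compares that list against what it requires. The attribute layout, check names, proxy names and policy identifiers are all hypothetical.

```python
from dataclasses import dataclass


# Hypothetical model: none of these names come from the thread or a draft.
@dataclass(frozen=True)
class Assertion:
    proxy: str   # identifier of the proxy making the statement
    check: str   # what it checked, e.g. "acceptor-hostname"
    policy: str  # policy it applied when performing the check


def forward(assertions, proxy, performed):
    """Proxy side: append one statement per check performed, no negotiation.

    `performed` maps check name -> policy identifier. A legacy proxy passes
    an empty dict, so the list goes through unchanged.
    """
    added = [Assertion(proxy, c, p) for c, p in sorted(performed.items())]
    return list(assertions) + added


def evaluate(assertions, required):
    """EAP-server side: return (ok, missing, unacceptable).

    `required` maps check name -> set of policy identifiers the server
    accepts. A check that nobody asserted counts as not done, which is the
    case for every proxy deployed today.
    """
    seen = {}
    for a in assertions:
        seen.setdefault(a.check, set()).add(a.policy)
    missing = sorted(c for c in required if c not in seen)
    unacceptable = sorted(
        c for c in required if c in seen and not (seen[c] & required[c])
    )
    return (not missing and not unacceptable, missing, unacceptable)


# Constructed sample policy: the host check is done near the RP, the realm
# check closer to the IdP, as described in the thread.
REQUIRED = {
    "acceptor-hostname": {"org-inventory-v1"},
    "realm": {"federation-a"},
}


def sample_paths():
    """Three constructed proxy paths and the server's decision for each."""
    realm = {"realm": "federation-a"}
    compliant = forward(
        forward([], "rp-proxy", {"acceptor-hostname": "org-inventory-v1"}),
        "fed-proxy", realm)
    legacy = forward(forward([], "legacy-proxy", {}), "fed-proxy", realm)
    weak = forward(
        forward([], "rp-proxy", {"acceptor-hostname": "self-declared"}),
        "fed-proxy", realm)
    return {
        "compliant": evaluate(compliant, REQUIRED),
        "legacy": evaluate(legacy, REQUIRED),
        "weak-policy": evaluate(weak, REQUIRED),
    }


if __name__ == "__main__":
    for name, result in sample_paths().items():
        print(name, result)
```

Nothing in the list is cryptographically protected, so in this model it is only as trustworthy as the hop-by-hop AAA path that carried it: any proxy on the path could add or strip entries.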

From leifj@sunet.se  Thu Feb 24 23:59:22 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE97B3A681D for <abfab@core3.amsl.com>; Thu, 24 Feb 2011 23:59:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k+ypOjGE4cuJ for <abfab@core3.amsl.com>; Thu, 24 Feb 2011 23:59:21 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 4CE963A6828 for <abfab@ietf.org>; Thu, 24 Feb 2011 23:59:20 -0800 (PST)
Received: from [192.36.125.230] (dhcp.pilsnet.sunet.se [192.36.125.230]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1P804Jd000637 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 25 Feb 2011 09:00:07 +0100 (CET)
Message-ID: <4D676184.10405@sunet.se>
Date: Fri, 25 Feb 2011 09:00:04 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: "abfab@ietf.org" <abfab@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [abfab] only one abfab session
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 07:59:23 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Unfortunately it looks like our request for a second abfab session
wasn't honored. Klaas and me have been prepping an agenda based on
two sessions so  we'll have to trim down a bit... stay tuned!

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1nYX4ACgkQ8Jx8FtbMZnd3PwCeJKFx5ijEntCkIw685NaTzoR/
t3YAn2JLu7wKYDE/CgjHywXS2UFv5sc/
=Tywn
-----END PGP SIGNATURE-----

From klaas@cisco.com  Fri Feb 25 00:44:50 2011
Return-Path: <klaas@cisco.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 379663A693B for <abfab@core3.amsl.com>; Fri, 25 Feb 2011 00:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SITd54LMPm+B for <abfab@core3.amsl.com>; Fri, 25 Feb 2011 00:44:49 -0800 (PST)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 531D13A692F for <abfab@ietf.org>; Fri, 25 Feb 2011 00:44:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=klaas@cisco.com; l=635; q=dns/txt; s=iport; t=1298623541; x=1299833141; h=message-id:date:from:mime-version:to:subject:references: in-reply-to:content-transfer-encoding; bh=xH08oJCdbYrNn09LLZHIB+eE1XcHZxECzGwFFwcZhTQ=; b=lEpI/U1YdKGG15ibSafPmvSphf+M37DIFNN68elnEUVTZLrJvFCYTzaJ dqCR5W+sZ+5JSRQL5wwQ0duC4tF7oms5ocNrKTm2Is0HTGlau9l01Dmln H6CjFYe6a1hO4U0IyA7a4ivxrg1QmJYkBdptojRCRYk/tlpX90UkfyDR1 E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsFAGP6Zk2rR7H+/2dsb2JhbACYKI4TdKE+m2mFYASMHQ
X-IronPort-AV: E=Sophos;i="4.62,224,1297036800"; d="scan'208";a="315068387"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-2.cisco.com with ESMTP; 25 Feb 2011 08:45:41 +0000
Received: from macmini.wierenga.net (sjc-vpnasa-327.cisco.com [10.21.105.73]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id p1P8jdTe021899 for <abfab@ietf.org>; Fri, 25 Feb 2011 08:45:40 GMT
Message-ID: <4D676C32.9040203@cisco.com>
Date: Fri, 25 Feb 2011 09:45:38 +0100
From: Klaas Wierenga <klaas@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <4D676184.10405@sunet.se>
In-Reply-To: <4D676184.10405@sunet.se>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] only one abfab session
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 08:44:50 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/25/11 9:00 AM, Leif Johansson wrote:
> 
> Unfortunately it looks like our request for a second abfab session
> wasn't honored. Klaas and me have been prepping an agenda based on
> two sessions so  we'll have to trim down a bit... stay tuned!

I guess we'll have to plan for an interim....

Klaas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1nbDIACgkQH2Wy/p4XeFJOjwCgkuJVokmIkymT9+i7KDAqFj5f
anwAn0A+1Drj+kcXZDGbJS8Npctoz03+
=FjPE
-----END PGP SIGNATURE-----

From leifj@sunet.se  Fri Feb 25 01:03:06 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 27B003A681C for <abfab@core3.amsl.com>; Fri, 25 Feb 2011 01:03:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CfNzFztddrE9 for <abfab@core3.amsl.com>; Fri, 25 Feb 2011 01:03:05 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 0923B3A692E for <abfab@ietf.org>; Fri, 25 Feb 2011 01:03:04 -0800 (PST)
Received: from [192.36.125.230] (dhcp.pilsnet.sunet.se [192.36.125.230]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1P93qdR022386 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Fri, 25 Feb 2011 10:03:55 +0100 (CET)
Message-ID: <4D677078.3060801@sunet.se>
Date: Fri, 25 Feb 2011 10:03:52 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <4D676184.10405@sunet.se> <4D676C32.9040203@cisco.com>
In-Reply-To: <4D676C32.9040203@cisco.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] only one abfab session
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 09:03:06 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/25/2011 09:45 AM, Klaas Wierenga wrote:
> On 2/25/11 9:00 AM, Leif Johansson wrote:
> 
>> Unfortunately it looks like our request for a second abfab session
>> wasn't honored. Klaas and me have been prepping an agenda based on
>> two sessions so  we'll have to trim down a bit... stay tuned!
> 
> I guess we'll have to plan for an interim....

They seem to have lost my updated schedule request. I'm trying to
get scheduling to investigate.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1ncHgACgkQ8Jx8FtbMZneZxwCgrPf3TmvyuP9lQcVh0GOPTNxz
Er4AoJQ162/REDWL5zL17GFdLoB7nQMy
=WDkh
-----END PGP SIGNATURE-----

From Josh.Howlett@ja.net  Fri Feb 25 02:37:27 2011
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ADE303A685B; Fri, 25 Feb 2011 02:37:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.855
X-Spam-Level: 
X-Spam-Status: No, score=-101.855 tagged_above=-999 required=5 tests=[AWL=-0.744, BAYES_05=-1.11, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRuTjQr-0XvK; Fri, 25 Feb 2011 02:37:26 -0800 (PST)
Received: from har003676.ukerna.ac.uk (har003676.ukerna.ac.uk [194.82.140.75]) by core3.amsl.com (Postfix) with ESMTP id CF2863A67D4; Fri, 25 Feb 2011 02:37:25 -0800 (PST)
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 99F1E4A6B63_D678698B; Fri, 25 Feb 2011 10:38:16 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 816524A6B5A_D678698F; Fri, 25 Feb 2011 10:38:16 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.01.0218.012; Fri, 25 Feb 2011 10:38:35 +0000
From: Josh Howlett <Josh.Howlett@ja.net>
To: "moonshot-community@jiscmail.ac.uk" <moonshot-community@jiscmail.ac.uk>
Thread-Topic: Moonshot GSS EAP mechanism released and Cyrus GS2 mechanism relicensed
Thread-Index: AcvU2BCufwOoXtwUTM2cQcOVzwk4mA==
Date: Fri, 25 Feb 2011 10:38:34 +0000
Message-ID: <55DC663C2F4F9F439F23543E0078E8B30BAC0A@EXC001>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-cr-puzzleid: {37B736D1-4D0F-4F2D-8BEB-A281203F2665}
x-cr-hashedpuzzle: v4w= A7nf B4Ir CGKG DZt3 FHWA IraP NGUL OEMW PqP/ SGxo Wjvp ujkl 1PEr 5vEM /DIF; 6; YQBiAGYAYQBiAEAAaQBlAHQAZgAuAG8AcgBnADsAZQBtAHUAQABpAGUAdABmAC4AbwByAGcAOwBrAGkAdAB0AGUAbgBAAGkAZQB0AGYALgBvAHIAZwA7AG0AbwBiAGkAbABpAHQAeQBAAHQAZQByAGUAbgBhAC4AbwByAGcAOwBtAG8AbwBuAHMAaABvAHQALQBjAG8AbQBtAHUAbgBpAHQAeQBAAGoAaQBzAGMAbQBhAGkAbAAuAGEAYwAuAHUAawA7AHQAZgAtAGUAbQBjADIAQAB0AGUAcgBlAG4AYQAuAG8AcgBnAA==; Sosha1_v1; 7; {37B736D1-4D0F-4F2D-8BEB-A281203F2665}; agBvAHMAaAAuAGgAbwB3AGwAZQB0AHQAQABqAGEALgBuAGUAdAA=; Fri, 25 Feb 2011 10:37:56 GMT; TQBvAG8AbgBzAGgAbwB0ACAARwBTAFMAIABFAEEAUAAgAG0AZQBjAGgAYQBuAGkAcwBtACAAcgBlAGwAZQBhAHMAZQBkACAAYQBuAGQAIABDAHkAcgB1AHMAIABHAFMAMgAgAG0AZQBjAGgAYQBuAGkAcwBtACAAcgBlAGwAaQBjAGUAbgBzAGUAZAA=
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Josh Howlett <Josh.Howlett@ja.net>, TF-EMC2 <tf-emc2@terena.org>, "abfab@ietf.org" <abfab@ietf.org>, TF-Mobility + Network Middleware <mobility@terena.org>, "emu@ietf.org" <emu@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
Subject: [abfab] Moonshot GSS EAP mechanism released and Cyrus GS2 mechanism relicensed
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 10:37:27 -0000

(Apologies for cross-posting)

I am pleased to announce the release of the Moonshot GSS EAP mechanism
implementation under the BSD licence, and the relicensing of PADL
Software's Cyrus SASL GS2 implementation to the BSD licence. These
implement draft-ietf-abfab-gss-eap-00 and RFC5801 respectively.

These mechanisms enable the use of EAP authentication methods for
applications. SAML and RADIUS attributes may be exposed to applications
for authorisation purposes through GSS-API Naming Extensions. The
mechanism is also able to use EAP keying material exported by the EAP
method for message integrity and confidentiality between client and
server.

The source-code can be obtained from the Project Moonshot repository:

http://www.project-moonshot.org/gitweb

Many thanks to Luke Howard of PADL Software Pty for this excellent work.

Josh.





From Josh.Howlett@ja.net  Fri Feb 25 06:27:31 2011
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 275423A69CF for <abfab@core3.amsl.com>; Fri, 25 Feb 2011 06:27:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.413
X-Spam-Level: 
X-Spam-Status: No, score=-102.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwnboFRyW+hT for <abfab@core3.amsl.com>; Fri, 25 Feb 2011 06:27:29 -0800 (PST)
Received: from har003676.ukerna.ac.uk (har003676.ukerna.ac.uk [194.82.140.75]) by core3.amsl.com (Postfix) with ESMTP id C69C13A67EC for <abfab@ietf.org>; Fri, 25 Feb 2011 06:27:29 -0800 (PST)
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 2EDE54A6B4A_D67BC85B for <abfab@ietf.org>; Fri, 25 Feb 2011 14:28:21 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 1C97B4A6B47_D67BC85F for <abfab@ietf.org>; Fri, 25 Feb 2011 14:28:21 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.01.0218.012; Fri, 25 Feb 2011 14:28:43 +0000
From: Josh Howlett <Josh.Howlett@ja.net>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: Registration open - second Moonshot meeting
Thread-Index: AcvU9yNm8tdVr/XqSUyl++a3VTbfPwAAFC+g
Date: Fri, 25 Feb 2011 14:28:42 +0000
Message-ID: <55DC663C2F4F9F439F23543E0078E8B30BC25A@EXC001>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Josh Howlett <Josh.Howlett@ja.net>
Subject: [abfab] FW: Registration open - second Moonshot meeting
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 14:27:31 -0000

FYI - we'll be discussing our ABFAB implementation in Prague on the
Thursday and Friday (24-25 March) immediately preceding IETF80. This is
an open meeting on both days.

Josh.

> -----Original Message-----
> From: Josh Howlett
> Sent: Friday, February 25, 2011 2:20 PM
> To: 'moonshot-community@jiscmail.ac.uk'
> Cc: 'mobility@terena.org'; 'emc2@terena.org'; Josh Howlett
> Subject: Registration open - second Moonshot meeting
>
> I would be grateful if anyone planning to attend the second Moonshot
> meeting (24-25 March) could register here:
>
> This is an open meeting.
>
> http://www.terena.org/events/details.php?event_id=1995
>
> Many thanks, Josh.



From leifj@sunet.se  Mon Feb 28 11:39:28 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EB343A6A14 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 11:39:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7KT6+CqSxHp for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 11:39:27 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 008B43A6A0F for <abfab@ietf.org>; Mon, 28 Feb 2011 11:39:26 -0800 (PST)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1SJeOZ2006386 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Mon, 28 Feb 2011 20:40:27 +0100 (CET)
Message-ID: <4D6BFA27.2060400@sunet.se>
Date: Mon, 28 Feb 2011 20:40:23 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: "abfab@ietf.org" <abfab@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [abfab] Fwd: ABFAB - Requested sessions have been scheduled for IETF 80
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2011 19:39:28 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


OK so we got the scheduling kerfuffle sorted now. Klaas and me will be
back with a draft agenda shortly.

	cheers Leif

- -------- Original Message --------
Subject: ABFAB - Requested sessions have been scheduled for IETF 80
Date: Mon, 28 Feb 2011 11:19:47 -0800 (PST)
From: IETF Secretariat <agenda@ietf.org>
To: leifj@sunet.se
CC: kwiereng@cisco.com, stephen.farrell@cs.tcd.ie, turners@ieca.com,
    tim.polk@nist.gov, session-request@ietf.org

Dear Leif Johansson,

The sessions that you have requested have been scheduled.
Below is the scheduled session information followed by
the information of sessions that you have requested.

ABFAB Session 1 (2.5 hours)
Thursday, Morning Session I 0900-1130
Room Name: Karlin I
- ----------------------------------------------
ABFAB Session 2 (1 hour)
Friday, Afternoon Session I 1300-1400
Room Name: Roma
- ----------------------------------------------



Requested Information:


- ---------------------------------------------------------
Working Group Name: abfab
Area Name: Security Area
Session Requester: Leif Johansson

Number of Sessions: 2
Length of Session(s):  2.5 hours
                       1 hour

Number of Attendees: 60
Conflicts to Avoid:
  First Priority: xmpp, radext, karp, sidr, oauth, dnsext, lisp,
6lowpan, httpbis, websec, dane, kitten, krb-wg

Special Requests:
  Security Area WGs
- ---------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1r+icACgkQ8Jx8FtbMZnfMMwCfU/Pyw51jcfxFG1kv8tzy+hTJ
2j4AnjGnk7mZHFEYCwiR1R4iKEAku5q9
=UrN0
-----END PGP SIGNATURE-----

From hartmans@painless-security.com  Mon Feb 28 12:19:25 2011
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 14E153A6C71 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 12:19:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.238
X-Spam-Level: 
X-Spam-Status: No, score=-2.238 tagged_above=-999 required=5 tests=[AWL=0.027,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kt45WbvrcVV0 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 12:19:24 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 61E4C3A6C6C for <abfab@ietf.org>; Mon, 28 Feb 2011 12:19:23 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id A30A120239; Mon, 28 Feb 2011 15:17:52 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 350AC4307; Mon, 28 Feb 2011 15:20:18 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@sunet.se>
References: <4D6BFA27.2060400@sunet.se>
Date: Mon, 28 Feb 2011 15:20:18 -0500
In-Reply-To: <4D6BFA27.2060400@sunet.se> (Leif Johansson's message of "Mon, 28 Feb 2011 20:40:23 +0100")
Message-ID: <tslvd03c3nh.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Fwd: ABFAB - Requested sessions have been scheduled for IETF 80
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2011 20:19:25 -0000

Is kitten still in Friday 1300-1400?  If so, I think the abfab-kitten
conflict is going to be fairly painful.

From leifj@mnt.se  Mon Feb 28 13:49:03 2011
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D6333A68B1 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 13:49:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fhc3biOBUuv0 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 13:49:02 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id BDA7D3A6CB0 for <abfab@ietf.org>; Mon, 28 Feb 2011 13:49:01 -0800 (PST)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1SLnwiG027741 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Mon, 28 Feb 2011 22:50:01 +0100 (CET)
Message-ID: <4D6C1886.6060103@mnt.se>
Date: Mon, 28 Feb 2011 22:49:58 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <4D6BFA27.2060400@sunet.se> <tslvd03c3nh.fsf@mit.edu>
In-Reply-To: <tslvd03c3nh.fsf@mit.edu>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] Fwd: ABFAB - Requested sessions have been scheduled for IETF 80
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2011 21:49:03 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2011 09:20 PM, Sam Hartman wrote:
> Is kitten still in Friday 1300-1400?  If so, I think the abfab-kitten
> conflict is going to be fairly painful.

Crap. You're right.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1sGIAACgkQ8Jx8FtbMZndaXACgkopyo7+tVAYD+7yR49iMgfL1
E6MAnAkIh/gRCKDeCwCOV/XY28SnDwd9
=/0Rf
-----END PGP SIGNATURE-----

From leifj@sunet.se  Mon Feb 28 13:57:08 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 51C4D3A6A21 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 13:57:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.524
X-Spam-Level: 
X-Spam-Status: No, score=-2.524 tagged_above=-999 required=5 tests=[AWL=0.075,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7Q+qVCIHlGf for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 13:57:07 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 2A9B33A6A1E for <abfab@ietf.org>; Mon, 28 Feb 2011 13:57:06 -0800 (PST)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p1SLw4IK022808 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Feb 2011 22:58:07 +0100 (CET)
Message-ID: <4D6C1A6B.9080706@sunet.se>
Date: Mon, 28 Feb 2011 22:58:03 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <4D6BFA27.2060400@sunet.se> <tslvd03c3nh.fsf@mit.edu>
In-Reply-To: <tslvd03c3nh.fsf@mit.edu>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Fwd: ABFAB - Requested sessions have been scheduled for IETF 80
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2011 21:57:08 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2011 09:20 PM, Sam Hartman wrote:
> Is kitten still in Friday 1300-1400?  If so, I think the abfab-kitten
> conflict is going to be fairly painful.

I've sent a message to the secretariat about the conflict. Let's see what
they come up with.

For the record we did ask for two sessions but there seems to be some
problem with the scheduling tool that resulted in this confusion.

Clearly we're not done yet :-(
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1sGmsACgkQ8Jx8FtbMZnfLfgCeKIdQizScJD/oQI7cY29QAN+Q
NC4AniRvqyB14rWX4Bwu8yUoHq/Q4/XL
=5L5x
-----END PGP SIGNATURE-----

From leifj@sunet.se  Mon Feb 28 22:12:53 2011
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@core3.amsl.com
Delivered-To: abfab@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F1DD3A6CB5 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 22:12:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.566
X-Spam-Level: 
X-Spam-Status: No, score=-2.566 tagged_above=-999 required=5 tests=[AWL=0.033,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RxFYvz5Fwa17 for <abfab@core3.amsl.com>; Mon, 28 Feb 2011 22:12:52 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 3D2593A6C9B for <abfab@ietf.org>; Mon, 28 Feb 2011 22:12:51 -0800 (PST)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p216Dom3017747 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Tue, 1 Mar 2011 07:13:53 +0100 (CET)
Message-ID: <4D6C8E9E.2040409@sunet.se>
Date: Tue, 01 Mar 2011 07:13:50 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <4D6BFA27.2060400@sunet.se> <tslvd03c3nh.fsf@mit.edu> <4D6C1A6B.9080706@sunet.se>
In-Reply-To: <4D6C1A6B.9080706@sunet.se>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] Fwd: ABFAB - Requested sessions have been scheduled for IETF 80
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2011 06:12:53 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2011 10:58 PM, Leif Johansson wrote:
> On 02/28/2011 09:20 PM, Sam Hartman wrote:
>> Is kitten still in Friday 1300-1400?  If so, I think the abfab-kitten
>> conflict is going to be fairly painful.
> 
> I've sent a message to the secretariat about the conflict. Let's see what
> they come up with.
> 
> For the record we did ask for two sessions but there seems to be some
> problem with the scheduling tool that resulted in this confusion.
> 
> Clearly we're not done yet :-(

At this point it doesn't look good. There are serious objections to all
alternatives that would give us a second slot. We may have to make do
with a single slot after all. I expect to get the final word from the
secretariat soon.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1sjpkACgkQ8Jx8FtbMZndcIQCbBI1LdHyubCmaFX931QbT58G4
KM0AoJtzCo1ccOK/xPipTZqJZpbbObDe
=taLu
-----END PGP SIGNATURE-----
