
From nobody Fri Jul  3 15:18:35 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C19641B3133 for <abfab@ietfa.amsl.com>; Fri,  3 Jul 2015 15:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.039
X-Spam-Level: *
X-Spam-Status: No, score=1.039 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uj3DD78JYHZV for <abfab@ietfa.amsl.com>; Fri,  3 Jul 2015 15:18:31 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C5D91B3172 for <abfab@ietf.org>; Fri,  3 Jul 2015 15:18:30 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t63MISY6024204 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Sat, 4 Jul 2015 00:18:28 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t63MIPTI021953 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Sat, 4 Jul 2015 00:18:27 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1435961907; bh=3IHhw9AHgYwEpfVs5Hm5QugRd75LT07q1Mr88m8SWjc=; h=Date:From:To:Subject; b=hmbJStNprcGe8f2tskEJ+34c6ZOTB3nTumrUZUBQfjjtOqB1UlwsMryhhG8t6f4aO BGTXBsgvBvjiKmQo4oGNZgaioOLaqkTs7pss4YKoLyMU+uM/xTMYFB8rXcvwYeusy2 PZGPfIU3fSuB5tMPx1mGZZpYsMrpdSDAWLdwZjYM=
X-Footer: c3VuZXQuc2U=
Received: from [10.0.0.120] ([62.102.145.131]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Sat, 4 Jul 2015 00:18:23 +0200
Message-ID: <55970A2F.8070202@sunet.se>
Date: Sat, 04 Jul 2015 00:18:23 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OLWisyx - 7cd55d69b5b2 - 20150704
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/qDvX35jEF4IV34-6KsYnd11Xn4E>
Subject: [abfab] Prague
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2015 22:18:33 -0000

Folks,

we got 1hr in Prague (Monday afternoon). Let's try to finish as much as
possible. I suggest we forgo the usual presentations and focus on
resolving outstanding issues for
http://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml/

	Cheers Leif


From nobody Mon Jul  6 03:01:01 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F91F1AC432 for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 03:00:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKjepEL5Ar2o for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 03:00:58 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 172EE1A9177 for <abfab@ietf.org>; Mon,  6 Jul 2015 03:00:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 7093520729; Mon,  6 Jul 2015 06:00:40 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id thpWI4g-oDTp; Mon,  6 Jul 2015 06:00:39 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-65-96-232-173.hsd1.ma.comcast.net [65.96.232.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon,  6 Jul 2015 06:00:39 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 749E88866B; Mon,  6 Jul 2015 06:00:38 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@sunet.se>
References: <55970A2F.8070202@sunet.se>
Date: Mon, 06 Jul 2015 06:00:38 -0400
In-Reply-To: <55970A2F.8070202@sunet.se> (Leif Johansson's message of "Sat, 04 Jul 2015 00:18:23 +0200")
Message-ID: <tsltwthr4ft.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/o5UFL0z2l0PDOlVb7P8IEsppwwg>
Cc: abfab@ietf.org
Subject: Re: [abfab] Prague
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 10:00:59 -0000

I definitely would like to focus on aaa-saml.
There's been some confusion within the authors and I think that we could
use some help from the broader WG.

--Sam


From nobody Mon Jul  6 06:04:27 2015
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AED21A1B72 for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 06:04:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrOM5EfwUiKD for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 06:04:23 -0700 (PDT)
Received: from mail-la0-f53.google.com (mail-la0-f53.google.com [209.85.215.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2EE11A1B8B for <abfab@ietf.org>; Mon,  6 Jul 2015 06:00:56 -0700 (PDT)
Received: by laar3 with SMTP id r3so154110792laa.0 for <abfab@ietf.org>; Mon, 06 Jul 2015 06:00:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=7PPP87NeDMTgoPoOKLB9wBvCP9Iy39+3uA7v98ShvWU=; b=BbNkED+e5i4yz6cPSdvVrvDZ0LfLvfIji2At70RoPeZ9rR8/P5tkID0XwGnPMl0/dZ tyM6eoJRfOp9Bd2t8TslvFofz7QGIPP07FVmedhDb4t9wR9bKWs0FgZYYS8gp87BvNh7 /TMStNy5UgYhz/G8yFUTtHR6SSGvMVFcrfBRyAFpPtn80aw+ZjbZn7XS5H/TXlVj13ci WxP4IMCPQdxFu5BJ7zbbeRYvQxg+h6fMPS/N5Z6xdcVKmY14IrGWtDvyU+6PqrtGJgnu Rr1I0ptt1+Vj6pEZPEFLbRZlF2AxmbIvG1H2Y3uYmX+Oe01uOZvQYvbpjsazw6PEDxT9 rW/g==
X-Gm-Message-State: ALoCoQlvDw4oaEIqlZB821f0MwAAZ7xsJJsubJ3n/k+awpRJnVtGaiDRCdexLXEJvK3h9EO8U5k9
X-Received: by 10.112.125.166 with SMTP id mr6mr48663450lbb.83.1436187655149;  Mon, 06 Jul 2015 06:00:55 -0700 (PDT)
Received: from [109.105.104.246] (dhcp96.se-tug.nordu.net. [109.105.104.246]) by mx.google.com with ESMTPSA id j2sm4700083lam.45.2015.07.06.06.00.54 for <abfab@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Jul 2015 06:00:54 -0700 (PDT)
Message-ID: <559A7C05.8050801@mnt.se>
Date: Mon, 06 Jul 2015 15:00:53 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <55970A2F.8070202@sunet.se> <tsltwthr4ft.fsf@mit.edu>
In-Reply-To: <tsltwthr4ft.fsf@mit.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/0iM2JftbtZf08dmth5qwcBcpRdk>
Subject: Re: [abfab] Prague
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 13:04:25 -0000

On 2015-07-06 12:00, Sam Hartman wrote:
> I definitely would like to focus on aaa-saml.
> There's been some confusion within the authors and I think that we could
> use some help from the broader WG.

Good. I'm going to drop an agenda that says precisely that.


From nobody Mon Jul  6 09:04:45 2015
Return-Path: <internet-drafts@ietf.org>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B07BA1B2F57; Mon,  6 Jul 2015 09:04:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4UuMy5EQ1FZ; Mon,  6 Jul 2015 09:04:43 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 659131B2F44; Mon,  6 Jul 2015 09:04:43 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.4.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150706160443.4310.17823.idtracker@ietfa.amsl.com>
Date: Mon, 06 Jul 2015 09:04:43 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/TH6Jdpz1Syik6ambUdhWvIx8_Gs>
Cc: abfab@ietf.org
Subject: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 16:04:44 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.

        Title           : Application Bridging for Federated Access Beyond web (ABFAB) Usability and User Interface Considerations
        Author          : Rhys Smith
        Filename        : draft-ietf-abfab-usability-ui-considerations-02.txt
        Pages           : 21
        Date            : 2015-07-06

Abstract:
   The real world use of ABFAB-based technologies requires that any
   identity that is to be used for authentication has to be configured
   on the ABFAB-enabled client device.  Achieving this requires software
   on that device (either built into the operating system or a
   standalone utility) that will interact with the user, managing their
   identity information and identity-to-service mappings.  All designers
   of software to fulfil this role will face the same set of challenges.
   This document aims to document these challenges with the aim of
   producing well-thought-out UIs with some degree of consistency
   between implementations.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-abfab-usability-ui-considerations/

There's also an htmlized version available at:
https://tools.ietf.org/html/draft-ietf-abfab-usability-ui-considerations-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-abfab-usability-ui-considerations-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Jul  6 09:10:31 2015
Return-Path: <rhys.smith@jisc.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C36881B2F26 for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 09:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNDziETLE5_I for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 09:10:27 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [207.82.80.189]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 364661AD49F for <abfab@ietf.org>; Mon,  6 Jul 2015 09:10:27 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1lrp0020.outbound.protection.outlook.com [213.199.154.20]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-26-woe7GCQUTje2lIIeNwmP9w-1
X-MC-Unique: woe7GCQUTje2lIIeNwmP9w-1
Received: from HE1PR07MB0811.eurprd07.prod.outlook.com (10.162.24.15) by HE1PR07MB0812.eurprd07.prod.outlook.com (10.162.24.150) with Microsoft SMTP Server (TLS) id 15.1.207.19; Mon, 6 Jul 2015 16:10:23 +0000
Received: from HE1PR07MB0811.eurprd07.prod.outlook.com ([10.162.24.15]) by HE1PR07MB0811.eurprd07.prod.outlook.com ([10.162.24.15]) with mapi id 15.01.0207.004; Mon, 6 Jul 2015 16:10:23 +0000
From: Rhys Smith <Rhys.Smith@jisc.ac.uk>
To: "<abfab@ietf.org>" <abfab@ietf.org>
Thread-Topic: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
Thread-Index: AQHQuAV+/E/ZgX/8A02YpZ3eHol0r53OnHoA
Date: Mon, 6 Jul 2015 16:10:23 +0000
Message-ID: <D3745A6F-06DC-4FC7-AFC4-F423394528F6@jisc.ac.uk>
References: <20150706160443.4310.17823.idtracker@ietfa.amsl.com>
In-Reply-To: <20150706160443.4310.17823.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-mailer: Apple Mail (2.2098)
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [86.183.117.152]
x-microsoft-exchange-diagnostics: 1; HE1PR07MB0812; 5:cF8nSIfOaGtQakLi9PLYfXYgGlrs8JEZab0myNvA8CczqPtuKTjlDD67dI/mYOA4hQouaW//zazr9/iWL6OMyfWhtoYqxznX8OFN1NjiwSDmHgHa+AP+X6efE5oRj08YIMR1XxjHyH2ZHhLPo1iIPQ==; 24:2i1rpjDnUlnIGwOqhgwuiFIGckxl5KjDIOwWdufU8yBN7P6sm1+gTDMcJ3hXYnxJphE3TNRzB4aqVeMNOLNthrrGZsR/vt9GN7FzT4WiPfQ=; 20:0mIfb7F5sJoTMveruye3NWQgeEtHSqId4FIWfZqCV/0Pz2TvFrevNkTX7FiPoSjeRgIuagugdNHfZ8z8mjPN2ZAgmhKC23Mv11jhvWP0n97mxjXa00IV0MCDbJ0I35vU27CfAoWjpk16aMNH8GUtCpLao9lb9Pej9urZ17Y2D3s=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR07MB0812;
x-microsoft-antispam-prvs: <HE1PR07MB0812A00F780C409508980491A0930@HE1PR07MB0812.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:HE1PR07MB0812; BCL:0; PCL:0; RULEID:;  SRVR:HE1PR07MB0812; 
x-forefront-prvs: 06290ECA9D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(377424004)(53754006)(24454002)(51704005)(87936001)(66066001)(50986999)(19580405001)(19580395003)(83716003)(92566002)(74482002)(99936001)(76176999)(33656002)(106116001)(46102003)(2950100001)(86362001)(5001960100002)(122556002)(2900100001)(2656002)(107886002)(189998001)(40100003)(82746002)(50226001)(230783001)(102836002)(450100001)(36756003)(77096005)(15975445007)(62966003)(5002640100001)(77156002)(57306001)(110136002)(491001)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0812; H:HE1PR07MB0811.eurprd07.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; boundary="Apple-Mail=_B75EEA06-67CC-4771-B1D1-244FEE1BED8E"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jul 2015 16:10:23.8535 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0812
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/CvedDal4kkoi3o9OGO9NCyRIaCY>
Subject: Re: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 16:10:31 -0000

Hi all,

I've updated the UI draft, finally. I think it’s now complete. Have
written the security considerations section and the error handling
section (the last two that needed doing), and tidied up some other bits
and pieces.

Would still welcome all feedback and some more comprehensive suggested
text for both of those (security considerations & error handling), but
if none is forthcoming then in the interests of getting this done and
dusted I think it’s good to go. No more TODOs left in the document at
least :-)

https://tools.ietf.org/html/draft-ietf-abfab-usability-ui-considerations-02

Best,
Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc

T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.




> On 6 Jul 2015, at 17:04, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.
> 
>        Title           : Application Bridging for Federated Access Beyond web (ABFAB) Usability and User Interface Considerations
>        Author          : Rhys Smith
>        Filename        : draft-ietf-abfab-usability-ui-considerations-02.txt
>        Pages           : 21
>        Date            : 2015-07-06
> 
> Abstract:
>   The real world use of ABFAB-based technologies requires that any
>   identity that is to be used for authentication has to be configured
>   on the ABFAB-enabled client device.  Achieving this requires software
>   on that device (either built into the operating system or a
>   standalone utility) that will interact with the user, managing their
>   identity information and identity-to-service mappings.  All designers
>   of software to fulfil this role will face the same set of challenges.
>   This document aims to document these challenges with the aim of
>   producing well-thought-out UIs with some degree of consistency
>   between implementations.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-abfab-usability-ui-considerations/
> 
> There's also an htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-abfab-usability-ui-considerations-02
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-abfab-usability-ui-considerations-02
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
> 




From nobody Mon Jul  6 12:05:59 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B43C11B3014 for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 12:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.249
X-Spam-Level: *
X-Spam-Status: No, score=1.249 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAt7MGV1h6-7 for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 12:05:54 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FC6A1B2FEE for <abfab@ietf.org>; Mon,  6 Jul 2015 12:05:53 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t66J5p61003586 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 6 Jul 2015 21:05:51 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t66J5lGV027468 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 6 Jul 2015 21:05:50 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1436209551; bh=PTrD86wjEJpocqYIiVMF/ccaO/rCWt0i6CCCwkoYa18=; h=Date:From:To:Subject:References:In-Reply-To; b=ByB+Elpt2di1xLIF9GvCXY/KN2LK1idIglaePjunDyyS3bSaTwsTvVhjt5C/NEA0a FvWmz3Yol6DGxItAbtiyLEdIVComgG+jxZjjldZAJyWiVIYSt4Bqpj2iK3c0MzO/La o2DkWU1HXfEw72KLExIrHI57/BM3QX1amrEVfsi0=
X-Footer: c3VuZXQuc2U=
Received: from [10.0.0.120] ([62.102.145.131]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)); Mon, 6 Jul 2015 21:05:46 +0200
Message-ID: <559AD18A.9050209@sunet.se>
Date: Mon, 06 Jul 2015 21:05:46 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org, "kjk@internet2.edu" <kjk@internet2.edu>, "Karen O'Donoghue" <odonoghue@isoc.org>
References: <20150706160443.4310.17823.idtracker@ietfa.amsl.com> <D3745A6F-06DC-4FC7-AFC4-F423394528F6@jisc.ac.uk>
In-Reply-To: <D3745A6F-06DC-4FC7-AFC4-F423394528F6@jisc.ac.uk>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09ON75PtK - b5e27724066f - 20150706
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/n7r6h_J-XBbssAm3lph46HnPthw>
Subject: Re: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 19:05:57 -0000

On 2015-07-06 18:10, Rhys Smith wrote:
> Hi all,
> 
> I've updated the UI draft, finally. I think it’s now complete. Have written the security considerations section and the error handling section (the last two that needed doing), and tidied up some other bits and pieces.
> 
> Would still welcome all feedback and some more comprehensive suggested text for both of those (security considerations & error handling), but if none is forthcoming then in the interests of getting this done and dusted I think it’s good to go. No more TODOs left in the document at least :-)
> 
> https://tools.ietf.org/html/draft-ietf-abfab-usability-ui-considerations-02

Thx - I have a record of Ken volunteering to do a review of this once it
was updated.

If you two (and others) could do a review, we could move this to WGLC.

	Cheers Leif



From nobody Mon Jul  6 16:35:39 2015
Return-Path: <stefan.paetow@jisc.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEEA11A19FA for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 16:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.302
X-Spam-Level: 
X-Spam-Status: No, score=-2.302 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QF04jEcPcgc for <abfab@ietfa.amsl.com>; Mon,  6 Jul 2015 16:35:34 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [207.82.80.189]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67B0B1A00FF for <abfab@ietf.org>; Mon,  6 Jul 2015 16:35:34 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1lrp0019.outbound.protection.outlook.com [213.199.154.19]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-8-pn-qVGOdTn-LuxoDk0-CUg-1
Received: from AM2PR07MB0898.eurprd07.prod.outlook.com (10.161.71.19) by AM2PR07MB0900.eurprd07.prod.outlook.com (10.161.71.21) with Microsoft SMTP Server (TLS) id 15.1.207.19; Mon, 6 Jul 2015 23:35:31 +0000
Received: from AM2PR07MB0898.eurprd07.prod.outlook.com ([10.161.71.19]) by AM2PR07MB0898.eurprd07.prod.outlook.com ([10.161.71.19]) with mapi id 15.01.0207.004; Mon, 6 Jul 2015 23:35:30 +0000
From: Stefan Paetow <Stefan.Paetow@jisc.ac.uk>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: Credential forwarding/delegation in ABFAB
Thread-Index: AQHQuERyrwjjXuq7kEeFyzjv3F3NHQ==
Date: Mon, 6 Jul 2015 23:35:30 +0000
Message-ID: <D1C0CF50.970B%stefan.paetow@jisc.ac.uk>
Accept-Language: en-US
Content-Language: en-US
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/IVo4W5ZIkgfAefe_c5uy2Qbjtck>
Subject: [abfab] Credential forwarding/delegation in ABFAB
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 23:35:38 -0000

Hi all,

I've submitted a new draft for ABFAB. This one's about credential
forwarding/delegation because it's been something that's been raised by
several of our pilot infrastructures who raised concerns that ABFAB
doesn't support it.

I raised this on the Moonshot community list and had some interested
parties (Daniel Kouril and Gabriel Lopez), so I think it's worth
discussing...

Be gentle. It's my first draft:

https://datatracker.ietf.org/doc/draft-paetow-abfab-credential-forward-delegate/


It's currently marked as informational, but I suspect that'll change as it
evolves.

Thank you very much!

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp@jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a
company limited by guarantee which is registered in England under Company
No. number 2881024, VAT No. GB 197 0632 86. The registered office is:
Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T
01235 822200.




From nobody Tue Jul  7 01:33:04 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E121A6F05 for <abfab@ietfa.amsl.com>; Tue,  7 Jul 2015 01:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level: 
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkh7D05Y2-pe for <abfab@ietfa.amsl.com>; Tue,  7 Jul 2015 01:33:01 -0700 (PDT)
Received: from xenon21.um.es (xenon21.um.es [155.54.212.161]) by ietfa.amsl.com (Postfix) with ESMTP id C6C271A21AA for <abfab@ietf.org>; Tue,  7 Jul 2015 01:33:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon21.um.es (Postfix) with ESMTP id 480853FD10 for <abfab@ietf.org>; Tue,  7 Jul 2015 10:32:59 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon21.um.es
Received: from xenon21.um.es ([127.0.0.1]) by localhost (xenon21.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id twQ3ienLBud9 for <abfab@ietf.org>; Tue,  7 Jul 2015 10:32:59 +0200 (CEST)
Received: from [10.42.0.179] (84.121.18.25.dyn.user.ono.com [84.121.18.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon21.um.es (Postfix) with ESMTPSA id 1682D3F839 for <abfab@ietf.org>; Tue,  7 Jul 2015 10:32:58 +0200 (CEST)
To: abfab@ietf.org
References: <20150706160443.4310.17823.idtracker@ietfa.amsl.com> <D3745A6F-06DC-4FC7-AFC4-F423394528F6@jisc.ac.uk> <559AD18A.9050209@sunet.se>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <559B8EB9.3080806@um.es>
Date: Tue, 7 Jul 2015 10:32:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <559AD18A.9050209@sunet.se>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/H5czYcjL60rqawkY9n-mf0R6WEA>
Subject: Re: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
X-List-Received-Date: Tue, 07 Jul 2015 08:33:03 -0000

On 06/07/15 at 21:05, Leif Johansson wrote:
> On 2015-07-06 18:10, Rhys Smith wrote:
>> Hi all,
>>
>> I've updated the UI draft, finally. I think it’s now complete. Have written the security considerations section and the error handling section (the last two that needed doing), and tidied up some other bits and pieces.
>>
>> Would still welcome all feedback and some more comprehensive suggested text for both of those (security considerations & error handling), but if none is forthcoming then in the interests of getting this done and dusted I think it’s good to go. No more TODOs left in the document at least :-)
>>
>> https://tools.ietf.org/html/draft-ietf-abfab-usability-ui-considerations-02
> Thx - I have a record of Ken volunteering to do a review of this once it
> was updated.
>
> If you two (and others) could do a review we could move to WGLC this.

I'll do a review as well.

Regards,
Alejandro

>
> 	Cheers Leif
>
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From nobody Tue Jul  7 05:07:44 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C64D31AC3BC for <abfab@ietfa.amsl.com>; Tue,  7 Jul 2015 05:07:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.36
X-Spam-Level: 
X-Spam-Status: No, score=-1.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, MIME_BASE64_BLANKS=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NeA15FZJEU9z for <abfab@ietfa.amsl.com>; Tue,  7 Jul 2015 05:07:42 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A73BA1AC3B5 for <abfab@ietf.org>; Tue,  7 Jul 2015 05:07:41 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t67C7d2M013780 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 7 Jul 2015 14:07:39 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t67C7ZCV013912 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 7 Jul 2015 14:07:38 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
Received: from [2.64.218.125] ([2.64.218.125]) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1); Tue, 7 Jul 2015 14:07:34 +0200
From: "Leif Johansson" <leifj@sunet.se>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Mime-Version: 1.0 (1.0)
Message-Id: <0A256D73-F5BC-4334-8FB0-328D20B72F11@sunet.se>
Date: Tue, 7 Jul 2015 14:07:34 +0200
References: <20150706160443.4310.17823.idtracker@ietfa.amsl.com> <D3745A6F-06DC-4FC7-AFC4-F423394528F6@jisc.ac.uk> <559AD18A.9050209@sunet.se> <559B8EB9.3080806@um.es>
To: Alejandro Pérez Méndez <alex@um.es>
In-Reply-To: <559B8EB9.3080806@um.es>
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/Idr0t078e8pYwTNtwlOwwfkkHCo>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
X-List-Received-Date: Tue, 07 Jul 2015 12:07:44 -0000

From nobody Tue Jul  7 07:38:18 2015
Return-Path: <adam.bishop@jisc.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF56D1ACC86 for <abfab@ietfa.amsl.com>; Tue,  7 Jul 2015 07:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.302
X-Spam-Level: 
X-Spam-Status: No, score=-2.302 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQKrzKiEca2X for <abfab@ietfa.amsl.com>; Tue,  7 Jul 2015 07:38:15 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B07AB1AC435 for <abfab@ietf.org>; Tue,  7 Jul 2015 07:38:09 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1lrp0013.outbound.protection.outlook.com [213.199.154.13]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-37-x15eXLYfSVW_w2gXtxDLXw-1
Received: from HE1PR07MB0796.eurprd07.prod.outlook.com (10.162.24.147) by HE1PR07MB0796.eurprd07.prod.outlook.com (10.162.24.147) with Microsoft SMTP Server (TLS) id 15.1.201.16; Tue, 7 Jul 2015 14:38:06 +0000
Received: from HE1PR07MB0796.eurprd07.prod.outlook.com ([10.162.24.147]) by HE1PR07MB0796.eurprd07.prod.outlook.com ([10.162.24.147]) with mapi id 15.01.0201.000; Tue, 7 Jul 2015 14:38:06 +0000
From: Adam Bishop <Adam.Bishop@jisc.ac.uk>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: Ephemeral Keying
Date: Tue, 7 Jul 2015 14:38:05 +0000
Message-ID: <2C598F21-3DA8-4C51-8330-A9EE17FA49B0@jisc.ac.uk>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-mailer: Apple Mail (2.2102)
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/pxVFCpwCSPKCkp1Tuw4YBMzN5Ck>
Subject: [abfab] Ephemeral Keying
X-List-Received-Date: Tue, 07 Jul 2015 14:38:17 -0000

Apologies for sending this so close to the meeting; I neglected to keep my list details up to date so I think my first message was bounced.

Things seem to have gone a little quiet around the ephemeral keying draft that Linus started.

There was a -01 with a few updates but I can't find any record of it being presented or discussed.

I'm happy to spend some time working on this draft if the working group believes it would be worthwhile.

Regards,

Adam Bishop
Systems Development Specialist

  gpg: 0x6609D460
    t: +44 (0)1235 822 245
 xmpp: adamb@jabber.dev.ja.net

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


From nobody Wed Jul  8 08:19:51 2015
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2C781A0041 for <abfab@ietfa.amsl.com>; Wed,  8 Jul 2015 08:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mk0FdhvzbNzD for <abfab@ietfa.amsl.com>; Wed,  8 Jul 2015 08:19:48 -0700 (PDT)
Received: from mail-lb0-f169.google.com (mail-lb0-f169.google.com [209.85.217.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9E631A0045 for <abfab@ietf.org>; Wed,  8 Jul 2015 08:19:38 -0700 (PDT)
Received: by lbzd8 with SMTP id d8so12953162lbz.0 for <abfab@ietf.org>; Wed, 08 Jul 2015 08:19:37 -0700 (PDT)
X-Received: by 10.112.55.70 with SMTP id q6mr9016959lbp.99.1436368776981; Wed, 08 Jul 2015 08:19:36 -0700 (PDT)
Received: from [10.0.0.120] (tb62-102-145-131.cust.teknikbyran.com. [62.102.145.131]) by smtp.googlemail.com with ESMTPSA id x4sm612618lag.40.2015.07.08.08.19.36 for <abfab@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2015 08:19:36 -0700 (PDT)
Message-ID: <559D3F88.8050205@mnt.se>
Date: Wed, 08 Jul 2015 17:19:36 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/A86gp2QRHzAF8TGnJvv2Sdo6x_Y>
Subject: [abfab] agenda for Prague
X-List-Received-Date: Wed, 08 Jul 2015 15:19:50 -0000

As promised - a very focused agenda:
https://datatracker.ietf.org/meeting/93/agenda/abfab

	Cheers Leif


From nobody Wed Jul  8 12:28:16 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D39B1A1BC2 for <abfab@ietfa.amsl.com>; Wed,  8 Jul 2015 12:28:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.238
X-Spam-Level: 
X-Spam-Status: No, score=0.238 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjCVrH1s7Txr for <abfab@ietfa.amsl.com>; Wed,  8 Jul 2015 12:28:08 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42C7C1A1B6D for <abfab@ietf.org>; Wed,  8 Jul 2015 12:28:08 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t68JS5rk009702 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Wed, 8 Jul 2015 21:28:06 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t68JS2j6026099 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Wed, 8 Jul 2015 21:28:05 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
Received: from [10.0.0.120] ([62.102.145.131]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Wed, 8 Jul 2015 21:28:01 +0200
Message-ID: <559D79C1.2060309@sunet.se>
Date: Wed, 08 Jul 2015 21:28:01 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <2C598F21-3DA8-4C51-8330-A9EE17FA49B0@jisc.ac.uk>
In-Reply-To: <2C598F21-3DA8-4C51-8330-A9EE17FA49B0@jisc.ac.uk>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/utrrfSc0g8kDbEjiaOiJbv3ejOo>
Subject: Re: [abfab] Ephemeral Keying
X-List-Received-Date: Wed, 08 Jul 2015 19:28:15 -0000

On 2015-07-07 16:38, Adam Bishop wrote:
> Apologies for sending this so close to the meeting; I neglected to keep my list details up to date so I think my first message was bounced.
> 
> Things seem to have gone a little quiet around the ephemeral keying draft that Linus started.
> 
> There was a -01 with a few updates but I can't find any record of it being presented or discussed.
> 
> I'm happy to spend some time working on this draft if the working group believes it would be worthwhile.
> 

We don't have a lot of time during the f2f in Prague but let's try to
cover this in the open mic, ok?

> Regards,
> 
> Adam Bishop
> Systems Development Specialist
> 
>   gpg: 0x6609D460
>     t: +44 (0)1235 822 245
>  xmpp: adamb@jabber.dev.ja.net
> 
> jisc.ac.uk
> 
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
> 
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  
> 
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
> 



From nobody Tue Jul 14 05:35:45 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3FDE1A90FF for <abfab@ietfa.amsl.com>; Tue, 14 Jul 2015 05:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.039
X-Spam-Level: *
X-Spam-Status: No, score=1.039 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CtHj_1ndaVi for <abfab@ietfa.amsl.com>; Tue, 14 Jul 2015 05:35:42 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA2FD1A90E6 for <abfab@ietf.org>; Tue, 14 Jul 2015 05:35:41 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6ECZcMW015181 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Tue, 14 Jul 2015 14:35:39 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6ECZZLX016495 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Tue, 14 Jul 2015 14:35:38 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
Received: from [172.20.10.4] ([2.65.45.109]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Tue, 14 Jul 2015 14:35:33 +0200
Message-ID: <55A50214.3080500@sunet.se>
Date: Tue, 14 Jul 2015 14:35:32 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <D1C9361D.36759%kjk@internet2.edu>
In-Reply-To: <D1C9361D.36759%kjk@internet2.edu>
X-Forwarded-Message-Id: <D1C9361D.36759%kjk@internet2.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/1IcfhavkfL1_xGoMW-u-ZCsMwK0>
Subject: [abfab] Fwd: feedback on usability draft for abfab
X-List-Received-Date: Tue, 14 Jul 2015 12:35:44 -0000

I got this review from Ken Klingenstein of Internet2 and am reposting it
with his permission.

	Cheers Leif


-------- Forwarded Message --------
Subject: 	feedback on usability draft for abfab
Date: 	Mon, 13 Jul 2015 15:45:53 +0000
From: 	Ken Klingenstein <kjk@internet2.edu>
To: 	Leif Johansson <leifj@sunet.se>, Rhys Smith <Rhys.Smith@jisc.ac.uk>



Gents,
  Looked it over. Pretty complete. Just one or two comments.

  Sec 3 talks only of authentication and identity. Are there any use
cases where a user will want some degree of privacy and want to release
attributes (maybe packaged as a "pseudo-identity") to allow
privacy-preserving authentication with authorization to use the service
conveyed in the attributes released? Could the SSH keys be associated
with such a pseudo-identity?
  Sec 6.1 recommends storing the password reset URL for an IdP. I would
assume it won't be a particularly volatile URL, but it may change. Is it
advisable to include it then? Having the help desk URL (presumably even
less volatile) would allow a user to traverse to the password location.
  There is a security considerations section, but no privacy
considerations section. Not sure if that is required now in IETF drafts,
but it would be a worthy addition to this doc given its identity
orientation. It might address the points about Section 3 mentioned above.

  That's it. Maybe the long grind is done. Good luck and enjoy Prague.
             Ken





From nobody Tue Jul 14 07:27:48 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E02461ACDCF for <abfab@ietfa.amsl.com>; Tue, 14 Jul 2015 07:27:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yaKkibG54o1F for <abfab@ietfa.amsl.com>; Tue, 14 Jul 2015 07:27:45 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BE3A1ACDC1 for <abfab@ietf.org>; Tue, 14 Jul 2015 07:27:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 49A6B20718; Tue, 14 Jul 2015 10:27:39 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W803iVsBemCS; Tue, 14 Jul 2015 10:27:39 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 14 Jul 2015 10:27:39 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 8D6EE8864D; Tue, 14 Jul 2015 10:27:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@sunet.se>
References: <D1C9361D.36759%kjk@internet2.edu> <55A50214.3080500@sunet.se>
Date: Tue, 14 Jul 2015 10:27:43 -0400
In-Reply-To: <55A50214.3080500@sunet.se> (Leif Johansson's message of "Tue, 14 Jul 2015 14:35:32 +0200")
Message-ID: <tsl4ml6ddb4.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/kAF208xsTpxRAul2mgU-4zMw66Y>
Cc: abfab@ietf.org
Subject: Re: [abfab] Fwd: feedback on usability draft for abfab
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 14:27:47 -0000

So, we definitely have use cases where we use privacy-preserving
identities similar to eduPersonTargetedID, so that's certainly doable.


From nobody Wed Jul 15 02:11:10 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E7A1A00C1 for <abfab@ietfa.amsl.com>; Wed, 15 Jul 2015 02:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level: 
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utgde0yt3KrK for <abfab@ietfa.amsl.com>; Wed, 15 Jul 2015 02:11:06 -0700 (PDT)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id CD8011A00BE for <abfab@ietf.org>; Wed, 15 Jul 2015 02:11:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id E00AF6CAB for <abfab@ietf.org>; Wed, 15 Jul 2015 11:11:03 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id ALlEHWyPPkfA for <abfab@ietf.org>; Wed, 15 Jul 2015 11:11:03 +0200 (CEST)
Received: from [155.54.204.2] (alex.inf.um.es [155.54.204.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex@um.es) by xenon22.um.es (Postfix) with ESMTPSA id C7519B38 for <abfab@ietf.org>; Wed, 15 Jul 2015 11:11:03 +0200 (CEST)
To: abfab@ietf.org
References: <20150706160443.4310.17823.idtracker@ietfa.amsl.com> <D3745A6F-06DC-4FC7-AFC4-F423394528F6@jisc.ac.uk> <559AD18A.9050209@sunet.se> <559B8EB9.3080806@um.es>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <55A623A7.2040507@um.es>
Date: Wed, 15 Jul 2015 11:11:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <559B8EB9.3080806@um.es>
Content-Type: multipart/alternative; boundary="------------040203090509030602040600"
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/EzXchhALSqIF20hSMbyqzuTdclg>
Subject: Re: [abfab] I-D Action: draft-ietf-abfab-usability-ui-considerations-02.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 09:11:09 -0000

This is a multi-part message in MIME format.
--------------040203090509030602040600
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi,

here is my review of draft-ietf-abfab-usability-ui-considerations-02.txt.
In general, I've found no difficulties reading it, as it is very clear 
and complete. I have only a few minor comments and some nits:

  * Section 5.1: s/internet/Internet
  * Section 5.1: A reference to Microsoft Cardspace would be nice.
  * Section 6: s/will need to managed/will need to manage
  * Section 6.1: s/user to authenticate themselves/users to authenticate
    themselves
  * Section 7: Does user-driven manual association take precedence over
    automated one? E.g.: when the user decides that a particular IMAP
    server will use ID2 instead of the rule "all IMAP servers will use
    ID1". If so, it might be useful to state it somewhere.
  * Section 11 and 12: Should these sections be moved to the end of the
    document, right before references section?
  * Section 13: A reference to DANE would be nice.

Regards,
Alejandro


On 07/07/15 at 10:32, Alejandro Pérez Méndez wrote:
>
>
> On 06/07/15 at 21:05, Leif Johansson wrote:
>> On 2015-07-06 18:10, Rhys Smith wrote:
>>> Hi all,
>>>
>>> I've updated the UI draft, finally. I think it's now complete. Have 
>>> written the security considerations section and the error handling 
>>> section (the last two that needed doing), and tidied up some other 
>>> bits and pieces.
>>>
>>> Would still welcome all feedback and some more comprehensive 
>>> suggested text for both of those (security considerations & error 
>>> handling), but if none is forthcoming then in the interests of 
>>> getting this done and dusted I think it's good to go. No more TODOs 
>>> left in the document at least :-)
>>>
>>> https://tools.ietf.org/html/draft-ietf-abfab-usability-ui-considerations-02 
>>>
>> Thx - I have a record of Ken volunteering to do a review of this once it
>> was updated.
>>
>> If you two (and others) could do a review we could move to WGLC this.
>
> I'll do a review as well.
>
> Regards,
> Alejandro
>
>>
>>     Cheers Leif
>>
>>
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


--------------040203090509030602040600--


From nobody Mon Jul 20 01:43:48 2015
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A724A1A1A76 for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 01:43:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCVe1u6HJOkY for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 01:43:45 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A26D31A1A64 for <abfab@ietf.org>; Mon, 20 Jul 2015 01:43:44 -0700 (PDT)
Received: by wibxm9 with SMTP id xm9so85393435wib.0 for <abfab@ietf.org>; Mon, 20 Jul 2015 01:43:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=afyhB+YUiMhE1okwFzBWp3jnRum1UW425iqGk01FY9E=; b=MWgIDtWDHLVX+5s8mv+NW+5Oa+BJVnpXZho3Owj9HFznwhg04zAgY1lPKw5pBeqpc9 67UO8AnXGqlnoZfdcAdhGZC72XogETs/UUIKSV3JAFvLtfvPr3/AxeqgNMDxTQwgWlk9 Vs0sB2AI3nfhvaNvuaSyUDvaeiBf9BrixgPFjtG4hDZIO7QvHwgB7ReAHAlDH29kT7bK uXKOejIVZ9sPP0zujxbMmt5Os4MqN3C4+Z0xENnF2qLcsZMCOkQ39LAEUejU3jRt1wK7 DvrBttkxr7cWtC+onic4yJFUh0JGE7SM+fRpK9VNZogpeECbNG9VFJeexGdO3LC6mL25 9whw==
X-Gm-Message-State: ALoCoQmGCt6n9Eh2twtNFDd6S4A42yPvEUZFJNE1NQChE+J31KV3gfsUkaHuaQ+AeArV0bdZ8UNf
X-Received: by 10.194.86.130 with SMTP id p2mr51033302wjz.99.1437381823430; Mon, 20 Jul 2015 01:43:43 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:152:76da:38ff:fe3a:15dd? ([2001:67c:370:152:76da:38ff:fe3a:15dd]) by smtp.googlemail.com with ESMTPSA id jz4sm30896414wjb.16.2015.07.20.01.43.42 for <abfab@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 20 Jul 2015 01:43:42 -0700 (PDT)
Message-ID: <55ACB4BD.9060102@mnt.se>
Date: Mon, 20 Jul 2015 10:43:41 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/iSDLhScCFRdy3W4h5dTWSW0b_Xc>
Subject: [abfab] slides for the meetings later today
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 08:43:47 -0000

If anyone wants to show any slides at the meeting in Prague, please send
them to me asap.

	Cheers Leif


From nobody Mon Jul 20 05:28:20 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEFF71A8033 for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 05:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.911
X-Spam-Level: 
X-Spam-Status: No, score=-3.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBKx532SnP3n for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 05:28:15 -0700 (PDT)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id 55BE81A8032 for <abfab@ietf.org>; Mon, 20 Jul 2015 05:28:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id AD6952B36 for <abfab@ietf.org>; Mon, 20 Jul 2015 14:28:13 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id nyclP7NPAlTi for <abfab@ietf.org>; Mon, 20 Jul 2015 14:28:13 +0200 (CEST)
Received: from [192.168.20.112] (186.160.broadband14.iol.cz [90.181.160.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon22.um.es (Postfix) with ESMTPSA id 6B2B82B1E for <abfab@ietf.org>; Mon, 20 Jul 2015 14:28:12 +0200 (CEST)
To: "abfab@ietf.org" <abfab@ietf.org>
References: <55ACB4BD.9060102@mnt.se>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <55ACE95C.1060506@um.es>
Date: Mon, 20 Jul 2015 14:28:12 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <55ACB4BD.9060102@mnt.se>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/CGz7hs0T3pyqmkuGx6t7yOvbNeM>
Subject: Re: [abfab] slides for the meetings later today
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:28:19 -0000

Hi,

one of the key issues we have with draft-ietf-abfab-aaa-saml is the 
binding/mapping between SAML names and AAA names.
I have a proposal, consisting of the definition of two new 
RoleDescriptor subtypes, RADIUSIDPDescriptor and RADIUSRPDescriptor, 
and the definition of a way to represent AAA names as URIs.

You can find the complete text for the proposal at the end of this mail.

Regards,
Alejandro


4.3.3.  Mapping of AAA names in SAML metadata

    This section defines the extensions to the SAML metadata
    specification [OASIS.saml-metadata-2.0-os] that are required in order
    to represent AAA names associated to a particular <EntityDescriptor>
    element.

    In SAML metadata, each single entity may act in many different roles
    in the support of multiple profiles.  This document defines two new
    roles: RADIUS IDP and RADIUS RP, requiring the declaration of two new
    subtypes of RoleDescriptorType: RADIUSIDPDescriptor and
    RADIUSRPDescriptor.

4.3.3.1.  <RADIUSIDPDescriptor>

    The <RADIUSIDPDescriptor> element extends RoleDescriptorType with
    elements common to IdPs that support RADIUS, and contains the
    following additional elements:

    <RADIUSIDPService> [Zero or More]  Zero or more elements of type
       EndpointType that describe RADIUS endpoints that are associated to
       this Entity.  The Binding attribute MUST be set to
       "urn:ietf:params:abfab:bindings:radius", whereas the
       ResponseLocation attribute MUST be omitted.

    The following schema fragment defines the <RADIUSIDPDescriptor>
    element and its RADIUSIDPDescriptorType complex type:

       <element name="RADIUSIDPDescriptor"
                type="md:RADIUSIDPDescriptorType"/>
           <complexType name="RADIUSIDPDescriptorType">
               <complexContent>
                   <extension base="md:RoleDescriptorType">
                       <sequence>
                           <element ref="md:RADIUSIDPService"
                                    minOccurs="0" maxOccurs="unbounded"/>
                       </sequence>
                   </extension>
               </complexContent>
           </complexType>
       <element name="RADIUSIDPService" type="md:EndpointType"/>

                    Figure 3: RADIUSIDPDescriptor schema

4.3.3.2.  <RADIUSRPDescriptor>

    The <RADIUSRPDescriptor> element extends RoleDescriptorType with
    elements common to RPs that support RADIUS, and contains the
    following additional elements:

    <RADIUSRPService> [Zero or More]  Zero or more elements of type
       EndpointType that describe RADIUS endpoints that are associated to
       this Entity.  The Binding attribute MUST be set to
       "urn:ietf:params:abfab:bindings:radius", whereas the
       ResponseLocation attribute MUST be omitted.

    The following schema fragment defines the <RADIUSRPDescriptor>
    element and its RADIUSRPDescriptorType complex type:

       <element name="RADIUSRPDescriptor"
                type="md:RADIUSRPDescriptorType"/>
           <complexType name="RADIUSRPDescriptorType">
               <complexContent>
                   <extension base="md:RoleDescriptorType">
                       <sequence>
                           <element ref="md:RADIUSRPService"
                                    minOccurs="0" maxOccurs="unbounded"/>
                       </sequence>
                   </extension>
               </complexContent>
           </complexType>
       <element name="RADIUSRPService" type="md:EndpointType"/>

                     Figure 4: RADIUSRPDescriptor schema


4.3.4.  URI representation of RADIUS names

    The Location attribute of the RADIUSIDPService and RADIUSRPService
    EndpointType elements is defined as a URI.  However, RADIUS does not
    identify the peers using this format, but based on the values of a
    set of RADIUS attributes.  This section describes how the value of
    these attributes can be represented in the URI form.

4.3.4.1.  Representation of RP name

    [RFC2865] defines the NAS-IP-Address and NAS-Identifier attributes,
    that are used to provide simplistic information about the RP's
    identity.  In particular, while the former provides information about
    the RP's IP address, the latter provides a textual identifier for the
    RP.  However, for some deployments this information is not enough,
    and a more descriptive one is required.  For instance, this is the
    case of ABFAB and its GSS-EAP mechanism (RFC 7055), where a set of
    four attributes are used to convey the RP's full name information.

    This section provides a URI representation for these three
    identifiers, although the ABFAB one is preferred whenever the
    required RADIUS attributes are available:

    o  "radius:rp:nas-ip-address:{ip_address}", where {ip_address} is the
       textual representation of the IP address to be matched with the
       value of the NAS-IP-Address RADIUS attribute.

    o  "radius:rp:nas-identifier:{identifier}", where {identifier} is the
       textual value to be matched with the value of the NAS-Identifier
       RADIUS attribute.

    o  "radius:rp:gss-eap:{identifier}", where {identifier} is the
       textual value resulting after reconstructing the acceptor service
       name after the reception of the GSS-Acceptor-Service-Name, GSS-
       Acceptor-Host-Name, GSS-Acceptor-Service-Specifics, and GSS-
       Acceptor-Realm-Name RADIUS attributes, as described in section 3.4
       of [RFC7055].  Note that this representation might require the use
       of the "percent-encoding" to incorporate the required "/" and "@"
       into the {identifier} value.

4.3.4.2.  Representation of IDP name

    In RADIUS there is no attribute used for identifying the IDP.
    However, for the binding and profiles described in this document, it
    is assumed that the realm part of the user's NAI uniquely names the
    IDP.  This realm can be extracted from the User-Name RADIUS attribute
    at any moment of the authentication process.  Therefore, the proposed
    URI representation for the IDP would be:

    o  "radius:idp:{realm}", where {realm} is the textual value to be
       matched with the realm of the user's NAI.

4.3.5.  Example of SAML metadata

    The following examples illustrate how to define metadata on both
    sides, RP and IDP.  The RP SAML name is "https://RelyingParty.com/
    SAML", while its ABFAB name is "nfs/fileserver.rp.com@rp.com".  The
    IDP SAML name is "https://IdentityProvider.com/", while its RADIUS
    realm is "idp.com".

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        entityID="https://IdentityProvider.com/SAML">
          <RADIUSIDPDescriptor
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <RADIUSIDPService
                  Binding="urn:ietf:params:abfab:bindings:radius"
                  Location="radius:idp:idp.com"/>
          </RADIUSIDPDescriptor>
      </EntityDescriptor>

                        Figure 5: Metadata on the RP

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        entityID="https://RelyingParty.com/SAML">
          <RADIUSRPDescriptor
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <RADIUSRPService
                  Binding="urn:ietf:params:abfab:bindings:radius"
                  Location="radius:rp:gss-eap:nfs%2Ffileserver.rp.com%40rp.com"/>
          </RADIUSRPDescriptor>
      </EntityDescriptor>

                        Figure 6: Metadata on the IDP

On 20/07/15 at 10:43, Leif Johansson wrote:
> If anyone wants to show any slides at the meeting in Prague, please send
> them to me asap.
>
> 	Cheers Leif
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
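The following is an added example, not text or code from Alejandro's proposal or from draft-ietf-abfab-aaa-saml. It shows the name mapping of sections 4.3.4 and 4.3.5 end to end: the radius: URIs are built from the attributes of a RADIUS Access-Request (gss-eap form preferred, then NAS-Identifier, then NAS-IP-Address; realm of the User-Name NAI for the IDP), and then looked up in SAML metadata carrying the RADIUSIDPDescriptor / RADIUSRPDescriptor roles from Figures 5 and 6. Assumptions beyond the proposal text: the acceptor name is rebuilt in the service/host/service-specifics@realm layout, which reproduces the draft's example name nfs/fileserver.rp.com@rp.com; NAS-Identifier is percent-encoded as well, since the proposal only spells this out for the gss-eap form; the sample request and the combined EntitiesDescriptor are constructed for this example.

```python
"""Map RADIUS request attributes to the proposed radius: URIs and look
them up in SAML metadata with RADIUS{IDP,RP}Descriptor roles.
Added example; not code from the draft or from any ABFAB project."""
from urllib.parse import quote
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
RADIUS_BINDING = "urn:ietf:params:abfab:bindings:radius"


def gss_eap_acceptor_name(attrs):
    """Rebuild the GSS-EAP acceptor name from the four RFC 7055 RADIUS
    attributes.  Layout assumed here: service/host/service-specifics@realm,
    omitting empty components (this yields the draft's example name
    nfs/fileserver.rp.com@rp.com).  Returns None when the attributes are
    absent, i.e. the request did not come from a GSS-EAP acceptor."""
    service = attrs.get("GSS-Acceptor-Service-Name")
    if not service:
        return None
    parts = [service]
    for key in ("GSS-Acceptor-Host-Name", "GSS-Acceptor-Service-Specifics"):
        if attrs.get(key):
            parts.append(attrs[key])
    name = "/".join(parts)
    if attrs.get("GSS-Acceptor-Realm-Name"):
        name += "@" + attrs["GSS-Acceptor-Realm-Name"]
    return name


def rp_uri(attrs):
    """URI naming the RP, preferring the gss-eap form as the draft says.
    quote(..., safe="") turns '/' and '@' into %2F and %40 so they cannot
    be mistaken for URI syntax."""
    name = gss_eap_acceptor_name(attrs)
    if name:
        return "radius:rp:gss-eap:" + quote(name, safe="")
    if attrs.get("NAS-Identifier"):
        # Percent-encoding assumed here too: NAS-Identifier is free text.
        return "radius:rp:nas-identifier:" + quote(attrs["NAS-Identifier"], safe="")
    if attrs.get("NAS-IP-Address"):
        return "radius:rp:nas-ip-address:" + attrs["NAS-IP-Address"]
    raise ValueError("request carries no RP identity attribute")


def idp_uri(attrs):
    """URI naming the IDP: the realm part of the NAI in User-Name."""
    user = attrs.get("User-Name", "")
    if "@" not in user:
        raise ValueError("User-Name carries no NAI realm")
    return "radius:idp:" + user.rsplit("@", 1)[1]


def radius_endpoints(metadata_xml, role):
    """Return {Location: entityID} for every RADIUS<role>Service endpoint
    (role is "IDP" or "RP") that uses the ABFAB RADIUS binding.  Endpoints
    with another Binding, or with a ResponseLocation (which the draft says
    MUST be omitted), are skipped rather than trusted."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for desc in entity.findall(f"{{{MD_NS}}}RADIUS{role}Descriptor"):
            for ep in desc.findall(f"{{{MD_NS}}}RADIUS{role}Service"):
                if ep.get("Binding") != RADIUS_BINDING:
                    continue
                if ep.get("ResponseLocation") is not None:
                    continue
                found[ep.get("Location")] = entity.get("entityID")
    return found


def resolve_saml_names(attrs, metadata_xml):
    """(RP entityID, IDP entityID) for one RADIUS request; None in either
    slot when the metadata has no matching RADIUS endpoint."""
    rps = radius_endpoints(metadata_xml, "RP")
    idps = radius_endpoints(metadata_xml, "IDP")
    return rps.get(rp_uri(attrs)), idps.get(idp_uri(attrs))


# Constructed sample metadata: Figures 5 and 6 wrapped in one
# EntitiesDescriptor so a single document covers both sides.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://IdentityProvider.com/SAML">
    <RADIUSIDPDescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <RADIUSIDPService Binding="{RADIUS_BINDING}"
                        Location="radius:idp:idp.com"/>
    </RADIUSIDPDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://RelyingParty.com/SAML">
    <RADIUSRPDescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <RADIUSRPService Binding="{RADIUS_BINDING}"
          Location="radius:rp:gss-eap:nfs%2Ffileserver.rp.com%40rp.com"/>
    </RADIUSRPDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed sample: attributes of one Access-Request as the IDP sees it.
SAMPLE_REQUEST = {
    "User-Name": "alice@idp.com",
    "NAS-IP-Address": "192.0.2.10",
    "NAS-Identifier": "fileserver",
    "GSS-Acceptor-Service-Name": "nfs",
    "GSS-Acceptor-Host-Name": "fileserver.rp.com",
    "GSS-Acceptor-Realm-Name": "rp.com",
}

if __name__ == "__main__":
    print(rp_uri(SAMPLE_REQUEST), idp_uri(SAMPLE_REQUEST))
    print(resolve_saml_names(SAMPLE_REQUEST, SAMPLE_METADATA))
```

Two practical points the mapping itself does not settle. The RP-side attributes are asserted by the NAS, so a match in metadata is only as trustworthy as the RADIUS hop-by-hop protection (shared secret or RadSec) that delivered them, and the matching above is exact-string: any normalisation of realm case has to happen before the lookup.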


From nobody Mon Jul 20 06:30:09 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD85D1A882F for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 06:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.01
X-Spam-Level: 
X-Spam-Status: No, score=-1.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xeqiT1rZSkF2 for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 06:30:07 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31DC91A87AD for <abfab@ietf.org>; Mon, 20 Jul 2015 06:30:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id A6BE920755; Mon, 20 Jul 2015 09:29:46 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXxii34QLwGA; Mon, 20 Jul 2015 09:29:46 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-8970.meeting.ietf.org [31.133.137.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 20 Jul 2015 09:29:46 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 2EF9088672; Mon, 20 Jul 2015 09:30:04 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alejandro =?utf-8?B?UMOpcmV6IE3DqW5kZXo=?= <alex@um.es>
References: <55ACB4BD.9060102@mnt.se> <55ACE95C.1060506@um.es>
Date: Mon, 20 Jul 2015 09:30:04 -0400
In-Reply-To: <55ACE95C.1060506@um.es> ("Alejandro =?utf-8?Q?P=C3=A9rez_M?= =?utf-8?Q?=C3=A9ndez=22's?= message of "Mon, 20 Jul 2015 14:28:12 +0200")
Message-ID: <tslzj2r2bz7.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/KiW3wfxP5PvhlRd2TFQDWz1iabM>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] slides for the meetings later today
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 13:30:07 -0000

In general, I like this approach.  However, I'm a bit concerned because
to get this approach standardized in the IETF, we'll need to register a
radius URI scheme, which will probably involve a lot more discussion
than we'd like.

Let's discuss in the session whether we can avoid that URI registration.
Everything else looks good about this though.


From nobody Mon Jul 20 07:04:40 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EE5A1A88EC for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 07:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.061
X-Spam-Level: 
X-Spam-Status: No, score=-1.061 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LdddaVSl9Pet for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 07:04:36 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B8CD1A88E9 for <abfab@ietf.org>; Mon, 20 Jul 2015 07:04:35 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6KE4XrU005621 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Mon, 20 Jul 2015 16:04:33 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6KE4UVs016547 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Mon, 20 Jul 2015 16:04:32 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437401072; bh=ORWPHQgFRTl0IAOxT5KnM/jg9gQCtPk3rh6eZNmPRmA=; h=Date:From:To:Subject:References:In-Reply-To; b=0tLJiZRWQbh9yEEhpQXQC4p+bWSc+ZRrdYXomKXCiHExVsaaJSAE072JIlB+nEsmH lBzlGQpYyn8AlOXHIFeSF3KfHdHZn+0LV+ey5NXsdO1f7WnoeALrp7LzBjB97YoMbO 7wu8/jDNAPH4VG2c5hlEkRATr+zexUpQPbZPIvZk=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.155.173] ([31.133.155.173]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Mon, 20 Jul 2015 16:04:30 +0200
Message-ID: <55ACFFED.2010708@sunet.se>
Date: Mon, 20 Jul 2015 16:04:29 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <55ACB4BD.9060102@mnt.se> <55ACE95C.1060506@um.es> <tslzj2r2bz7.fsf@mit.edu>
In-Reply-To: <tslzj2r2bz7.fsf@mit.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OSC4xEg - 9512a6ff609f - 20150720
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/D37Z-MAk3xE2Xit4GWEpNWita0I>
Subject: Re: [abfab] slides for the meetings later today
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 14:04:38 -0000

On 2015-07-20 15:30, Sam Hartman wrote:
> In general, I like this approach.  However, I'm a bit concerned because
> to get this approach standardized in the IETF, we'll need to register a
> radius URI scheme, which will probably involve a lot more discussion
> than we'd like.
> 
> Let's discuss in the session whether we can avoid that URI registration.
> Everything else looks good about this though.

Agree.



From nobody Mon Jul 20 07:12:20 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 558C61A8902 for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 07:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.311
X-Spam-Level: 
X-Spam-Status: No, score=-3.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N55hVGNatqk3 for <abfab@ietfa.amsl.com>; Mon, 20 Jul 2015 07:12:17 -0700 (PDT)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id 2312A1A88A1 for <abfab@ietf.org>; Mon, 20 Jul 2015 07:12:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id 7897CF4 for <abfab@ietf.org>; Mon, 20 Jul 2015 16:12:13 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 8hGl5gAbsoIG for <abfab@ietf.org>; Mon, 20 Jul 2015 16:12:13 +0200 (CEST)
Received: from [192.168.20.112] (186.160.broadband14.iol.cz [90.181.160.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon22.um.es (Postfix) with ESMTPSA id 382F576 for <abfab@ietf.org>; Mon, 20 Jul 2015 16:12:12 +0200 (CEST)
To: abfab@ietf.org
References: <55ACB4BD.9060102@mnt.se> <55ACE95C.1060506@um.es> <tslzj2r2bz7.fsf@mit.edu> <55ACFFED.2010708@sunet.se>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <55AD01B0.104@um.es>
Date: Mon, 20 Jul 2015 16:12:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <55ACFFED.2010708@sunet.se>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/fmCSC-Q6Xt5VzWNFxmxqtMzO8_A>
Subject: Re: [abfab] slides for the meetings later today
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 14:12:19 -0000

> On 2015-07-20 15:30, Sam Hartman wrote:
>> In general, I like this approach.  However, I'm a bit concerned because
>> to get this approach standardized in the IETF, we'll need to register a
>> radius URI scheme, which will probably involve a lot more discussion
>> than we'd like.
>>
>> Let's discuss in the session whether we can avoid that URI registration.
>> Everything else looks good about this though.
> Agree.

That'd be fine with me. The URI scheme I used is just an example of what I
wanted to achieve.
Maybe by using a different and known prefix (such as
urn:ietf:params:abfab:endpoints:) we could avoid it.




From nobody Tue Jul 21 04:06:14 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7151A00A8 for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 04:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3F-pRpU9yVM for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 04:06:11 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85C491A009F for <abfab@ietf.org>; Tue, 21 Jul 2015 04:06:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id EC77C2074F for <abfab@ietf.org>; Tue, 21 Jul 2015 07:05:47 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4D8zOksXbOin for <abfab@ietf.org>; Tue, 21 Jul 2015 07:05:47 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-9886.meeting.ietf.org [31.133.152.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS for <abfab@ietf.org>; Tue, 21 Jul 2015 07:05:47 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 21CD482120; Tue, 21 Jul 2015 07:06:08 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Tue, 21 Jul 2015 07:06:08 -0400
Message-ID: <tslbnf522jj.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/ewpI1KqDWfNhxsu7Myj34vXTZGw>
Subject: [abfab] draft-ietf-abfab-usability-considerations review
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 11:06:13 -0000

Section 3 and 6.
Trust anchor is described as either being the trust anchor for a service
or identity provider.
In section 6 the document talks about trust anchors for servers.
In the scope of this document we only care about trust anchors for the
identity provider.
I recommend narrowing the definition in section 3 and using more
specific terminology in section 6.

Section 6.1
The biggest reason we don't want to store multiple identities with the
same NAI is that by passing in a NAI to gss_acquire_creds the
application can force the choice of a given NAI.

Section 8:

Section 8 implies that the identity selector will be in a position to
decide what errors to present to the user.
I don't think that's very likely to be true.
The GSS application is likely to decide what errors to present to the
user.

The identity selector is in a position to decide what if any automated
actions to take based on the error.


Section 8/9 should discuss the success but useless case.
That is, I am successfully authenticated and an app layer connection is
accepted, but I don't have the permissions I need.
Think about the case where I was hoping to be a moonshot management
portal admin, but end up being a random user.  I was hoping to create an
organisation but all I can do is create communities.
I'm not sure if it is an error or a success.

I think section 8 and 9 could also do a better job of clarifying what it
means for errors to be reported at different layers.  For example in
SASL, authorization failures will probably not come back as a GSS error,
but instead either as a dropped connection or as an app-level error.

--Sam


From nobody Tue Jul 21 09:38:08 2015
Return-Path: <mark@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6934C1B2FCE for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 09:38:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcx5tMFMUwOq for <abfab@ietfa.amsl.com>; Tue, 21 Jul 2015 09:38:05 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE041B2F9B for <abfab@ietf.org>; Tue, 21 Jul 2015 09:38:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 4D9F420758 for <abfab@ietf.org>; Tue, 21 Jul 2015 12:37:41 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTCHzzoCrFbW for <abfab@ietf.org>; Tue, 21 Jul 2015 12:37:40 -0400 (EDT)
Received: from [31.133.137.132] (dhcp-8984.meeting.ietf.org [31.133.137.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: mark@mail.suchdamage.org) by mail.painless-security.com (Postfix) with ESMTPSA for <abfab@ietf.org>; Tue, 21 Jul 2015 12:37:40 -0400 (EDT)
To: abfab@ietf.org
From: Mark Donnelly <mark@painless-security.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <55AE7563.8080505@painless-security.com>
Date: Tue, 21 Jul 2015 18:37:55 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/l85ynlZMDaS0afI7f4lFICy4IvE>
Subject: [abfab] Comments on draft-ietf-abfab-usability-ui-considerations-02
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 16:38:07 -0000

Hey all:

My comments on draft-ietf-abfab-usability-ui-considerations-02 follow below.

Cheers,
--Mark


Section 3:
  * The paragraph on identity says:
      ----------------------------------------------------------------
      Note that in
      other contexts the usual use of "identity" would match our use of
      "user", whereas the usual use of "identifier" matches our use of
      identity
      ----------------------------------------------------------------
    If other contexts use the terms differently than this document, why
    not match those contexts?  Wouldn't that be less confusing?
  * Trust Anchor
    + This isn't a complete sentence:
      ----------------------------------------------------------------
      Typically a commercial CA to allow authentication via chain of
      trust, or a preconfigured non-commercial certificate (e.g.
      self-signed).
      ----------------------------------------------------------------
    + Does the identity selector deal with trust anchors for services
      at all?  If so, then this should be addressed in section 6.1,
      where no mention is made of storing the service's trust
      identity.

Section 4:
  * Another downside of using the OS credentials for identity is that it
    precludes the idea of authenticating oneself to the OS using ABFAB.

Section 5.1:
  * The second paragraph reads:
    --------------------------------------------------------------------
      Implementers may wish to keep such abstract
      concepts, or may wish to examine attempts to map to real world
      paradigms, e.g. the idea of using "Identity Cards" that are held
      in the user's "Wallet", as used by Microsoft Cardspace.
    --------------------------------------------------------------------
    The first half of that sentence seems to be missing a word, such
    as, "... keep such abstract concepts *hidden*..."

Section 5.3: Why does this section belong under section 5?

Section 6.1:
  * The explanation of why the identity selector MUST NOT store
    different identities that use the same NAI doesn't make a lot of
    sense to me.  I agree that duplicating the data would be bad in a
    data-normalization sense, but I don't see why you're saying that it
    would be dysfunctional as an IETF consideration.
  * "Credential" is defined here, but probably deserves an entry in
    section 3's terminology list.
  * Further, I think that saying, "the identity selector SHOULD store
    the credential" isn't descriptive of what we want to happen.  A
    better phrasing would be that, "the identity selector SHOULD allow
    a user to store the credential.  However, it MUST NOT store the
    credentials without confirmation from the user."
  * The trust identity that the selector stores is that of the Identity
    Provider, right?  This isn't at all clear from this definition.

Section 6.2:
  * Why is secure storage a SHOULD instead of a MUST?  I'd be happy to
    declare that selectors with world-readable storage are not
    following this standard.
  * Also, you might want to mention the Windows Credentials Manager.

Section 6.3:
  * Maybe call the process of putting a new ID in the selector
    "assertion"?  (feel free to ignore this one if you don't like it)

Section 6.3.2:
  * Why force users to enter an NAI into a website before downloading a
    trust anchor?  Why not give an option of downloading a trust anchor
    without any user information, and having the identity selector
    prompt the user for all missing bits of required information at
    import time?  This would prevent people who are eavesdropping on
    the website from learning user identities.

Section 6.4.1:
  * The document should list restrictions on modification of trust
    anchors.  For instance, manual modification of a trust anchor
    probably doesn't make any sense.  Semi-automated (re-do a leap of
    faith or something of the sort) modification of it might make
    sense, but needs to warn the user that their basis for trusting the
    system is changing.  Enterprise change pushes probably don't need
    any notifications.

Section 6.5:
  * Wouldn't it be possible for the desktop to attempt a validation of
    the password?  For instance, could there be a standard service -
    say, "identitymanager" - put in place for every client
    installation.  Then a user could attempt to authenticate to it, and
    determine if the password is incorrect.  Heck, maybe that service
    could be the process that writes the credential to the permanent
    store.

Section 7.1.1, point 1: Doesn't this point contradict section 7.1?

Section 7.1.2:
  * The implication here is that rules-based association exists solely
    for enterprise-provisioned identities.  Why would that be
    restricted?
  * Also, this is missing a period at the end of the sentence.

Section 7.2:
  * What kind of authentication failure causes my local client to
    dissociate?

Section 7.5:
  * The identity selector could:
    + Display OS notifications (Windows system tray, Mac growler, Gnome
      notifications) when an identity is used - especially when the
      identity is used without any user prompt.
    + Keep a history of identity / service usage to display in the
      identity selector application windows
  * Could a list of open identity / service mappings be maintained?
    Could it be added to during GSS_INIT_SEC_CONTEXT,
    GSS_ACCEPT_SEC_CONTEXT, or GSS_IMPORT_SEC_CONTEXT, and removed
    whenever the context goes away, either at expiration or as part of
    GSS_DELETE_SEC_CONTEXT or GSS_EXPORT_SEC_CONTEXT?  This would at
    least provide a user with a short list.

Conceptual:
* The trust anchors belong to the IDP realms, right?  Wouldn't it make
  sense to have two identities within the same realm share a trust
  anchor?  The document details service to identity mappings, but
  identity to trust anchor mappings might merit attention too.
* One of the problems with error handling is that applications have the
  responsibility to handle errors, but not all of them do this well.
  Would it make sense to hook into GSS_INIT_SEC_CONTEXT and the like,
  and record any errors, so that the identity selector can maintain a
  list of recently encountered errors?  This could be correlated with
  the services and identities to show the error log for this service or
  this service/identity combination.
  - This does get outside of the idea of an "identity selector",
    however.


From nobody Wed Jul 22 02:33:48 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CC1C1AC3E8 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 02:33:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GSozMcBWRjhe for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 02:33:46 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36CB31AC3E9 for <abfab@ietf.org>; Wed, 22 Jul 2015 02:33:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 5C8612075A; Wed, 22 Jul 2015 05:33:21 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PkMqT8xjNu4c; Wed, 22 Jul 2015 05:33:20 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 05:33:20 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 81C0982120; Wed, 22 Jul 2015 05:33:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Mark Donnelly <mark@painless-security.com>
References: <55AE7563.8080505@painless-security.com>
Date: Wed, 22 Jul 2015 05:33:43 -0400
In-Reply-To: <55AE7563.8080505@painless-security.com> (Mark Donnelly's message of "Tue, 21 Jul 2015 18:37:55 +0200")
Message-ID: <tsl1tg0zgco.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/gtJ32rxzWJbRVMJD9vi9hbitWV4>
Cc: abfab@ietf.org
Subject: Re: [abfab] Comments on draft-ietf-abfab-usability-ui-considerations-02
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 09:33:48 -0000

>>>>> "Mark" == Mark Donnelly <mark@painless-security.com> writes:
    Mark> Conceptual: * The trust anchors belong to the IDP realms,
    Mark> right?  Wouldn't it make sense to have two identities within
    Mark> the same realm share a trust anchor?  The document details
    Mark> service to identity mappings, but identity to trust anchor
    Mark> mappings might merit attention too.  * 

This is a *really* good idea.

    Mark> One of the problems
    Mark> with error handling is that applications have the
    Mark> responsibility to handle errors, but not all of them do this
    Mark> well.  Would it make sense to hook into GSS_INIT_SEC_CONTEXT
    Mark> and the like, and record any errors, so that the identity
    Mark> selector can maintain a list of recently encountered errors?
    Mark> This could be correlated with the services and identities to
    Mark> show the error log for this service or this service/identity
    Mark> combination.  - This does get outside of the idea of an
    Mark> "identity selector", however.

I agree that more discussion of this would be valuable.
It only catches some of the errors.
In particular, it doesn't handle the unintended success case I discussed
in my comments.
I don't know how much more energy we have for this document.
One of the things we discussed when we first started this effort was
whether we wanted to document desired enhancements to GSS.
Tracking errors at the init_sec_context level plus some routine for
applications to signal that there had been an app-level authorization
problem would probably give better error handling experiences.
[on to specific comments]

    Mark> Note that in other contexts the usual use of "identity" would
    Mark> match our use of "user", whereas the usual use of "identifier"
    Mark> matches our use of identity
    Mark> ----------------------------------------------------------------
    Mark> If other contexts use the terms differently than this
    Mark> document, why not match those contexts?  Wouldn't that be less
    Mark> confusing?  * Trust Anchor + This isn't a complete sentence:
    Mark> ----------------------------------------------------------------


I think that at least for identity vs identifier the other contexts are
almost entirely outside of the IETF.  It's complicated now because a
bunch of those folks have started hanging around OAUTH/JOSE/CBOR.
However, I think the general point you're making applies and should be
considered.

    Mark> Section 6.3.2: * Why force users to enter an NAI into a
    Mark> website before downloading a trust anchor?  Why not give an
    Mark> option of downloading a trust anchor without any user
    Mark> information, and having the identity selector prompt the user
    Mark> for all missing bits of required information at import time?
    Mark> This would prevent people who are eavesdropping on the website
    Mark> from learning user identities.

Presumably such a website would be https.
However, I think this is one of many cases where Rhys described what our
identity selector does, and I think you've done a good job of
identifying places where the document could be more general.
I definitely appreciate that work.

    Mark> Section 6.4.1: * The document should list restrictions on
    Mark> modification of trust anchors.  For instance, manual
    Mark> modification of a trust anchor probably doesn't make any
    Mark> sense.  Semi-automated (re-do a leap of faith or something of
    Mark> the sort) modification of it might make sense, but needs to
    Mark> warn the user that their basis for trusting the system is
    Mark> changing.  Enterprise change pushes probably don't need any
    Mark> notifications.

It's sad that the IETF has not come up with general advice on updating
leap-of-faith trust anchors yet as the problem pops up in several
protocols.
To my knowledge though we have no such general advice so I agree with
Mark that we should think about it here.

    Mark> Section 6.5: * Wouldn't it be possible for the desktop to
    Mark> attempt a validation of the password?  For instance, could
    Mark> there be a standard service - say, "identitymanager" - put in
    Mark> place for every client installation.  Then a user could
    Mark> attempt to authenticate to it, and determine if the password
    Mark> is incorrect.  Heck, maybe that service could be the process
    Mark> that writes the credential to the permanent store.

Generally, the desktop does not have server credentials.
It would be possible for each IDP realm to run such a service.
I think calling that out as an area for future expansion would be good.

    Mark> Section 7.2: * What kind of authentication failure causes my
    Mark> local client to dissociate?

Today none.
Perhaps a RADIUS routing error to your IDP realm should?

In section 7.5:

    Mark> * Could a list of open identity / service
    Mark> mappings be maintained?  Could it be added to during
    Mark> GSS_INIT_SEC_CONTEXT, GSS_ACCEPT_SEC_CONTEXT, or
    Mark> GSS_IMPORT_SEC_CONTEXT, and removed whenever the context goes
    Mark> away, either at expiration or as part of
    Mark> GSS_DELETE_SEC_CONTEXT or GSS_EXPORT_SEC_CONTEXT?  This would
    Mark> at least provide a user with a short list.

I don't understand this.
Are you saying that the selector could keep track of all the currently
open contexts?
One thing to consider is that there are a number of applications that
delete their context immediately after successful authentication.
But we definitely could keep a list of recently used identity/service
mappings.

I really wish we could get a UI consultant to explore this sort of
thing.
The ideas you proposed definitely belong in the spec.
We've proposed similar concepts internally to UI consultants and never
gotten useful feedback about which of them would actually be usable by
our users.
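Added example (not from this thread, nor from any ABFAB identity selector): the bookkeeping a selector would keep if it hooked the GSS-API context calls as Mark's section 7.5 and "Conceptual" comments suggest, with Sam's two caveats folded in: applications that delete their context right after authenticating still show up in a recently-used list, and an app-level authorization failure after a successful authentication can be signalled by a separate routine. All method names, the injectable clock, and the NAIs and service names are hypothetical, constructed for the example.

```python
"""Identity-selector bookkeeping for open GSS contexts, recently used
identity/service mappings, and a per-service error log (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (service, identity) pair


@dataclass
class ErrorRecord:
    when: float
    identity: str   # NAI, e.g. "alice@example.edu" (constructed value)
    service: str    # GSS target name, e.g. "host@portal.example.edu"
    layer: str      # "gss" (context establishment failed) or "application"
    detail: str


@dataclass
class OpenContext:
    identity: str
    service: str
    expires_at: float


class SelectorRegistry:
    """Hypothetical hooks: context_established() is called from the
    GSS_Init_sec_context / GSS_Accept_sec_context / GSS_Import_sec_context
    paths, context_released() from GSS_Delete_sec_context /
    GSS_Export_sec_context, record_gss_error() on a failed init, and
    record_authz_problem() by an application that authenticated fine but
    was then refused at its own layer (the "success but useless" case)."""

    def __init__(self, history_size: int = 20) -> None:
        self.now = 0.0  # injectable clock so the example is deterministic
        self._open: Dict[int, OpenContext] = {}
        # Newest first; kept even after the context is deleted, so that apps
        # which drop their context immediately after auth are still listed.
        self._recent: Deque[Key] = deque(maxlen=history_size)
        self._errors: Dict[Key, List[ErrorRecord]] = {}

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def context_established(self, handle: int, identity: str,
                            service: str, lifetime: float) -> None:
        self._open[handle] = OpenContext(identity, service, self.now + lifetime)
        key = (service, identity)
        if key in self._recent:
            self._recent.remove(key)   # move to the front rather than duplicate
        self._recent.appendleft(key)

    def context_released(self, handle: int) -> None:
        # Delete or export both end the selector's view of the context.
        self._open.pop(handle, None)

    def record_gss_error(self, identity: str, service: str,
                         major_status: str, detail: str) -> None:
        self._log(identity, service, "gss", f"{major_status}: {detail}")

    def record_authz_problem(self, identity: str, service: str,
                             detail: str) -> None:
        self._log(identity, service, "application", detail)

    def _log(self, identity: str, service: str, layer: str, detail: str) -> None:
        rec = ErrorRecord(self.now, identity, service, layer, detail)
        self._errors.setdefault((service, identity), []).append(rec)

    def _expire(self) -> None:
        stale = [h for h, c in self._open.items() if c.expires_at <= self.now]
        for h in stale:
            del self._open[h]

    def open_mappings(self) -> List[Key]:
        """Currently open (service, identity) pairs, expired ones dropped."""
        self._expire()
        return sorted({(c.service, c.identity) for c in self._open.values()})

    def recent_mappings(self) -> List[Key]:
        """Recently used pairs, newest first, regardless of context state."""
        return list(self._recent)

    def errors_for(self, service: str,
                   identity: Optional[str] = None) -> List[ErrorRecord]:
        """Error log for one service, or for one service/identity pair."""
        if identity is not None:
            return list(self._errors.get((service, identity), []))
        hits = [e for k, recs in self._errors.items() if k[0] == service
                for e in recs]
        return sorted(hits, key=lambda e: e.when)
```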


From nobody Wed Jul 22 02:56:24 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FCB51AC43B for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 02:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbAADTV8i0sn for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 02:56:22 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E0B31AC43A for <abfab@ietf.org>; Wed, 22 Jul 2015 02:56:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 0EB0420759; Wed, 22 Jul 2015 05:55:56 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cjftQ7Z8HvDU; Wed, 22 Jul 2015 05:55:55 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 05:55:55 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 83B0782120; Wed, 22 Jul 2015 05:56:18 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org, josh.howlett@jisc.ac.uk
Date: Wed, 22 Jul 2015 05:56:18 -0400
Message-ID: <tslwpxsy0ql.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/Z8IpNuwl7KSXGQ1fU3ErV7zATHM>
Subject: [abfab] Direction Forward for aaa-saml

Leif, I wanted to write up my understanding of our proposed direction
forward, just in case things take longer than we anticipate to
implement.

During the meeting Monday we discussed Alejandro's proposal.

He proposes adding two new role descriptor subtypes: Radiusidpdescriptor
and Radiusrpdescriptor.
That seems great.

He proposes adding a RadiusIdpService and RadiusRpService of
EndpointType as well.

In the meeting we discussed that we really aren't specifying an
endpoint.  In particular, the location of the service is implicit in this
RADIUS binding.  It's possible we might describe something in the future
where we included radsec endpoints and keys in metadata, but that's not
what we need now.

However, we also discovered that a role descriptor doesn't actually need
any EndpointType subclasses.  So, instead, Alejandro will create a
different extension to RoleDescriptor to include the naming information
we need.

This will allow us to avoid registering an unresolvable URI to describe
the security name of a RADIUS entity.

Have I accurately summarized what we discussed?
If so, I'd like to solicit any comments from the list.

--Sam


From nobody Wed Jul 22 03:09:51 2015
From: Leif Johansson <leifj@mnt.se>
In-Reply-To: <tslwpxsy0ql.fsf@mit.edu>
Date: Wed, 22 Jul 2015 12:09:44 +0200
Message-Id: <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/ebBr-sgkG-k9CQljqi474aFkGX8>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

> On 22 Jul 2015 at 11:56, Sam Hartman <hartmans@painless-security.com> wrote:
> 
> Leif, I wanted to write up my understanding of our proposed direction
> forward, just in case things take longer than we anticipate to
> implement.
> 
> During the meeting Monday we discussed Alejandro's proposal.
> 
> He proposes adding two new role descriptor subtypes: Radiusidpdescriptor
> and Radiusrpdescriptor.
> That seems great.
> 
> He proposes adding a RadiusIdpService and RadiusRpService of
> EndpointType as well.
> 
> In the meeting we discussed that we really aren't specifying an
> endpoint.  In particular, the location of the service is implicit in this
> RADIUS binding.  It's possible we might describe something in the future
> where we included radsec endpoints and keys in metadata, but that's not
> what we need now.

Agree, but it may be cheap/easy to include that upfront.

Not critical, though.

> 
> However, we also discovered that a role descriptor doesn't actually need
> any EndpointType subclasses.  So, instead, Alejandro will create a
> different extension to RoleDescriptor to include the naming information
> we need.
> 
> This will allow us to avoid registering an unresolvable URI to describe
> the security name of a RADIUS entity.
> 
> Have I accurately summarized what we discussed?
> If so, I'd like to solicit any comments from the list.
> 

Matches my recollection.

> --Sam
> 


From nobody Wed Jul 22 03:14:54 2015
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se>
Date: Wed, 22 Jul 2015 06:14:48 -0400
In-Reply-To: <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> (Leif Johansson's message of "Wed, 22 Jul 2015 12:09:44 +0200")
Message-ID: <tsloaj4xzvr.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/2hPd8BLO89X0rGFFZnLBPwnaT_U>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:

    >> On 22 Jul 2015 at 11:56, Sam Hartman
    >> <hartmans@painless-security.com> wrote:
    >> 
    >> In the meeting we discussed that we really aren't specifying an
    >> endpoint.  In particular, the location of the service is implicit
    >> in this RADIUS binding.  It's possible we might describe
    >> something in the future where we included radsec endpoints and
    >> keys in metadata, but that's not what we need now.

    Leif> Agree, but it may be cheap/easy to include that upfront.

Doing the metadata specification would be cheap/easy.
Describing semantics would, I suspect, be more difficult.
We'd have to treat RADIUS as much less of a black box than we've done so
far.


From nobody Wed Jul 22 05:45:49 2015
From: Leif Johansson <leifj@mnt.se>
In-Reply-To: <tsloaj4xzvr.fsf@mit.edu>
Date: Wed, 22 Jul 2015 14:44:53 +0200
Message-Id: <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/onrarxhZCaLGKsf1KfyMzWHXYTc>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

On 22 Jul 2015 at 12:14, Sam Hartman <hartmans@painless-security.com> wrote:

>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
> 
>>> On 22 Jul 2015 at 11:56, Sam Hartman
>>> <hartmans@painless-security.com> wrote:
>>> 
>>> In the meeting we discussed that we really aren't specifying an
>>> endpoint.  In particular, the location of the service is implicit
>>> in this RADIUS binding.  It's possible we might describe
>>> something in the future where we included radsec endpoints and
>>> keys in metadata, but that's not what we need now.
> 
>    Leif> Agree, but it may be cheap/easy to include that upfront.
> 
> Doing the metadata specification would be cheap/easy.
> Describing semantics would I suspect be more difficult.

Maybe... but let's think about it/try.

> We'd have to treat RADIUS as much less of a black box than we've done so
> far.


From nobody Wed Jul 22 06:08:14 2015
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se>
Date: Wed, 22 Jul 2015 09:07:49 -0400
In-Reply-To: <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> (Leif Johansson's message of "Wed, 22 Jul 2015 14:44:53 +0200")
Message-ID: <tsl7fpsxrve.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/U9MNBHBQopVW-_cm9CVBLlkZXhM>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:

    Leif> On 22 Jul 2015 at 12:14, Sam Hartman
    Leif> <hartmans@painless-security.com> wrote:

    >>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
    >> 
    >>>> On 22 Jul 2015 at 11:56, Sam Hartman
    >>>> <hartmans@painless-security.com> wrote:
    >>>> 
    >>>> In the meeting we discussed that we really aren't specifying an
    >>>> endpoint.  In particular, the location of the service is
    >>>> implicit in this RADIUS binding.  It's possible we might
    >>>> describe something in the future where we included radsec
    >>>> endpoints and keys in metadata, but that's not what we need
    >>>> now.
    >> 
    Leif> Agree, but it may be cheap/easy to include that upfront.
    >> 
    >> Doing the metadata specification would be cheap/easy.  Describing
    >> semantics would I suspect be more difficult.

    Leif> Maybe... but let's think about it/try.

I'm happy to review suggested text.

I think you'd need to:

1) Explain how I figure out which entity I'm using for my RADIUS server

2) Explain how I validate the RADIUS server I'm talking to

3) Explain how the RADIUS server I'm talking to validates me.

Consider this especially in a case where you're retrieving metadata
dynamically rather than just having all the metadata in the world.

--Sam
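As an added example (not code from the thread or from Alejandro's draft), the following shows one way the role descriptor subtypes named above could carry the naming information and a pinned key, and how Sam's three checks map onto that metadata. The extension namespace `RADIUS_EXT`, the `<SecurityName>` element, the sample feed and the "certificate" bytes are constructed placeholders, not anything the working group specified.

```python
# Added example (not code from the thread or from Alejandro's draft): parse
# RADIUS role descriptors from SAML metadata and apply the three checks Sam
# lists. RadiusIdpDescriptor and RadiusRpDescriptor are the subtype names from
# the thread; RADIUS_EXT and <SecurityName> are hypothetical placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
RADIUS_EXT = "urn:example:abfab:radius-metadata"  # placeholder, not a registered URI
NS = {"md": MD, "ds": DS, "rad": RADIUS_EXT}
RADIUS_SUBTYPES = ("RadiusIdpDescriptor", "RadiusRpDescriptor")

# Constructed placeholder "certificates": opaque bytes standing in for X.509 DER.
IDP_CERT_DER = b"constructed-idp-certificate-bytes"
RP_CERT_DER = b"constructed-rp-certificate-bytes"


def _entity(entity_id: str, subtype: str, name: str, cert_der: bytes) -> str:
    """Render one EntityDescriptor whose RoleDescriptor is typed via xsi:type."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""
  <md:EntityDescriptor entityID="{entity_id}">
    <md:RoleDescriptor xsi:type="rad:{subtype}" protocolSupportEnumeration="{RADIUS_EXT}">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <rad:SecurityName>{name}</rad:SecurityName>
    </md:RoleDescriptor>
  </md:EntityDescriptor>"""


# Constructed sample feed: one RADIUS IdP and one RADIUS RP, not a real federation.
SAMPLE_METADATA = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
    f'xmlns:xsi="{XSI}" xmlns:rad="{RADIUS_EXT}">'
    + _entity("https://idp.example.org/radius", "RadiusIdpDescriptor",
              "idp.example.org", IDP_CERT_DER)
    + _entity("https://rp.example.net/radius", "RadiusRpDescriptor",
              "rp.example.net", RP_CERT_DER)
    + "\n</md:EntitiesDescriptor>"
)


@dataclass
class RadiusRole:
    entity_id: str
    subtype: str        # one of RADIUS_SUBTYPES
    security_name: str  # naming information from the extension; a plain name, not a URI
    fingerprints: set = field(default_factory=set)  # sha256 hex over each pinned cert


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def parse_radius_roles(xml_text: str) -> list:
    """Collect every RoleDescriptor whose xsi:type is one of the RADIUS subtypes.
    Only the local part of xsi:type is matched here; a production parser must
    also resolve the prefix to RADIUS_EXT."""
    roles = []
    root = ET.fromstring(xml_text)
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        for rd in ent.findall("md:RoleDescriptor", NS):
            local = rd.get(f"{{{XSI}}}type", "").rpartition(":")[2]
            if local not in RADIUS_SUBTYPES:
                continue
            name_el = rd.find("rad:SecurityName", NS)
            if name_el is None or not (name_el.text or "").strip():
                continue  # no naming information: the role cannot be matched to a peer
            fps = set()
            path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
            for cert in rd.findall(path, NS):
                fps.add(fingerprint(base64.b64decode((cert.text or "").strip())))
            roles.append(RadiusRole(ent.get("entityID"), local, name_el.text.strip(), fps))
    return roles


def find_entity(roles: list, security_name: str, subtype: str):
    """Check 1: which metadata entity is the peer using this RADIUS security name?
    Exactly one role may match; an ambiguous name is treated as unknown."""
    matches = [r for r in roles if r.subtype == subtype and r.security_name == security_name]
    return matches[0] if len(matches) == 1 else None


def validate_peer(roles: list, security_name: str, subtype: str, presented_cert_der: bytes) -> bool:
    """Checks 2 and 3: the certificate the peer presents (e.g. on a RadSec connection)
    must be pinned under the role that carries its security name. The RP calls this
    with RadiusIdpDescriptor to validate the IdP's server; the IdP calls it with
    RadiusRpDescriptor to validate the RP."""
    role = find_entity(roles, security_name, subtype)
    return role is not None and fingerprint(presented_cert_der) in role.fingerprints
```

With dynamically retrieved metadata the same checks apply, but only after the retrieved document's signature has been verified; a name found in unverified metadata pins nothing.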


From nobody Wed Jul 22 06:42:55 2015
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <55AF9DD1.6060002@um.es>
Date: Wed, 22 Jul 2015 15:42:41 +0200
In-Reply-To: <tslwpxsy0ql.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/lQgh2S_W3lckj3COxvIVLVMl76U>
Subject: Re: [abfab] Direction Forward for aaa-saml

Hi Sam,

that's exactly what I extracted from the discussion in the session, thanks.

Regards,
Alejandro

On 22/07/15 at 11:56, Sam Hartman wrote:
> Leif, I wanted to write up my understanding of our proposed direction
> forward, just in case things take longer than we anticipate to
> implement.
>
> During the meeting Monday we discussed Alejandro's proposal.
>
> He proposes adding two new role descriptor subtypes: Radiusidpdescriptor
> and Radiusrpdescriptor.
> That seems great.
>
> He proposes adding a RadiusIdpService and RadiusRpService of
> EndpointType as well.
>
> In the meeting we discussed that we really aren't specifying an
> endpoint.  In particular, the location of the service is implicit in this
> RADIUS binding.  It's possible we might describe something in the future
> where we included radsec endpoints and keys in metadata, but that's not
> what we need now.
>
> However, we also discovered that a role descriptor doesn't actually need
> any EndpointType subclasses.  So, instead, Alejandro will create a
> different extension to RoleDescriptor to include the naming information
> we need.
>
> This will allow us to avoid registering an unresolvable URI to describe
> the security name of a RADIUS entity.
>
> Have I accurately summarized what we discussed?
> If so, I'd like to solicit any comments from the list.
>
> --Sam
>


From nobody Wed Jul 22 07:25:14 2015
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, Leif Johansson <leifj@mnt.se>
Date: Wed, 22 Jul 2015 14:25:03 +0000
Message-ID: <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu>
In-Reply-To: <tsl7fpsxrve.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/sjXvTWzyIm0HUezdDVNj0R11f88>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

From nobody Wed Jul 22 07:42:03 2015
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu>
Date: Wed, 22 Jul 2015 10:41:46 -0400
In-Reply-To: <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> (Scott Cantor's message of "Wed, 22 Jul 2015 14:25:03 +0000")
Message-ID: <tslio9cw8yd.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/K1VVczSLlKRzDwU93rjMgPERU_U>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:

    Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
    Cantor,> <abfab-bounces@ietf.org on behalf of
    Cantor,> hartmans@painless-security.com>
    Cantor,> wrote:


    >> 
    >> I think you'd need to:
    >> 
    >> 1) Explain how I figure out which entity I'm using for my RADIUS
    >> server

    >> Consider this especially in a case where you're retrieving
    >> metadata dynamically rather than just having all the metadata in
    >> the world.

    Cantor,> That's orthogonal to any use of SAML metadata. How you get
    Cantor,> it (and verify it) is architecturally distinct from what it
    Cantor,> means and how it's used.

Not really.
If I'm starting with an NAI realm and would like to find the entity
description of an entity that is at that NAI realm, I can only do that
if my metadata access mechanism lets me search by that.

However I do agree that this problem is general to the case where you're
using SAML naming rather than AAA naming, not just to the case where
you're getting protocol endpoints from metadata.


From nobody Wed Jul 22 07:57:47 2015
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Date: Wed, 22 Jul 2015 14:57:37 +0000
Message-ID: <712A6A74-F5D5-4297-8E75-CA0ADDE6FE20@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu>
In-Reply-To: <tslio9cw8yd.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/2TKXSraKFDC-9Kh2FE7YBHtomeQ>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

From nobody Wed Jul 22 08:00:13 2015
From: Leif Johansson <leifj@mnt.se>
In-Reply-To: <tslio9cw8yd.fsf@mit.edu>
Date: Wed, 22 Jul 2015 17:00:00 +0200
Message-Id: <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/OnFe29PL3GP-9X-Bj3nHL7-0Dns>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

On 22 Jul 2015 at 16:41, Sam Hartman <hartmans@painless-security.com> wrote:

>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
> 
>    Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
>    Cantor,> <abfab-bounces@ietf.org on behalf of
>    Cantor,> hartmans@painless-security.com>
>    Cantor,> wrote:
> 
> 
>>> 
>>> I think you'd need to:
>>> 
>>> 1) Explain how I figure out which entity I'm using for my RADIUS
>>> server
> 
>>> Consider this especially in a case where you're retrieving
>>> metadata dynamically rather than just having all the metadata in
>>> the world.
> 
>    Cantor,> That's orthogonal to any use of SAML metadata. How you get
>    Cantor,> it (and verify it) is architecturally distinct from what it
>    Cantor,> means and how it's used.
> 
> Not really.
> If I'm starting with  an NAI realm and would like to find the entity
> description of an entity that is at that NAI realm, I can only do that
> if my metadata access mechanism lets me search by that.

so it's a requirement for the mdquery draft, not on metadata

> 
> However I do agree that this problem is general to the case where you're
> using SAML naming rather than AAA naming, not just to the case where
> you're getting protocol endpoints from metadata.
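
Sam's point above (a metadata source that can only be asked for an entityID cannot be searched starting from an NAI realm) and Leif's reply that this is therefore a requirement on the mdquery draft rather than on the metadata itself are easiest to see in code. The following is an added example written for this page; it is not code from the thread, from aaa-saml or from the MDQ specification. It assumes a made-up entity attribute, urn:example:nai-realm, carried in a standard mdattr:EntityAttributes extension, as the place where an entity publishes the realms it serves; the metadata aggregate is constructed and the MDQ base URL is hypothetical. The per-entity MDQ URL form (/entities/ followed by the percent-encoded entityID, or the {sha1} transform of it) is the protocol's own.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Standard SAML 2.0 metadata namespaces used by the parser below.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# ASSUMPTION: a made-up entity attribute carrying the NAI realm(s) an entity
# is authoritative for. The thread does not define how realms would be
# published in metadata; this attribute name exists only for this example.
REALM_ATTR = "urn:example:nai-realm"

# Constructed sample aggregate (not real federation metadata): two IdPs,
# the first of which serves two realms.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:example:nai-realm">
        <saml:AttributeValue>example.edu</saml:AttributeValue>
        <saml:AttributeValue>students.example.edu</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.edu/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example.org/saml">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:example:nai-realm">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://login.example.org/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def realm_of(nai: str) -> str:
    """Realm part of an NAI such as user@realm, lower-cased for matching.
    This example splits at the final '@'; a bare realm is returned as-is."""
    _, sep, realm = nai.rpartition("@")
    return (realm if sep else nai).lower()


def index_by_realm(metadata_xml: str) -> dict:
    """Build realm -> {entity_id, sso} from an aggregate. This is the
    'search by realm' capability a metadata source has to offer before a
    AAA server can start from an NAI realm and end at an entity."""
    root = ET.fromstring(metadata_xml)
    index = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        sso = [s.get("Location")
               for s in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") != REALM_ATTR:
                continue
            for val in attr.findall("saml:AttributeValue", NS):
                realm = (val.text or "").strip().lower()
                if not realm:
                    continue
                # Two entities claiming one realm is a registration error (or
                # an attempt to hijack the realm); refuse the whole aggregate.
                if realm in index and index[realm]["entity_id"] != entity_id:
                    raise ValueError(f"realm {realm!r} claimed by two entities")
                index[realm] = {"entity_id": entity_id, "sso": sso}
    return index


def mdq_entity_url(base_url: str, entity_id: str, hashed: bool = False) -> str:
    """Per-entity MDQ request URL. MDQ is keyed by the entityID (percent-encoded)
    or by the '{sha1}' transform, lower-case hex SHA-1 of the entityID; it has
    no realm key, which is why the realm index above has to come first."""
    ident = entity_id
    if hashed:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return f"{base_url.rstrip('/')}/entities/{quote(ident, safe='')}"


def resolve(index: dict, nai: str, mdq_base: str):
    """Full path from an NAI to something fetchable: realm -> entityID -> MDQ
    URL. Returns None when no entity has registered the realm."""
    rec = index.get(realm_of(nai))
    if rec is None:
        return None
    return rec["entity_id"], mdq_entity_url(mdq_base, rec["entity_id"])
```

The realm index has to exist before an MDQ request can even be formed: resolve() fails closed for a realm nobody has registered, and index_by_realm() refuses an aggregate in which two entities claim the same realm, since a AAA server that silently picked one of them would route that realm to whichever registrant it saw first.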


From nobody Wed Jul 22 08:12:52 2015
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se>
Date: Wed, 22 Jul 2015 11:12:39 -0400
In-Reply-To: <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> (Leif Johansson's message of "Wed, 22 Jul 2015 17:00:00 +0200")
Message-ID: <tslegk0w7iw.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/JZz-P0esKTMG2fOM3hiGMwQg7zo>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:

    Leif> On 22 Jul 2015 at 16:41, Sam Hartman
    Leif> <hartmans@painless-security.com> wrote:

    >>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
    >> 
    >> Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
    >> Cantor,> <abfab-bounces@ietf.org on behalf of
    >> Cantor,> hartmans@painless-security.com>
    >> Cantor,> wrote:
    >> 
    >> 
    >>>> 
    >>>> I think you'd need to:
    >>>> 
    >>>> 1) Explain how I figure out which entity I'm using for my
    >>>> RADIUS server
    >> 
    >>>> Consider this especially in a case where you're retrieving
    >>>> metadata dynamically rather than just having all the metadata
    >>>> in the world.
    >> 
    >> Cantor,> That's orthogonal to any use of SAML metadata. How you
    >> Cantor,> get it (and verify it) is architecturally distinct from
    >> Cantor,> what it means and how it's used.
    >> 
    >> Not really.  If I'm starting with an NAI realm and would like to
    >> find the entity description of an entity that is at that NAI
    >> realm, I can only do that if my metadata access mechanism lets me
    >> search by that.

    Leif> so it's a requirement for the mdquery draft, not on metadata

Nod.

I don't anticipate implementing using metadata to select a RADIUS
endpoint.
So I don't have a lot of interest in working on that.  I'm happy to
review a specific proposal someone comes up with, but I'd prefer it not
end up in aaa-saml and I'd strongly prefer it not block aaa-saml.

--Sam


From nobody Wed Jul 22 08:14:45 2015
From: Leif Johansson <leifj@mnt.se>
In-Reply-To: <tslegk0w7iw.fsf@mit.edu>
Date: Wed, 22 Jul 2015 17:14:39 +0200
Message-Id: <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/zw0V4BuFPIWYRNPd8mg1MBAbz9U>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

On 22 Jul 2015 at 17:12, Sam Hartman <hartmans@painless-security.com> wrote:

>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
>
>    Leif> On 22 Jul 2015 at 16:41, Sam Hartman
>    Leif> <hartmans@painless-security.com> wrote:
>
>>>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
>>>
>>> Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
>>> Cantor,> <abfab-bounces@ietf.org on behalf of
>>> Cantor,> hartmans@painless-security.com>
>>> Cantor,> wrote:
>>>
>>>
>>>>>
>>>>> I think you'd need to:
>>>>>
>>>>> 1) Explain how I figure out which entity I'm using for my
>>>>> RADIUS server
>>>
>>>>> Consider this especially in a case where you're retrieving
>>>>> metadata dynamically rather than just having all the metadata
>>>>> in the world.
>>>
>>> Cantor,> That's orthogonal to any use of SAML metadata. How you
>>> Cantor,> get it (and verify it) is architecturally distinct from
>>> Cantor,> what it means and how it's used.
>>>
>>> Not really.  If I'm starting with an NAI realm and would like to
>>> find the entity description of an entity that is at that NAI
>>> realm, I can only do that if my metadata access mechanism lets me
>>> search by that.
>
>    Leif> so it's a requirement for the mdquery draft, not on metadata
>
> Nod.
>
> I don't anticipate implementing using metadata to select a RADIUS
> endpoint.
> So I don't have a lot of interest in working on that.  I'm happy to
> review a specific proposal someone comes up with, but I'd prefer it not
> end up in aaa-saml and I'd strongly prefer it not block aaa-saml.
>
> --Sam

agree but i think endpoint could be useful for radsec and i suspect it will be reasonably simple to do


From nobody Wed Jul 22 09:12:27 2015
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <55AFC0E3.8030500@um.es>
Date: Wed, 22 Jul 2015 18:12:19 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/82g5qB2T01rFpIBKnWTRM8xrmtI>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:12:27 -0000

On 22/07/15 at 17:14, Leif Johansson wrote:
>
> On 22 Jul 2015 at 17:12, Sam Hartman <hartmans@painless-security.com> wrote:
>
>>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
>>     Leif> On 22 Jul 2015 at 16:41, Sam Hartman
>>     Leif> <hartmans@painless-security.com> wrote:
>>
>>>>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
>>>> Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
>>>> Cantor,> <abfab-bounces@ietf.org on behalf of Cantor,>
>>>> hartmans@painless-security.com>
>>>> Cantor,> wrote:
>>>>
>>>>
>>>>>> I think you'd need to:
>>>>>>
>>>>>> 1) Explain how I figure out which entity I'm using for my
>>>>>> RADIUS server
>>>>>> Consider this especially in a case where you're retrieving
>>>>>> metadata dynamically rather than just having all the metadata
>>>>>> in the world.
>>>> Cantor,> That's orthogonal to any use of SAML metadata. How you
>>>> get Cantor,> it (and verify it) is architecturally distinct from
>>>> what it Cantor,> means and how it's used.
>>>>
>>>> Not really.  If I'm starting with an NAI realm and would like to
>>>> find the entity description of an entity that is at that NAI
>>>> realm, I can only do that if my metadata access mechanism lets me
>>>> search by that.
>>     Leif> so it's a requirement for the mdquery draft, not on metadata
>>
>> Nod.
>>
>> I don't anticipate implementing using metadata  to select a RADIUS
>> endpoint.
>> So I don't have a lot of interest in working on that.  I'm happy to
>> review a specific proposal someone comes up with, but I'd prefer it not
>> end up in aaa-saml and I'd strongly prefer it not block aaa-saml.
>>
>> --Sam
> Agree, but I think endpoint could be useful for radsec and I suspect it will be reasonably simple to do.

I might be mistaken, but wasn't that what we wanted to avoid in the 
first place when we decided not to use the RADIUS URI scheme from my 
original proposal?
I guess having an endpoint for radsec will require defining what the 
"Location" values will look like, and they should be in a URI format as 
well.

Regards,
Alejandro


From nobody Wed Jul 22 09:13:54 2015
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 713611A882F for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:13:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfuPXTk4dA5J for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:13:50 -0700 (PDT)
Received: from mail-wi0-f176.google.com (mail-wi0-f176.google.com [209.85.212.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A081A700A for <abfab@ietf.org>; Wed, 22 Jul 2015 09:13:49 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so88273992wic.0 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:13:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=3hvBBPw4FbB7BebB33pVKyiTj6386OvA1Z7fX+tXExg=; b=gN2jSII3is2+INlGB+RaazAKohGxrT3t+Na5Qwu6n0P7VUnmmIL38mug4jrllRS9+p CcLJ6S3udX+xlKLMd+bJWO3dcd6TYyID/cFy2BynT+TspsfmvtBJp4M0nnc/F2Ywt4DW G9VZZ8t5hLjai/Pe0k8Mem27hYJmXknkmxTMIMu2gAM6VF4+J8VY/XLFZBDK915dT6RZ bDNNvrrKQMPi4AAIX0/Kls6T/MIN3VfE0sDparoVcL1PzmvozFkUp6aND3zaGZA3qqv1 4Zil4oGOz4tObgbwL9PxnJnhu0P1c9NRLJCscEULucJThaWGS2OxPVgjxEcFX7If5tcw yD0A==
X-Gm-Message-State: ALoCoQn3LK1oayOVc+5KZ6urtTUnTm41521uAuxN7zzP16XEeGkNj9pLEh78o6xAuuxiwUN7ELFx
X-Received: by 10.194.175.65 with SMTP id by1mr7215417wjc.152.1437581628256; Wed, 22 Jul 2015 09:13:48 -0700 (PDT)
Received: from [31.133.176.110] (dhcp-b06e.meeting.ietf.org. [31.133.176.110]) by smtp.googlemail.com with ESMTPSA id js3sm3108479wjc.5.2015.07.22.09.13.46 for <abfab@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Jul 2015 09:13:46 -0700 (PDT)
Message-ID: <55AFC139.10805@mnt.se>
Date: Wed, 22 Jul 2015 18:13:45 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es>
In-Reply-To: <55AFC0E3.8030500@um.es>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/0YyMF5ZuLkpJmgPBwVLpixS9CAI>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:13:52 -0000

On 2015-07-22 18:12, Alejandro Pérez Méndez wrote:
> 
> 
> On 22/07/15 at 17:14, Leif Johansson wrote:
>>
>> On 22 Jul 2015 at 17:12, Sam Hartman <hartmans@painless-security.com> wrote:
>>
>>>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
>>>     Leif> On 22 Jul 2015 at 16:41, Sam Hartman
>>>     Leif> <hartmans@painless-security.com> wrote:
>>>
>>>>>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
>>>>> Cantor,> On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman"
>>>>> Cantor,> <abfab-bounces@ietf.org on behalf of Cantor,>
>>>>> hartmans@painless-security.com>
>>>>> Cantor,> wrote:
>>>>>
>>>>>
>>>>>>> I think you'd need to:
>>>>>>>
>>>>>>> 1) Explain how I figure out which entity I'm using for my
>>>>>>> RADIUS server
>>>>>>> Consider this especially in a case where you're retrieving
>>>>>>> metadata dynamically rather than just having all the metadata
>>>>>>> in the world.
>>>>> Cantor,> That's orthogonal to any use of SAML metadata. How you
>>>>> get Cantor,> it (and verify it) is architecturally distinct from
>>>>> what it Cantor,> means and how it's used.
>>>>>
>>>>> Not really.  If I'm starting with an NAI realm and would like to
>>>>> find the entity description of an entity that is at that NAI
>>>>> realm, I can only do that if my metadata access mechanism lets me
>>>>> search by that.
>>>     Leif> so it's a requirement for the mdquery draft, not on metadata
>>>
>>> Nod.
>>>
>>> I don't anticipate implementing using metadata  to select a RADIUS
>>> endpoint.
>>> So I don't have a lot of interest in working on that.  I'm happy to
>>> review a specific proposal someone comes up with, but I'd prefer it not
>>> end up in aaa-saml and I'd strongly prefer it not block aaa-saml.
>>>
>>> --Sam
>> Agree, but I think endpoint could be useful for radsec and I suspect it
>> will be reasonably simple to do.
> 
> I might be mistaken, but wasn't that what we wanted to avoid in the
> first place when we decided not to use the RADIUS URI scheme from my
> original proposal?
> I guess having an endpoint for radsec will require to define how the
> "Location" values will look like, and they should be in a URI format as
> well.
> 

We agree that we want something other than Endpoint for name2key binding,
but we are still debating whether we want Endpoint for the radsec
case. It is debatable.


From nobody Wed Jul 22 09:15:11 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1C651A6F10 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level: 
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-H1YMjSXvtm for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:15:08 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BC9A1A1F70 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:15:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 06E7C2075D; Wed, 22 Jul 2015 12:14:42 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s3nbfD0VRpB0; Wed, 22 Jul 2015 12:14:41 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 12:14:41 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id B98B28867F; Wed, 22 Jul 2015 12:15:04 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alejandro Pérez Méndez <alex@um.es>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es>
Date: Wed, 22 Jul 2015 12:15:04 -0400
In-Reply-To: <55AFC0E3.8030500@um.es> ("Alejandro Pérez Méndez"'s message of "Wed, 22 Jul 2015 18:12:19 +0200")
Message-ID: <tslpp3kuq2f.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/4DR1Z31iIP5o9T4nM4HFYXXclkg>
Cc: abfab@ietf.org
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:15:10 -0000

>>>>> "Alejandro" == Alejandro Pérez Méndez <alex@um.es> writes:

    Alejandro> I might be mistaken, but wasn't that what we wanted to
    Alejandro> avoid in the first place when we decided not to use the
    Alejandro> RADIUS URI scheme from my original proposal?  I guess
    Alejandro> having an endpoint for radsec will require to define how
    Alejandro> the "Location" values will look like, and they should be
    Alejandro> in a URI format as well.

Standardizing a URI that looked like
radsec://host:port would be *lots* easier than the URI you proposed.
However, yes, I believe even that is work that I don't think belongs in ABFAB
or aaa-saml.


From nobody Wed Jul 22 09:18:34 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF1B91A886E for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level: 
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEHh1P7cPPdC for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:18:31 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC4C1A877C for <abfab@ietf.org>; Wed, 22 Jul 2015 09:18:27 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6MGIPXW015108 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:18:25 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6MGIMeS006748 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:18:24 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437581904; bh=Su0gT8Ul701DC7zUWT1k2Qesn97YK0rT21FOUrmSIN4=; h=Date:From:To:Subject:References:In-Reply-To; b=loxtTt2oIIDcQi74KGM5g2PNp5Mc2TvetNpLt3gg7jqJGNM4kZulXZIsFUMbN9oSH INeqhBtpsa2mMkZurQt3qSu7GTj0t7RjV80H/Zq9wO8T8ilG1LOrjWAP7T0inxtoff N9XwpUMdK1/m8jGFadz6ex7BZoBjsRqFDs0KWPCk=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.176.110] ([31.133.176.110]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Wed, 22 Jul 2015 18:18:21 +0200
Message-ID: <55AFC24C.3070205@sunet.se>
Date: Wed, 22 Jul 2015 18:18:20 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu>
In-Reply-To: <tslpp3kuq2f.fsf@mit.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OTsipsE - 02132263ee85 - 20150722
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/TZpbDOJdbRIsRJqLW-P5zDeiNLg>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:18:32 -0000

On 2015-07-22 18:15, Sam Hartman wrote:
>>>>>> "Alejandro" == Alejandro Pérez Méndez <alex@um.es> writes:
> 
>     Alejandro> I might be mistaken, but wasn't that what we wanted to
>     Alejandro> avoid in the first place when we decided not to use the
>     Alejandro> RADIUS URI scheme from my original proposal?  I guess
>     Alejandro> having an endpoint for radsec will require to define how
>     Alejandro> the "Location" values will look like, and they should be
>     Alejandro> in a URI format as well.
> 
> Standardizing a URI that /looked like
> radsec://host:port would be *lots* easier than the URI you proposed.
> However, yes I believe even that's work I don't think belongs in ABFAB
> or aaa-saml.

Right, but we _could_ add Endpoint and leave the work of specifying the
URL format of RADIUS radsec servers to whomever wanted to deploy it.



From nobody Wed Jul 22 09:20:28 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDC6A1A8855 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YBzblmw6EbT for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:20:25 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 548871A886E for <abfab@ietf.org>; Wed, 22 Jul 2015 09:20:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id E4B6920711; Wed, 22 Jul 2015 12:19:58 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tzlvyptqNFC; Wed, 22 Jul 2015 12:19:58 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 12:19:58 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id ABADB8867F; Wed, 22 Jul 2015 12:20:21 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@sunet.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se>
Date: Wed, 22 Jul 2015 12:20:21 -0400
In-Reply-To: <55AFC24C.3070205@sunet.se> (Leif Johansson's message of "Wed, 22 Jul 2015 18:18:20 +0200")
Message-ID: <tslh9owuptm.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/fgozBlPNHfdvnNk0scSkO7EX-xQ>
Cc: abfab@ietf.org
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:20:26 -0000

>>>>> "Leif" == Leif Johansson <leifj@sunet.se> writes:


    Leif> Right but we _could_ add Endpoint and leave the work of
    Leif> specifying the URL format of radius radsec servers to whomever
    Leif> wanted to deploy it

I'm very against that.
It's not guaranteed to be interoperable without the URI and I don't
think we'd have confidence in the semantics without going through the
URI spec.


From nobody Wed Jul 22 09:24:53 2015
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B4071A89EB for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:24:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lUePo76rXE5 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:24:50 -0700 (PDT)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8FBA1A89A5 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:24:44 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so88677249wic.0 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:24:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=KOM1ZytG/ZVkKHeNysUjyybowJKzKvkd6okAZM4K1uw=; b=PyWltbQdcd69v079GmpEqJbtcCKuL8cAt9oZ+gHBTZ56PLy3/0WfCcgnKO9Yz7lXGO ROWE1n0KtWsUm9eLRYPJUOxZ+BuUAJ4x5IfDZ/Ji/RBbDIn1LNWBYikx6YpiVnEuRj5J BVd4zugMXvyygMg903hZUjlH850d4wQ8K2LZSi0Rw5RCKpVQB6YLrmlrPrWbhHTLT76D eK1LJQMnW+rj9lSPK8sHzSOroNA58UInBxGGLQq8eGX8MMvPu8sxFV1nnAFu4q0sOFgN uVTbEazyaEq6KIDlbemj3F0MtOh/0PqFDY8YdjG1K44QJsa4bzEPH6Lv4WNSf370C80P erDw==
X-Gm-Message-State: ALoCoQnMttixWXc96fvDDgxA1cot0EcXS87jxTpLXuiVIg8WBatsaFE6xNAkN+eNKVUyJBUvcSH7
X-Received: by 10.194.58.109 with SMTP id p13mr7412092wjq.36.1437582283246; Wed, 22 Jul 2015 09:24:43 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:152:76da:38ff:fe3a:15dd? ([2001:67c:370:152:76da:38ff:fe3a:15dd]) by smtp.googlemail.com with ESMTPSA id bm9sm22787108wib.10.2015.07.22.09.24.42 for <abfab@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Jul 2015 09:24:42 -0700 (PDT)
Message-ID: <55AFC37D.1040607@mnt.se>
Date: Wed, 22 Jul 2015 18:23:25 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu>
In-Reply-To: <tslh9owuptm.fsf@mit.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/VbS1D4X9PJ7flwnIEjPiiHwCHKQ>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:24:51 -0000

On 2015-07-22 18:20, Sam Hartman wrote:
>>>>>> "Leif" == Leif Johansson <leifj@sunet.se> writes:

(I am and was speaking entirely without any chair hats on, btw)

> 
> 
>     Leif> Right but we _could_ add Endpoint and leave the work of
>     Leif> specifying the URL format of radius radsec servers to whomever
>     Leif> wanted to deploy it
> 
> I'm very against that.
> It's not guaranteed to be interoperable without the URI and I don't
> think we'd have confidence in the semantics without going through the
> URI spec.

That's why we have the Binding parameter! If you don't understand the
Binding then you can't use the Endpoint.

If your position made sense (which it doesn't) then we could never
deploy new bindings in SAML which actually does happen.

	Cheers Leif



From nobody Wed Jul 22 09:28:21 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 378311A8AC7 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:28:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cf3rnD28MCA for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:28:18 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D90F1B2A32 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:26:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 47C5D2075D; Wed, 22 Jul 2015 12:26:29 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QtoETmxthi3T; Wed, 22 Jul 2015 12:26:28 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 12:26:28 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 030B98867F; Wed, 22 Jul 2015 12:26:51 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Leif Johansson <leifj@mnt.se>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se>
Date: Wed, 22 Jul 2015 12:26:51 -0400
In-Reply-To: <55AFC37D.1040607@mnt.se> (Leif Johansson's message of "Wed, 22 Jul 2015 18:23:25 +0200")
Message-ID: <tsl4mkwupis.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/weINOZbiOgeewYymMfdN6BK0eeE>
Cc: abfab@ietf.org
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:28:20 -0000

>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:

    Leif> On 2015-07-22 18:20, Sam Hartman wrote:
    >>>>>>> "Leif" == Leif Johansson <leifj@sunet.se> writes:

    Leif> (I am and was speaking entirely wo any chair hats on btw)

    >> 
    >> 
    Leif> Right but we _could_ add Endpoint and leave the work of
    Leif> specifying the URL format of radius radsec servers to whomever
    Leif> wanted to deploy it
    >> 
    >> I'm very against that.  It's not guaranteed to be interoperable
    >> without the URI and I don't think we'd have confidence in the
    >> semantics without going through the URI spec.

    Leif> That's why we have the Binding parameter! If you don't
    Leif> understand the Binding then you can't use the Endpoint.

No, my point is that until the URI is specified, it seems unlikely that
two implementations would both work with this endpoint.
I absolutely agree that it wouldn't break other bindings.
But for example if one implementation wanted radsec://... and one wanted
radius+tls://... then they wouldn't both be able to consume the same
metadata.


From nobody Wed Jul 22 09:31:06 2015
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8392C1A8711 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kV18GsHutddS for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:30:57 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0791.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:791]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D837F1A8A4E for <abfab@ietf.org>; Wed, 22 Jul 2015 09:30:16 -0700 (PDT)
Received: from BN1AFFO11FD034.protection.gbl (10.58.52.34) by BN1AFFO11HUB033.protection.gbl (10.58.52.144) with Microsoft SMTP Server (TLS) id 15.1.213.8; Wed, 22 Jul 2015 16:29:59 +0000
Authentication-Results: spf=pass (sender IP is 164.107.81.222) smtp.mailfrom=osu.edu; ietf.org; dkim=none (message not signed) header.d=none;
Received-SPF: Pass (protection.outlook.com: domain of osu.edu designates 164.107.81.222 as permitted sender) receiver=protection.outlook.com; client-ip=164.107.81.222; helo=cio-tnc-pf08.osuad.osu.edu;
Received: from cio-tnc-pf08.osuad.osu.edu (164.107.81.222) by BN1AFFO11FD034.mail.protection.outlook.com (10.58.52.158) with Microsoft SMTP Server (TLS) id 15.1.213.8 via Frontend Transport; Wed, 22 Jul 2015 16:29:59 +0000
Received: from CIO-TNC-HT08.osuad.osu.edu (localhost [127.0.0.1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by cio-tnc-pf08.osuad.osu.edu (Postfix) with ESMTPS id E47172E0036; Wed, 22 Jul 2015 12:29:57 -0400 (EDT)
Received: from CIO-TNC-D2MBX02.osuad.osu.edu ([fe80::3960:dd86:ba2:ad26]) by CIO-TNC-HT08.osuad.osu.edu ([fe80::8431:784b:bd14:3d8%18]) with mapi id 14.03.0224.002; Wed, 22 Jul 2015 12:29:56 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, Leif Johansson <leifj@mnt.se>
Thread-Topic: [abfab] Direction Forward for aaa-saml
Thread-Index: AQHQxJDZqOsHJ1Kgwk2OrlaTR/AXL53n3C2AgAAQHYD//73EgYAAQ+oA//+9jq2AAEPegP//vl+dAAAMf4A=
Date: Wed, 22 Jul 2015 16:29:55 +0000
Message-ID: <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu>
In-Reply-To: <tsl4mkwupis.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [128.146.14.100]
Content-Type: text/plain; charset="utf-8"
Content-ID: <7BDD492BC1E34143A197DCEFBE6B70B7@osu.edu>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-EOPAttributedMessage: 0
X-OriginatorOrg: osu.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jul 2015 16:29:59.2534 (UTC)
X-MS-Exchange-CrossTenant-Id: b4d138ca-1815-4a9b-a3a7-130a33b1e692
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b4d138ca-1815-4a9b-a3a7-130a33b1e692; Ip=[164.107.81.222];  Helo=[cio-tnc-pf08.osuad.osu.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1AFFO11HUB033
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/3H9KCIXn6Z1-aEpcrRXztMeoiT0>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-List-Received-Date: Wed, 22 Jul 2015 16:31:04 -0000

From nobody Wed Jul 22 09:32:05 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A153F1A8870 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:32:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Mxw-CylMub4 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:32:02 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3FEA1A0020 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:32:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 476342075D; Wed, 22 Jul 2015 12:31:36 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Si5TJcTN2Keh; Wed, 22 Jul 2015 12:31:35 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-89db.meeting.ietf.org [31.133.137.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Jul 2015 12:31:35 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 073128867F; Wed, 22 Jul 2015 12:31:59 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu>
Date: Wed, 22 Jul 2015 12:31:59 -0400
In-Reply-To: <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> (Scott Cantor's message of "Wed, 22 Jul 2015 16:29:55 +0000")
Message-ID: <tslzj2otaps.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/YjbZbkniFKl6dEsQ5m6eARU9L-c>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-List-Received-Date: Wed, 22 Jul 2015 16:32:04 -0000

>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:


    Cantor,> Leif's point is that if you don't specify any bindings, you
    Cantor,> won't have any interop issue. But if you don't account for
    Cantor,> the endpoint element(s) in the schema, you can't add them
    Cantor,> later.

O, that's irritating.
Thanks for explaining.
I understand now.


From nobody Wed Jul 22 09:32:15 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 225191A8A4A for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level: 
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bB9BY2L8o7Gh for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:32:11 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A2701A8870 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:32:10 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6MGW9na018597 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:32:09 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6MGW6m1024511 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:32:08 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437582728; bh=0rG1yBGZKPhYRDnTp7hgFSuM99yrRbRuzff/SOdA/iI=; h=Date:From:To:Subject:References:In-Reply-To; b=IdDiQOfToFwaSXBI1DUWkqx/6+P4T2amjEYNrOfwZWQ8LXcFbaojFZBlyCqxjJf4w 3GSLr+xwudjzKGUg9QKqewI9ITyh4PRqJE1jRtzFL24FeE2igG5KAcwctvBcYFwfCW 8kBFlP1+gOekXBaz4DidEvZXyEbQrxfy8GvPuj58=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.176.110] ([31.133.176.110]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Wed, 22 Jul 2015 18:32:06 +0200
Message-ID: <55AFC585.8070303@sunet.se>
Date: Wed, 22 Jul 2015 18:32:05 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu>
In-Reply-To: <tsl4mkwupis.fsf@mit.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OTsw9OX - 712080d2e802 - 20150722
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/IIrx4YFDHdRTGPiR-qr9GkR60eA>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-List-Received-Date: Wed, 22 Jul 2015 16:32:13 -0000

On 2015-07-22 18:26, Sam Hartman wrote:
>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
> 
>     Leif> On 2015-07-22 18:20, Sam Hartman wrote:
>     >>>>>>> "Leif" == Leif Johansson <leifj@sunet.se> writes:
> 
>     Leif> (I am and was speaking entirely wo any chair hats on btw)
> 
>     >> 
>     >> 
>     Leif> Right but we _could_ add Endpoint and leave the work of
>     Leif> specifying the URL format of radius radsec servers to whomever
>     Leif> wanted to deploy it
>     >> 
>     >> I'm very against that.  It's not guaranteed to be interoperable
>     >> without the URI and I don't think we'd have confidence in the
>     >> semantics without going through the URI spec.
> 
>     Leif> That's why we have the Binding parameter! If you don't
>     Leif> understand the Binding then you can't use the Endpoint.
> 
> No, my point is that until the URI is specified, it seems unlikely that
> two implementations would both work with this endpoint.

Sure but that is no worse than any SAML deployment. Until you agree on
the binding you can't talk.

> I absolutely agree that it wouldn't break other bindings.
> But for example if one implementation wanted radsec://... and one wanted
> radius+tls://... then they wouldn't both be able to consume the same
> metadata.
> 

If they invented the same binding then yeah life would suck for them.

Again: if somebody wants to use Location then have them define the
binding and URL format. Done.

	Cheers Leif


From nobody Wed Jul 22 09:32:34 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 672331A8A07 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level: 
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wmH0fhf8435A for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:32:31 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52FC11A0020 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:32:31 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6MGWTUS018651 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:32:29 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6MGWQab012861 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:32:28 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437582748; bh=nD+9NCD6eZULbB/rMtHPowNbWHg9FJXbxQZN6k7tby4=; h=Date:From:To:Subject:References:In-Reply-To; b=HTzorCm9/3zh4PzOgPF54zCptouP2QZIAxj/MGpk+qvuyC/c/rPiGWT9YLCQf762W sGErYBJZUcpxstr5ey3aCXcbWsgEEhAUTtaaaBbBMzbmdJYz68XPBSd2G2SWtT8K9T Mxh7nYUsnEyBDUUnY5Mf/NKSv9cFOHXAspLfdu0c=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.176.110] ([31.133.176.110]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Wed, 22 Jul 2015 18:32:24 +0200
Message-ID: <55AFC597.7040807@sunet.se>
Date: Wed, 22 Jul 2015 18:32:23 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu>
In-Reply-To: <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OTswtPe - 5c6e1cb8acf2 - 20150722
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/y58IEIkSifRcVreN-b7GzgDSuKw>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-List-Received-Date: Wed, 22 Jul 2015 16:32:32 -0000

On 2015-07-22 18:29, Cantor, Scott wrote:
> On 7/22/15, 12:26 PM, "abfab on behalf of Sam Hartman" <abfab-bounces@ietf.org on behalf of hartmans@painless-security.com> wrote:
> 
> 
>>
>>    Leif> That's why we have the Binding parameter! If you don't
>>    Leif> understand the Binding then you can't use the Endpoint.
>>
>> No, my point is that until the URI is specified, it seems unlikely that
>> two implementations would both work with this endpoint.
>> I absolutely agree that it wouldn't break other bindings.
>> But for example if one implementation wanted radsec://... and one wanted
>> radius+tls://... then they wouldn't both be able to consume the same
>> metadata.
> 
> Leif's point is that if you don't specify any bindings, you won't have any interop issue. But if you don't account for the endpoint element(s) in the schema, you can't add them later.

just so


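Added illustration of the two points argued above (Leif's rule that an endpoint is usable only if its Binding is understood, and Sam's radsec:// versus radius+tls:// interop case); this is example code written for this archive, not code from the thread or from any aaa-saml draft. The AAA role/endpoint element names, their namespace and the binding URIs are constructed placeholders, since the thread defines none.

```python
"""Metadata consumer that applies the Binding/Location rule from the thread:
an endpoint is used only if the consumer knows its Binding URI and the
Location follows the URL format that binding prescribes.

Element names, the aaa: namespace and the binding URIs are constructed for
this example; only the md: namespace is the real SAML 2.0 metadata one.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # real SAML 2.0 metadata namespace
AAA_NS = "urn:example:aaa-saml:metadata"         # hypothetical extension namespace

# Constructed metadata: one entity advertising endpoints under two rival
# bindings (the radsec:// vs radius+tls:// case), one binding nobody has
# specified yet, and one endpoint whose Location violates its binding's format.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:aaa="{AAA_NS}"
    entityID="https://idp.example.org/aaa">
  <aaa:AAARoleDescriptor protocolSupportEnumeration="{AAA_NS}">
    <aaa:AAAEndpoint Binding="urn:example:binding:radsec"
                     Location="radsec://aaa.example.org:2083"/>
    <aaa:AAAEndpoint Binding="urn:example:binding:radius-tls"
                     Location="radius+tls://aaa.example.org:2083"/>
    <aaa:AAAEndpoint Binding="urn:example:binding:future"
                     Location="opaque-string-no-url-format-defined"/>
    <aaa:AAAEndpoint Binding="urn:example:binding:radsec"
                     Location="https://aaa.example.org/not-radsec"/>
  </aaa:AAARoleDescriptor>
</md:EntityDescriptor>
"""


@dataclass(frozen=True)
class Endpoint:
    binding: str
    location: str


def parse_endpoints(xml_text):
    """Collect every AAAEndpoint the schema lets the entity advertise.

    Unknown bindings are kept here; deciding whether they are usable is the
    consumer's job, not the parser's.
    """
    root = ET.fromstring(xml_text)
    endpoints = []
    for el in root.iter(f"{{{AAA_NS}}}AAAEndpoint"):
        binding, location = el.get("Binding"), el.get("Location")
        if not binding or not location:
            raise ValueError("AAAEndpoint must carry both Binding and Location")
        endpoints.append(Endpoint(binding, location))
    return endpoints


def usable_endpoints(endpoints, known_bindings):
    """known_bindings maps a Binding URI to the URL scheme its spec requires.

    An endpoint whose Binding is not in the map is skipped rather than guessed
    at; a known Binding whose Location does not use the required scheme is
    also skipped, because the consumer cannot trust its semantics.
    """
    usable = []
    for ep in endpoints:
        required_scheme = known_bindings.get(ep.binding)
        if required_scheme is None:
            continue
        if urlparse(ep.location).scheme != required_scheme:
            continue
        usable.append(ep)
    return usable


def interoperable(endpoints, impl_a, impl_b):
    """Endpoints two implementations could both consume from the same metadata."""
    shared = set(usable_endpoints(endpoints, impl_a)) & set(usable_endpoints(endpoints, impl_b))
    return sorted(shared, key=lambda e: (e.binding, e.location))


# Two hypothetical implementations that each picked a different URL format.
IMPL_RADSEC = {"urn:example:binding:radsec": "radsec"}
IMPL_RADIUS_TLS = {"urn:example:binding:radius-tls": "radius+tls"}

if __name__ == "__main__":
    eps = parse_endpoints(SAMPLE_METADATA)
    print("radsec impl can use:", usable_endpoints(eps, IMPL_RADSEC))
    print("shared with rival:", interoperable(eps, IMPL_RADSEC, IMPL_RADIUS_TLS))
    print("shared once both bindings are specified:",
          interoperable(eps, IMPL_RADSEC, {**IMPL_RADSEC, **IMPL_RADIUS_TLS}))
```

The empty intersection for the two rival implementations is the situation Sam describes; the unknown "future" binding is parsed and ignored without breaking either consumer, which is Leif's point.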

From nobody Wed Jul 22 09:34:05 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61B1B1B2A91 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level: 
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRVURggFLzBR for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:34:01 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D9211B2A89 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:34:01 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6MGXxAw018848 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:33:59 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6MGXuqD009891 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:33:58 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437582838; bh=uHLiClEm3Hn8Wc8e0FnM7mCLWWBDR8+GwAib1M4g9y4=; h=Date:From:To:Subject:References:In-Reply-To; b=mO0+srB26LQFUjopDongwuHiGjMJoLrFbMAHy47b8z0V0rRX0slKrtwNgZDwUW/kV 2MyR2ogLA/82jMlxKTuS1UrKMLvX5eDQRt6MvqHHC0GO6P6uUfzeA0xWdY1fJZLyp6 heb4ulrKXWiw6J+DXh81A7jeLFapOP8t9+5Hyx7Y=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.176.110] ([31.133.176.110]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Wed, 22 Jul 2015 18:33:54 +0200
Message-ID: <55AFC5F1.7050006@sunet.se>
Date: Wed, 22 Jul 2015 18:33:53 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> <tslzj2otaps.fsf@mit.edu>
In-Reply-To: <tslzj2otaps.fsf@mit.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OTsxXQ8 - 6000b9ff7c89 - 20150722
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/fJGeqw3hc3R0FqQmtYvucjEsiM4>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-List-Received-Date: Wed, 22 Jul 2015 16:34:02 -0000

On 2015-07-22 18:31, Sam Hartman wrote:
>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
> 
> 
>     Cantor,> Leif's point is that if you don't specify any bindings, you
>     Cantor,> won't have any interop issue. But if you don't account for
>     Cantor,> the endpoint element(s) in the schema, you can't add them
>     Cantor,> later.
> 
> O, that's irritating.
> Thanks for explaining.
> I understand now.

:-)



From nobody Wed Jul 22 09:36:49 2015
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0DC31A89FB for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:36:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k7KcTbuNU3zH for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:36:41 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0728.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:728]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE5061A8A9A for <abfab@ietf.org>; Wed, 22 Jul 2015 09:36:40 -0700 (PDT)
Received: from BN1BFFO11FD008.protection.gbl (10.58.144.32) by BN1BFFO11HUB013.protection.gbl (10.58.144.160) with Microsoft SMTP Server (TLS) id 15.1.213.8; Wed, 22 Jul 2015 16:36:24 +0000
Authentication-Results: spf=pass (sender IP is 164.107.81.220) smtp.mailfrom=osu.edu; ietf.org; dkim=none (message not signed) header.d=none;
Received-SPF: Pass (protection.outlook.com: domain of osu.edu designates 164.107.81.220 as permitted sender) receiver=protection.outlook.com; client-ip=164.107.81.220; helo=cio-tnc-pf06.osuad.osu.edu;
Received: from cio-tnc-pf06.osuad.osu.edu (164.107.81.220) by BN1BFFO11FD008.mail.protection.outlook.com (10.58.144.71) with Microsoft SMTP Server (TLS) id 15.1.225.13 via Frontend Transport; Wed, 22 Jul 2015 16:36:23 +0000
Received: from CIO-KRC-HT04.osuad.osu.edu (localhost [127.0.0.1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by cio-tnc-pf06.osuad.osu.edu (Postfix) with ESMTPS id 124453C004C; Wed, 22 Jul 2015 12:34:08 -0400 (EDT)
Received: from CIO-TNC-D2MBX02.osuad.osu.edu ([fe80::3960:dd86:ba2:ad26]) by CIO-KRC-HT04.osuad.osu.edu ([fe80::2d93:5c00:ad4e:861d%10]) with mapi id 14.03.0224.002; Wed, 22 Jul 2015 12:36:21 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] Direction Forward for aaa-saml
Thread-Index: AQHQxJvuqOsHJ1Kgwk2OrlaTR/AXL53nr9yA
Date: Wed, 22 Jul 2015 16:36:21 +0000
Message-ID: <27CB306A-81E3-496E-8CBE-461CC58B8352@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> <tslzj2otaps.fsf@mit.edu>
In-Reply-To: <tslzj2otaps.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [128.146.14.100]
Content-Type: text/plain; charset="utf-8"
Content-ID: <5EA297FB7DB81148BF08421C2A171BFE@osu.edu>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-EOPAttributedMessage: 0
X-OriginatorOrg: osu.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jul 2015 16:36:23.8171 (UTC)
X-MS-Exchange-CrossTenant-Id: b4d138ca-1815-4a9b-a3a7-130a33b1e692
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b4d138ca-1815-4a9b-a3a7-130a33b1e692; Ip=[164.107.81.220];  Helo=[cio-tnc-pf06.osuad.osu.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1BFFO11HUB013
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/U30Dq5UC7sDBR3S4sme_mkeAxZ4>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:36:43 -0000

From nobody Wed Jul 22 09:55:35 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ECFD1A8A9A for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level: 
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q5fKkgvgfEVu for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 09:55:32 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C131A1A1B28 for <abfab@ietf.org>; Wed, 22 Jul 2015 09:55:31 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6MGtTjV023254 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:55:29 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6MGtQvJ016972 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Wed, 22 Jul 2015 18:55:29 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437584129; bh=2NFpmWDUJHgaGVs3mZVo+vaBRd61T4CdRoIpWfY1WQM=; h=Date:From:To:Subject:References:In-Reply-To; b=DUzUgBPN6qtvrgtPwlmjBv5Bo35C7hfKSWDaBYGY24O4MzX1YKkqIzuHaSGjFvnVS YE0FzSVGWUPgDBBZy3RMjg+4aZbjh8gDcZwXNch7Jr+nii2jW4Fp1Nlg+QEQ/yXNYn fZNAIZKzZkB+2WwElOy3Gu5mrptUqtTDWTsohcdc=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.176.110] ([31.133.176.110]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Wed, 22 Jul 2015 18:55:24 +0200
Message-ID: <55AFCAFC.6010903@sunet.se>
Date: Wed, 22 Jul 2015 18:55:24 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> <tslzj2otaps.fsf@mit.edu> <27CB306A-81E3-496E-8CBE-461CC58B8352@osu.edu>
In-Reply-To: <27CB306A-81E3-496E-8CBE-461CC58B8352@osu.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OTsTt3w - 05e1be0809af - 20150722
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/71ZMLQHax4QdJgE7o5kjf6I1neU>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 16:55:33 -0000

On 2015-07-22 18:36, Cantor, Scott wrote:
> 
> 
> 
> 
> 
> On 7/22/15, 12:31 PM, "Sam Hartman" <hartmans@painless-security.com> wrote:
> 
>>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
>>
>>
>>    Cantor,> Leif's point is that if you don't specify any bindings, you
>>    Cantor,> won't have any interop issue. But if you don't account for
>>    Cantor,> the endpoint element(s) in the schema, you can't add them
>>    Cantor,> later.
>>
>> O, that's irritating.
> 
> Well, it's not an absolute, you could do extensions to get them in later, but it's annoying to have to do that if you actually have a technical rationale for defining an endpoint type up front. It's better to just do it so it's a well-defined element and not buried inside an extension.
> 
> Of course, you can make them minOccurs="0" initially so they're optional and don't matter for now.


That was my thought



From nobody Wed Jul 22 14:28:55 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08EB1B2E9E for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 14:28:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.911
X-Spam-Level: 
X-Spam-Status: No, score=-3.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAJue_4WYujz for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 14:28:51 -0700 (PDT)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id 2532D1B2E60 for <abfab@ietf.org>; Wed, 22 Jul 2015 14:28:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id 26E6E1CC4 for <abfab@ietf.org>; Wed, 22 Jul 2015 23:28:49 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 1mGuEWc80JvS for <abfab@ietf.org>; Wed, 22 Jul 2015 23:28:49 +0200 (CEST)
Received: from [192.168.20.74] (186.160.broadband14.iol.cz [90.181.160.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon22.um.es (Postfix) with ESMTPSA id DF357A7F for <abfab@ietf.org>; Wed, 22 Jul 2015 23:28:46 +0200 (CEST)
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> <tslzj2otaps.fsf@mit.edu> <27CB306A-81E3-496E-8CBE-461CC58B8352@osu.edu> <55AFCAFC.6010903@sunet.se>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <55B00B0C.60005@um.es>
Date: Wed, 22 Jul 2015 23:28:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <55AFCAFC.6010903@sunet.se>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/v3uxvjcUQK-WNaKbo8HwjPUR6HM>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 21:28:53 -0000

On 22/07/15 at 18:55, Leif Johansson wrote:
> On 2015-07-22 18:36, Cantor, Scott wrote:
>>
>>
>>
>>
>> On 7/22/15, 12:31 PM, "Sam Hartman" <hartmans@painless-security.com> wrote:
>>
>>>>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
>>>
>>>     Cantor,> Leif's point is that if you don't specify any bindings, you
>>>     Cantor,> won't have any interop issue. But if you don't account for
>>>     Cantor,> the endpoint element(s) in the schema, you can't add them
>>>     Cantor,> later.
>>>
>>> O, that's irritating.
>> Well, it's not an absolute, you could do extensions to get them in later, but it's annoying to have to do that if you actually have a technical rationale for defining an endpoint type up front. It's better to just do it so it's a well-defined element and not buried inside an extension.
>>
>> Of course, you can make them minOccurs="0" initially so they're optional and don't matter for now.

Let me try to summarize, so I have a clear picture of what the next 
steps are:

In addition to adding the new elements to the RADIUSIDPDescriptor and 
RADIUSRPDescriptor subtypes to include the naming information, we can 
keep the RADIUSIDPService and RADIUSRPService elements that I already 
defined (of type EndpointType, with minOccurs="0"), as a provision for 
the future use of locators/endpoints. We don't need to specify the 
specific URI format yet. Am I correct?

I have an additional question though. Leif mentioned that the URI format 
of the Locator attribute will be determined by the value of the Binding 
attribute, which is true. But, since in this document and section we are 
specifically defining the "urn:ietf:params:abfab:bindings:radius" 
Binding, shouldn't it be fixed to that value?

Regards,
Alejandro

>
> That was my thought
>
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
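An illustrative XSD sketch of the shape summarized above, added here as an example and not taken from the aaa-saml draft's schema: the RADIUS role descriptor extends md:RoleDescriptorType, and the service element reuses md:EndpointType with minOccurs="0", so metadata without endpoints validates today and a later revision can define the Locator format without burying the element in md:Extensions. The abfab target namespace URI, the "Type" suffix on the type names, the placement of the naming-information elements, and the restricted endpoint type that pins Binding are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative sketch only, not the aaa-saml draft's schema.
     Assumed: the target namespace URI, the "...Type" type names, and the
     slot where the draft's naming-information elements would sit. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
           xmlns:abfab="urn:example:abfab:metadata"
           targetNamespace="urn:example:abfab:metadata"
           elementFormDefault="qualified">

  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
             schemaLocation="saml-schema-metadata-2.0.xsd"/>

  <!-- Service elements reuse md:EndpointType unchanged: Binding and Location
       are required attributes of that type, and the thread leaves the
       Location (Locator) URI format to be specified later. -->
  <xs:element name="RADIUSIDPService" type="md:EndpointType"/>
  <xs:element name="RADIUSRPService"  type="md:EndpointType"/>

  <!-- RADIUS IdP role. The endpoint element is declared now but optional
       (minOccurs="0"): an instance with no endpoint validates, and a later
       revision can populate it without an <md:Extensions> wrapper. -->
  <xs:complexType name="RADIUSIDPDescriptorType">
    <xs:complexContent>
      <xs:extension base="md:RoleDescriptorType">
        <xs:sequence>
          <!-- placeholder: the draft's naming-information elements go here -->
          <xs:element ref="abfab:RADIUSIDPService"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- RADIUS RP role, same pattern. -->
  <xs:complexType name="RADIUSRPDescriptorType">
    <xs:complexContent>
      <xs:extension base="md:RoleDescriptorType">
        <xs:sequence>
          <!-- placeholder: the draft's naming-information elements go here -->
          <xs:element ref="abfab:RADIUSRPService"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- If Binding is to be pinned to the RADIUS binding URI, as the question
       above asks, one way to express that is a restriction of md:EndpointType.
       The child and attribute wildcards are restated so they survive the
       restriction; Location is inherited unchanged. A consumer then rejects
       any other Binding value at validation time. -->
  <xs:complexType name="RADIUSEndpointType">
    <xs:complexContent>
      <xs:restriction base="md:EndpointType">
        <xs:sequence>
          <xs:any namespace="##other" processContents="lax"
                  minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="Binding" type="xs:anyURI" use="required"
                      fixed="urn:ietf:params:abfab:bindings:radius"/>
        <xs:anyAttribute namespace="##other" processContents="lax"/>
      </xs:restriction>
    </xs:complexContent>
  </xs:complexType>

</xs:schema>
```

In an instance, an md:RoleDescriptor carrying xsi:type="abfab:RADIUSIDPDescriptorType" validates against this sketch with or without an abfab:RADIUSIDPService child; switching the service elements to abfab:RADIUSEndpointType is what turns the Binding value into a schema-enforced constant.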


From nobody Wed Jul 22 15:27:07 2015
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 698E21B2F46 for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 15:27:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level: 
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3IQo3A8uyyPT for <abfab@ietfa.amsl.com>; Wed, 22 Jul 2015 15:27:05 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0798.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:798]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A814E1B2F48 for <abfab@ietf.org>; Wed, 22 Jul 2015 15:27:04 -0700 (PDT)
Received: from BY2FFO11FD042.protection.gbl (10.1.14.32) by BY2FFO11HUB002.protection.gbl (10.1.14.144) with Microsoft SMTP Server (TLS) id 15.1.225.13; Wed, 22 Jul 2015 22:26:43 +0000
Authentication-Results: spf=pass (sender IP is 164.107.81.216) smtp.mailfrom=osu.edu; ietf.org; dkim=none (message not signed) header.d=none;
Received-SPF: Pass (protection.outlook.com: domain of osu.edu designates 164.107.81.216 as permitted sender) receiver=protection.outlook.com; client-ip=164.107.81.216; helo=cio-tnc-pf02.osuad.osu.edu;
Received: from cio-tnc-pf02.osuad.osu.edu (164.107.81.216) by BY2FFO11FD042.mail.protection.outlook.com (10.1.14.227) with Microsoft SMTP Server (TLS) id 15.1.213.8 via Frontend Transport; Wed, 22 Jul 2015 22:26:43 +0000
Received: from CIO-KRC-HT01.osuad.osu.edu (localhost [127.0.0.1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by cio-tnc-pf02.osuad.osu.edu (Postfix) with ESMTPS id 2547C20053; Wed, 22 Jul 2015 18:26:42 -0400 (EDT)
Received: from CIO-TNC-D2MBX02.osuad.osu.edu ([fe80::3960:dd86:ba2:ad26]) by CIO-KRC-HT01.osuad.osu.edu ([fe80::6d8f:7dea:5691:1620%12]) with mapi id 14.03.0224.002; Wed, 22 Jul 2015 18:26:41 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Alejandro Pérez Méndez <alex@um.es>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Direction Forward for aaa-saml
Thread-Index: AQHQxJvuqOsHJ1Kgwk2OrlaTR/AXL53nr9yAgABRwhuAABAfAA==
Date: Wed, 22 Jul 2015 22:26:40 +0000
Message-ID: <1C7B22EA-86BF-4161-9432-086144964E98@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> <tslzj2otaps.fsf@mit.edu> <27CB306A-81E3-496E-8CBE-461CC58B8352@osu.edu> <55AFCAFC.6010903@sunet.se> <55B00B0C.60005@um.es>
In-Reply-To: <55B00B0C.60005@um.es>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [128.146.14.100]
Content-Type: text/plain; charset="utf-8"
Content-ID: <AB41EF3DD442FF449BCC97E9D0D8E729@osu.edu>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-EOPAttributedMessage: 0
X-OriginatorOrg: osu.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jul 2015 22:26:43.2239 (UTC)
X-MS-Exchange-CrossTenant-Id: b4d138ca-1815-4a9b-a3a7-130a33b1e692
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b4d138ca-1815-4a9b-a3a7-130a33b1e692; Ip=[164.107.81.216];  Helo=[cio-tnc-pf02.osuad.osu.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2FFO11HUB002
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/L-Dbfo114kFFxNA2C0lCfFpfSTc>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 22:27:06 -0000

From nobody Thu Jul 23 00:22:18 2015
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3E671A88D9 for <abfab@ietfa.amsl.com>; Thu, 23 Jul 2015 00:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level: 
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AWXWmcgQXIP for <abfab@ietfa.amsl.com>; Thu, 23 Jul 2015 00:22:16 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C9FF1A88EB for <abfab@ietf.org>; Thu, 23 Jul 2015 00:19:26 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6N7JOTx026067 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <abfab@ietf.org>; Thu, 23 Jul 2015 09:19:24 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t6N7JLL3005095 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Thu, 23 Jul 2015 09:19:24 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1437635964; bh=qt5zvlorTWDHKX258pEgu+afgUujS9qjeNMT7IUBDTY=; h=Date:From:To:Subject:References:In-Reply-To; b=1Ot2MpGjTTJJnv3N3qEhe8KkHOzNK6pWGYK+RSyfoSRhmXoz1ukDih9NahcmKcdGW fQpMZxIvrPjnP0MQ/G6OuUiOveqzcjD7Q5lI2IF05nvdBMG016/3zLYEoBF+QbEscv hBbdi7m2GmVjWLYtEhgYbnOvyPA9bfWyXx6OYcfQ=
X-Footer: c3VuZXQuc2U=
Received: from [31.133.170.111] ([31.133.170.111]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for abfab@ietf.org; Thu, 23 Jul 2015 09:19:21 +0200
Message-ID: <55B09578.2000107@sunet.se>
Date: Thu, 23 Jul 2015 09:19:20 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: abfab@ietf.org
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu> <55AFC24C.3070205@sunet.se> <tslh9owuptm.fsf@mit.edu> <55AFC37D.1040607@mnt.se> <tsl4mkwupis.fsf@mit.edu> <A03FA174-B811-4B78-96D7-4C18C84CB30B@osu.edu> <tslzj2otaps.fsf@mit.edu> <27CB306A-81E3-496E-8CBE-461CC58B8352@osu.edu> <55AFCAFC.6010903@sunet.se> <55B00B0C.60005@um.es> <1C7B22EA-86BF-4161-9432-086144964E98@osu.edu>
In-Reply-To: <1C7B22EA-86BF-4161-9432-086144964E98@osu.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OTHjoDo - 908159e4ce18 - 20150723
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/nzzlrN-anQLAcYQAESMXgsJBFa0>
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 07:22:17 -0000

On 2015-07-23 00:26, Cantor, Scott wrote:
> On 7/22/15, 5:28 PM, "abfab on behalf of Alejandro Pérez Méndez" <abfab-bounces@ietf.org on behalf of alex@um.es> wrote:
> 
> 
> 
>> in addition to add the new elements to the RADIUSIDPDescriptor and 
>> RADIUSRPDescriptor subtypes to include the naming information, we can 
>> keep the RADIUSIDPService and RADIUSRPService elements that I already 
>> defined (of type EndpointType, with minOccurs="0"), as a provision for 
>> the future use of locators/endpoints. We don't need to specify the 
>> specific URI format yet. Am I correct?
> 
> I think so.
> 

yep

>> I have an additional question though. Leif mentioned that the URI format 
>> of the Locator attribute will be determined by the value of the Binding 
>> attribute, which is true. But, since in this document and section we are 
>> specifically defining the "urn:ietf:params:abfab:bindings:radius" 
>> Binding, shouldn't it be fixed to that value?
> 
> No, you wouldn't constrain the Binding even if you were defining the whole thing now, that would preclude extensibility later.
> 

exactly

> There's no need to, any Binding value somebody doesn't understand is just ignored.
> 

yep

> -- Scott
> 
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
> 



From nobody Tue Jul 28 02:22:33 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62D7F1A8826 for <abfab@ietfa.amsl.com>; Tue, 28 Jul 2015 02:22:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.412
X-Spam-Level: 
X-Spam-Status: No, score=-1.412 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, J_CHICKENPOX_26=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5qsopFv7mZhz for <abfab@ietfa.amsl.com>; Tue, 28 Jul 2015 02:22:28 -0700 (PDT)
Received: from xenon23.um.es (xenon23.um.es [155.54.212.163]) by ietfa.amsl.com (Postfix) with ESMTP id A82D01A8821 for <abfab@ietf.org>; Tue, 28 Jul 2015 02:22:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon23.um.es (Postfix) with ESMTP id 4F5A42520 for <abfab@ietf.org>; Tue, 28 Jul 2015 11:22:26 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon23.um.es
Received: from xenon23.um.es ([127.0.0.1]) by localhost (xenon23.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id heb8L4FCFUsF for <abfab@ietf.org>; Tue, 28 Jul 2015 11:22:26 +0200 (CEST)
Received: from [10.42.0.179] (84.121.18.25.dyn.user.ono.com [84.121.18.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon23.um.es (Postfix) with ESMTPSA id 1E36B251E for <abfab@ietf.org>; Tue, 28 Jul 2015 11:22:25 +0200 (CEST)
To: "abfab@ietf.org" <abfab@ietf.org>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <55B749D0.7070501@um.es>
Date: Tue, 28 Jul 2015 11:22:24 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/iGXAGp95gYjJ0_ZqOif2-aDe0LA>
Subject: [abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 09:22:31 -0000

Dear all,

at the end of this email you might find an updated text for sections 
"4.3.3 Mapping of AAA names in SAML metadata" and "4.3.4 Example of SAML 
metadata including AAA names" of our draft-ietf-abfab-aaa-saml, which I 
believe contains the decisions we agreed in the last ABFAB session in 
Prague, and in the subsequent discussion on the mailing list.

This updated proposal defines new elements of type xs:string within the 
RADIUSIDPDescriptor and RADIUSRPDescriptor elements, to describe AAA 
naming. This should remove the need for a general RADIUS URI scheme. 
Note that the RADIUSIDPService and RADIUSRPService elements, of type 
EndpointType, have been preserved in provision for future use.

Comments, suggestions, etc. are welcome.

Regards,
Alejandro


4.3.3.  Mapping of AAA names in SAML metadata

    This section defines the extensions to the SAML metadata
    specification [OASIS.saml-metadata-2.0-os] that are required in order
    to represent AAA names associated to a particular <EntityDescriptor>
    element.

    In SAML metadata, each single entity may act in many different roles
    in the support of multiple profiles.  This document defines two new
    roles: RADIUS IDP and RADIUS RP, requiring the declaration of two new
    subtypes of RoleDescriptorType: RADIUSIDPDescriptor and
    RADIUSRPDescriptor.  These subtypes define the additional elements
    required to represent AAA names for IDP and RP entities respectively.

4.3.3.1.  <RADIUSIDPDescriptor>

    The <RADIUSIDPDescriptor> element extends RoleDescriptorType with
    elements common to IdPs that support RADIUS.  Its
    RADIUSIDPDescriptorType complex type contains the following
    additional elements:

    <RADIUSIDPService> [Zero or More]  Zero or more elements of type
       EndpointType that describe RADIUS endpoints that are associated to
       this Entity.

    <RADIUSRealm> [Zero or More]  Zero or more elements of type xs:string
       that represent the acceptable values of the RADIUS realm
       associated to this Entity, obtained from the realm part of RADIUS
       User-Name attribute.

    The following schema fragment defines the <RADIUSIDPDescriptor>
    element and its RADIUSIDPDescriptorType complex type:

       <element name="RADIUSIDPDescriptor"
                type="md:RADIUSIDPDescriptorType"/>
           <complexType name="RADIUSIDPDescriptorType">
               <complexContent>
                   <extension base="md:RoleDescriptorType">
                       <sequence>
                           <element ref="md:RADIUSIDPService"
                                    minOccurs="0" maxOccurs="unbounded"/>
                           <element ref="md:RADIUSRealm"
                                    minOccurs="0" maxOccurs="unbounded"/>
                       </sequence>
                   </extension>
               </complexContent>
           </complexType>
       <element name="RADIUSIDPService" type="md:EndpointType"/>
       <element name="RADIUSRealm" type="xs:string"/>

                    Figure 3: RADIUSIDPDescriptor schema

4.3.3.2.  <RADIUSRPDescriptor>

    The <RADIUSRPDescriptor> element extends RoleDescriptorType with
    elements common to RPs that support RADIUS.  Its
    RADIUSRPDescriptorType complex type contains the following additional
    elements:

    <RADIUSRPService> [Zero or More]  Zero or more elements of type
       EndpointType that describe RADIUS endpoints that are associated to
       this Entity.

    <RADIUSNasIpAddress> [Zero or More]  Zero or more elements of type
       xs:string that represent the acceptable values of the RADIUS NAS-
       IP-Address attribute associated to this Entity.

    <RADIUSNasIdentifier> [Zero or More]  Zero or more elements of type
       xs:string that represent the acceptable values of the RADIUS NAS-
       Identifier attribute associated to this Entity.

    <RADIUSGssEapName> [Zero or More]  Zero or more elements of type
       xs:string that represent the acceptable values of the GSS-EAP
       acceptor name associated to this Entity.  The format for this name
       is described in section 3.1 of [RFC7055], while section 3.4
       describes how that name is decomposed and transported using RADIUS
       attributes.

    The following schema fragment defines the <RADIUSRPDescriptor>
    element and its RADIUSRPDescriptorType complex type:

       <element name="RADIUSRPDescriptor"
                type="md:RADIUSRPDescriptorType"/>
           <complexType name="RADIUSRPDescriptorType">
               <complexContent>
                   <extension base="md:RoleDescriptorType">
                       <sequence>
                           <element ref="md:RADIUSRPService"
                                    minOccurs="0" maxOccurs="unbounded"/>
                           <element ref="md:RADIUSNasIpAddress"
                                    minOccurs="0" maxOccurs="unbounded"/>
                           <element ref="md:RADIUSNasIdentifier"
                                    minOccurs="0" maxOccurs="unbounded"/>
                           <element ref="md:RADIUSGssEapName"
                                    minOccurs="0" maxOccurs="unbounded"/>
                       </sequence>
                   </extension>
               </complexContent>
           </complexType>
       <element name="RADIUSRPService" type="md:EndpointType"/>
       <element name="RADIUSNasIpAddress" type="xs:string"/>
       <element name="RADIUSNasIdentifier" type="xs:string"/>
       <element name="RADIUSGssEapName" type="xs:string"/>

                     Figure 4: RADIUSRPDescriptor schema

4.3.4.  Example of SAML metadata including AAA names

    The following figures illustrate an example of metadata including AAA
    names for an IDP and an RP respectively.  The IDP's SAML name is
    "https://IdentityProvider.com/", whereas its RADIUS realm is
    "idp.com".  The RP's SAML name is "https://RelyingParty.com/SAML",
    and its GSS-EAP acceptor name is "nfs/fileserver.rp.com@RP.COM".

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        entityID="https://IdentityProvider.com/SAML">
          <RADIUSIDPDescriptor protocolSupportEnumeration=
                  "urn:oasis:names:tc:SAML:2.0:protocol">
              <RADIUSRealm>
                  idp.com
              </RADIUSRealm>
          </RADIUSIDPDescriptor>
      </EntityDescriptor>

                       Figure 5: Metadata for the IDP

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        entityID="https://RelyingParty.com/SAML">
          <RADIUSRPDescriptor protocolSupportEnumeration=
                  "urn:oasis:names:tc:SAML:2.0:protocol">
              <RADIUSGssEapName>
                  nfs/fileserver.rp.com@RP.COM
              </RADIUSGssEapName>
          </RADIUSRPDescriptor>
      </EntityDescriptor>

                        Figure 6: Metadata for the RP

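A worked example of the mapping the text above defines, added by the editor and not code from draft-ietf-abfab-aaa-saml or any ABFAB implementation: it loads metadata carrying the proposed RADIUSIDPDescriptor and RADIUSRPDescriptor elements into lookup tables, resolves the User-Name realm to the IdP's entityID and the NAS-Identifier, NAS-IP-Address and GSS-EAP acceptor name to the RP's entityID, and then checks that an assertion's Issuer and Audience agree with the RADIUS-layer parties. The sample metadata is constructed from Figures 5 and 6 with extra names added; the request attribute values, the "GSS-Acceptor-Name" request key (a stand-in for the acceptor name that RFC 7055 section 3.4 carries decomposed across several attributes), case-insensitive realm comparison and prior signature verification of the metadata are all assumptions of this example.

```python
# Map RADIUS-layer names to SAML entityIDs via the RADIUSIDPDescriptor and
# RADIUSRPDescriptor extensions proposed above.  Editor's example, not code from
# draft-ietf-abfab-aaa-saml or any ABFAB implementation.  Assumptions: metadata
# signature already verified; NAI realms compare case-insensitively like DNS
# names; the "GSS-Acceptor-Name" request key stands in for the acceptor name
# that RFC 7055 section 3.4 carries decomposed across several attributes.
import ipaddress
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
P = "urn:oasis:names:tc:SAML:2.0:protocol"

def q(local):
    # Clark-notation name in md:, where the draft's schema places the new elements.
    return "{%s}%s" % (MD, local)

# Constructed sample metadata (not from the draft): Figures 5 and 6 merged, plus a
# second realm and NAS names so that every extension element is exercised.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="%s">
  <EntityDescriptor entityID="https://IdentityProvider.com/SAML">
    <RADIUSIDPDescriptor protocolSupportEnumeration="%s">
      <RADIUSRealm>
          idp.com
      </RADIUSRealm>
      <RADIUSRealm>students.idp.com</RADIUSRealm>
    </RADIUSIDPDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://RelyingParty.com/SAML">
    <RADIUSRPDescriptor protocolSupportEnumeration="%s">
      <RADIUSNasIpAddress>192.0.2.10</RADIUSNasIpAddress>
      <RADIUSNasIdentifier>fileserver.rp.com</RADIUSNasIdentifier>
      <RADIUSGssEapName>nfs/fileserver.rp.com@RP.COM</RADIUSGssEapName>
    </RADIUSRPDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>""" % (MD, P, P)

def norm_realm(realm):
    return realm.strip().lower().rstrip(".")  # assumption: DNS-style comparison

def texts(role, local):
    # The draft's figures pad element content with newlines and indentation.
    return [e.text.strip() for e in role.findall(q(local)) if e.text and e.text.strip()]

def claim(table, key, entity_id):
    # One AAA name under two entities would let one be mistaken for the other:
    # reject the whole document rather than silently keep either.
    owner = table.setdefault(key, entity_id)
    if owner != entity_id:
        raise ValueError("AAA name %r claimed by %s and %s" % (key, owner, entity_id))

def load_aaa_names(xml_text):
    """Build (idp_by_realm, rp_by_name) lookup tables from verified metadata."""
    idp_by_realm, rp_by_name = {}, {}
    for ed in ET.fromstring(xml_text).iter(q("EntityDescriptor")):
        entity_id = ed.get("entityID")
        for role in ed.findall(q("RADIUSIDPDescriptor")):
            for realm in texts(role, "RADIUSRealm"):
                claim(idp_by_realm, norm_realm(realm), entity_id)
        for role in ed.findall(q("RADIUSRPDescriptor")):
            for ip in texts(role, "RADIUSNasIpAddress"):
                claim(rp_by_name, ("nas-ip", str(ipaddress.ip_address(ip))), entity_id)
            for nas_id in texts(role, "RADIUSNasIdentifier"):  # opaque: exact match
                claim(rp_by_name, ("nas-id", nas_id), entity_id)
            for name in texts(role, "RADIUSGssEapName"):  # whole name, not decomposed
                claim(rp_by_name, ("gss-eap", name), entity_id)
    return idp_by_realm, rp_by_name

def resolve_idp(idp_by_realm, user_name):
    """Realm part of the RADIUS User-Name (an NAI) -> IdP entityID, or None."""
    _, at, realm = user_name.rpartition("@")
    if not at or not realm:
        return None  # no realm: nothing to route on and nothing to trust
    return idp_by_realm.get(norm_realm(realm))

def resolve_rp(rp_by_name, nas_identifier=None, nas_ip_address=None, gss_eap_name=None):
    """RP names present in a request -> one entityID.  Every name present must be
    known and all must agree; otherwise None, i.e. refuse the request."""
    keys = []
    if nas_identifier is not None:
        keys.append(("nas-id", nas_identifier))
    if nas_ip_address is not None:
        try:
            keys.append(("nas-ip", str(ipaddress.ip_address(nas_ip_address))))
        except ValueError:
            return None  # malformed NAS-IP-Address
    if gss_eap_name is not None:
        keys.append(("gss-eap", gss_eap_name))
    owners = {rp_by_name.get(k) for k in keys}
    return owners.pop() if len(owners) == 1 and None not in owners else None

def assertion_matches_request(tables, request, issuer, audience):
    """An assertion in Access-Accept is acceptable only if its Issuer is the IdP
    the User-Name realm routed to and its Audience is the RP that sent the request."""
    idp_by_realm, rp_by_name = tables
    idp = resolve_idp(idp_by_realm, request["User-Name"])
    rp = resolve_rp(rp_by_name, request.get("NAS-Identifier"),
                    request.get("NAS-IP-Address"), request.get("GSS-Acceptor-Name"))
    return idp is not None and rp is not None and issuer == idp and audience == rp
```

Two design points worth noting. A name claimed by two entities is rejected outright, because the whole purpose of the mapping is to bind a RADIUS identity to exactly one SAML entity; picking the first match would let a misconfigured or malicious federation member shadow another realm. And xml.etree expands internal entities, so feed it only metadata whose signature has already been verified (or parse untrusted input with defusedxml).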

From nobody Tue Jul 28 07:11:56 2015
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59AD11A916A for <abfab@ietfa.amsl.com>; Tue, 28 Jul 2015 07:11:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.289
X-Spam-Level: 
X-Spam-Status: No, score=0.289 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsYsgTxA9I3k for <abfab@ietfa.amsl.com>; Tue, 28 Jul 2015 07:11:54 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 114A01A916F for <abfab@ietf.org>; Tue, 28 Jul 2015 07:10:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 8302B20768; Tue, 28 Jul 2015 10:10:01 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 45GRb4wfJFvL; Tue, 28 Jul 2015 10:10:01 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-50-136-30-120.hsd1.ma.comcast.net [50.136.30.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 28 Jul 2015 10:10:01 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id DBDDD87E72; Tue, 28 Jul 2015 10:10:35 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alejandro =?utf-8?B?UMOpcmV6IE3DqW5kZXo=?= <alex@um.es>
References: <55B749D0.7070501@um.es>
Date: Tue, 28 Jul 2015 10:10:35 -0400
In-Reply-To: <55B749D0.7070501@um.es> ("Alejandro =?utf-8?Q?P=C3=A9rez_M?= =?utf-8?Q?=C3=A9ndez=22's?= message of "Tue, 28 Jul 2015 11:22:24 +0200")
Message-ID: <tsl6154id9g.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/p-qW4O2JlD7FcBicyhI3FDXcpP8>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 14:11:55 -0000

This looks good to me.
I'd appreciate it if you'd run this by Alan Dekok to make sure we've got
the right RADIUS attributes to use.
Obviously we'll also want to run by SSTC and Scott.
However, I think this may be our answer.

thanks for the great work.

--Sam


From nobody Wed Jul 29 03:23:48 2015
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACED61A1A33 for <abfab@ietfa.amsl.com>; Wed, 29 Jul 2015 03:23:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.911
X-Spam-Level: 
X-Spam-Status: No, score=-3.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXx2KisnIhgS for <abfab@ietfa.amsl.com>; Wed, 29 Jul 2015 03:23:45 -0700 (PDT)
Received: from xenon23.um.es (xenon23.um.es [155.54.212.163]) by ietfa.amsl.com (Postfix) with ESMTP id A1F921A0636 for <abfab@ietf.org>; Wed, 29 Jul 2015 03:23:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon23.um.es (Postfix) with ESMTP id 5E8DA20D0; Wed, 29 Jul 2015 12:23:43 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon23.um.es
Received: from xenon23.um.es ([127.0.0.1]) by localhost (xenon23.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id JQ9POU3gJFhd; Wed, 29 Jul 2015 12:23:43 +0200 (CEST)
Received: from [10.42.0.179] (84.121.18.25.dyn.user.ono.com [84.121.18.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon23.um.es (Postfix) with ESMTPSA id 8957124AE; Wed, 29 Jul 2015 12:23:41 +0200 (CEST)
To: Sam Hartman <hartmans@painless-security.com>
References: <55B749D0.7070501@um.es> <tsl6154id9g.fsf@mit.edu>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <55B8A9AB.50806@um.es>
Date: Wed, 29 Jul 2015 12:23:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <tsl6154id9g.fsf@mit.edu>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/r17bw3tx8-LBkDU3rJCSCD5jKWM>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 10:23:47 -0000

Hi Sam,

I agree. I will check with Alan and Scott, so we have green light from them.

Regards,
Alejandro

El 28/07/15 a las 16:10, Sam Hartman escribió:
> This looks good to me.
> I'd appreciate it if you'd run this by Alan Dekok to make sure we've got
> the right RADIUS attributes to use.
> Obviously we'll also want to run by SSTC and Scott.
> However, I think this may be our answer.
>
> thanks for the great work.
>
> --Sam


From nobody Wed Jul 29 18:29:22 2015
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 948C51A92AF for <abfab@ietfa.amsl.com>; Wed, 29 Jul 2015 18:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zINZj_xX6wu6 for <abfab@ietfa.amsl.com>; Wed, 29 Jul 2015 18:29:19 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65A481A916E for <abfab@ietf.org>; Wed, 29 Jul 2015 18:29:19 -0700 (PDT)
Received: from hebrews (ip-64-134-132-68.public.wayport.net [64.134.132.68]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id A3B3138EE8; Wed, 29 Jul 2015 18:29:18 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Sam Hartman'" <hartmans@painless-security.com>, =?UTF-8?Q?'Alejandro_P=C3=A9rez_M=C3=A9ndez'?= <alex@um.es>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu> <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu> <tslio9cw8yd.fsf@mit.edu> <D143C9FB-F878-49C1-89C4-6A494714A3EC@mnt.se> <tslegk0w7iw.fsf@mit.edu> <1FA8CCED-221E-4A88-B525-BF46FAA53A3F@mnt.se> <55AFC0E3.8030500@um.es> <tslpp3kuq2f.fsf@mit.edu>
In-Reply-To: <tslpp3kuq2f.fsf@mit.edu>
Date: Wed, 29 Jul 2015 18:29:42 -0700
Message-ID: <002a01d0ca67$360da310$a228e930$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQHabii3SGVY0kDK4DpMABVxz465QAID/2LRAXTCTNQCfmwEyQKSxEj8AWDcZz0B8LdfiAHMo3CpAgeBmsQCKw+5uwG02oVNAYfmo9GdNygowA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/tByLhtOzbYspmgI6eYJBiVkEa1I>
Cc: abfab@ietf.org
Subject: Re: [abfab] Direction Forward for aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 01:29:20 -0000

> -----Original Message-----
> From: abfab [mailto:abfab-bounces@ietf.org] On Behalf Of Sam Hartman
> Sent: Wednesday, July 22, 2015 9:15 AM
> To: Alejandro Pérez Méndez
> Cc: abfab@ietf.org
> Subject: Re: [abfab] Direction Forward for aaa-saml
> 
> >>>>> "Alejandro" == Alejandro Pérez Méndez <alex@um.es> writes:
> 
>     Alejandro> I might be mistaken, but wasn't that what we wanted to
>     Alejandro> avoid in the first place when we decided not to use the
>     Alejandro> RADIUS URI scheme from my original proposal?  I guess
>     Alejandro> having an endpoint for radsec will require to define how
>     Alejandro> the "Location" values will look like, and they should be
>     Alejandro> in a URI format as well.
> 
> Standardizing a URI that /looked like
> radsec://host:port would be *lots* easier than the URI you proposed.
> However, yes I believe even that's work I don't think belongs in ABFAB or
> aaa-saml.

How much of this is to a large extent done with the DNS lookup draft
that just got out of the RADEXT working group?

> 
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab

