[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
I know, but AAA and Liberty Alliance perform different functions and
probably have different performance requirements.
But you are probably right. My developers will have to cave one day.
The question is, will they kill me first or will I manage to survive.
> -----Original Message-----
> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
> Sent: Thursday, July 27, 2006 4:08 AM
> To: Avi Lior
> Cc: Glen Zorn (gwz); David Harrington; Eliot Lear;
> isms@ietf.org; radiusext@ops.ietf.org
> Subject: Re: Follow up on Authorize Only issue (was RE:
> [Isms] ISMS session
>
> Hi Avi,
>
> your developers might need to get used to XML sooner or later
> anyway based on the excitement for Liberty Alliance nowadays.
> The functionality of the asserting party in SAML is very
> close to what a AA(A) does today.
>
> Ciao
> Hannes
>
> Avi Lior wrote:
> > Hi Hannes,
> >
> > When I wrote the word "assertion" I was thinking a SAML assertion.
> >
> > A word of caution though, everytime I mention XML to my AAA
> developers
> > they conspire to kill me.
> >
> > XML, parsing strings etc are performance killers for a AAA server.
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
> >>Sent: Wednesday, July 26, 2006 4:55 AM
> >>To: Avi Lior
> >>Cc: Glen Zorn (gwz); David Harrington; Eliot Lear; isms@ietf.org;
> >>radiusext@ops.ietf.org
> >>Subject: Re: Follow up on Authorize Only issue (was RE:
> >>[Isms] ISMS session
> >>
> >>Hi Avi,
> >>
> >>I like the idea of using some information to tie the authentication
> >>and the authorization process/exchange together. In fact we
> discussed
> >>this at the last IETF meeting when David gave his presentation.
> >>
> >>I suggested to use an existing mechanism to accomplish this
> binding,
> >>namely SAML. I can elaborate a bit more about the details
> if someone
> >>case about it.
> >>
> >>Ciao
> >>Hannes
> >>
> >>Avi Lior wrote:
> >>
> >>>I proably did not make myself clear....or maybe I did and I
> >>
> >>am missing
> >>
> >>>something.
> >>>
> >>>When the NAS sends the Access-Request Auth-Only message I
> >>
> >>agree that
> >>
> >>>it MUST contain Message-Authenticator(80) etc...
> >>>
> >>>What I meant is that it would be nice if there was a token or an
> >>>assertion that came from the place that did authenticate
> >>
> >>the user to
> >>
> >>>indicate in a cryptographic way that this user was authenticated.
> >>>
> >>>The AAA server can use that token to verify that the user was
> >>>authenticated by an entity that it trusts. Like a
> kerberose ticket.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: Glen Zorn (gwz) [mailto:gwz@cisco.com]
> >>>>Sent: Tuesday, July 25, 2006 3:47 PM
> >>>>To: Avi Lior; David Harrington; Eliot Lear
> >>>>Cc: isms@ietf.org; radiusext@ops.ietf.org
> >>>>Subject: RE: Follow up on Authorize Only issue (was RE:
> >>>>[Isms] ISMS session
> >>>>
> >>>>Avi Lior <mailto:avi@bridgewatersystems.com> supposedly scribbled:
> >>>>
> >>>>
> >>>>
> >>>>>Hi,
> >>>>>
> >>>>>If I was specifying how this is done:
> >>>>>
> >>>>>It would be nice if the AAA client could return some sort
> >>>>
> >>>>of token to
> >>>>
> >>>>
> >>>>>the AAA server to assert that the user has been
> >>
> >>authenticated by an
> >>
> >>>>>entity that it trusts. The token can be generated by the
> >>>>>Authentication Server.
> >>>>>
> >>>>>We need this assertion to make sure we deliver the
> correct profile.
> >>>>
> >>>>I disagree: the fact that the message is being sent by an
> >>>>authenticated client at all says that the user has been
> >>
> >>authenticated
> >>
> >>>>elsewhere. Note that safety requires the inclusion of a
> >>
> >>MAC (either
> >>
> >>>>the Message-Authenticator or preferably the
> >>>>Message-Authentication-Code Attribute) in the Access-Request.
> >>>>
> >>>>Hope this helps,
> >>>>
> >>>>~gwz
> >>>>
> >>>>Why is it that most of the world's problems can't be solved
> >>
> >>by simply
> >>
> >>>> listening to John Coltrane? -- Henry Gabriel
> >>>>
> >>>
> >>>
> >>>--
> >>>to unsubscribe send a message to
> >>
> >>radiusext-request@ops.ietf.org with
> >>
> >>>the word 'unsubscribe' in a single line as the message text body.
> >>>archive: <http://psg.com/lists/radiusext/>
> >>>
> >>>
> >>
> >
> > --
> > to unsubscribe send a message to
> radiusext-request@ops.ietf.org with
> > the word 'unsubscribe' in a single line as the message text body.
> > archive: <http://psg.com/lists/radiusext/>
> >
> >
>
>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>