Re: Federated Authentication Beyond The Web: Problem Statement and Requirements
On 7/6/10 11:15 AM, Hannes Tschofenig wrote:
Hi Hannes,
> at the next IETF meeting we are going to have a BOF about "Federated Authentication Beyond The Web". In case you have not noticed the work relates to RADIUS and Diameter.
> I wrote this very short problem statement document to explain the purpose of the BOF:
> http://www.ietf.org/internet-drafts/draft-tschofenig-moonshot-ps-00.txt
> Let me know if you find the description useful. Feedback about the BOF topic would also be appreciated.
I find the description useful, however I would like to challenge the
MUST for RADIUS and/or Diameter. There are a number of Federated
Authentication for applications access protocols out there, SAML, OpenID
and others. RADIUS and Diameter are typically associated with network
access. And while I do see the attractiveness of marrying the two (and
thus leveraging existing trust fabrics), I wonder why you want to
restrict a priori to just those. As an example
draft-cantor-ietf-sasl-saml-ec-00.txt, draft-lear-ietf-sasl-openid-00,
and draft-wierenga-ietf-sasl-saml-00 specify the use of federated
authentication in a SASL context. And services like eduroam are an
example of the use of just RADIUS to implement federated authentication
for non-web applications.
I do understand that it is not possible nor desirable to take on
everything, but let's at least have this scoping discussion in the BoF.
Klaas