Re: [Dime] Comments about Webauth application
Hi Niklas,
See below.
> -----Original Message-----
> From: dime-bounces at ietf.org [mailto:dime-bounces at ietf.org] On
> Behalf Of Niklas Neumann
> Sent: Monday, 24 August 2009 14:56
> To: dime at ietf.org
> Subject: [Dime] Comments about Webauth application
>
> Hello everybody,
>
> I would like to address the comments we received during the
> last IETF meeting regarding the Diameter Webauth application.
> If you have missed the presentation, the slides are available here:
> http://www.ietf.org/proceedings/75/slides/dime-8.pdf
>
>
> * Diameter SIP application also includes HTTP digest authentication:
> This is true and WebAuth is actually reusing the AVP
> specifications made in RFC 4740. I do not suppose the
> suggestion is that people should just implement 4740 if they
> just want to use HTTP authentication over Diameter so I do
> not see any problems with that.
Maybe the question could be: does the use of the MAR/MAA command pair with the Application-id "Diameter SIP Application (6)" fulfil your requirements?
If the answer is "yes", you don't have to create a new application. You can just specify that in the context of Web authentication, MAR/MAA are used for HTTP Digest authentication. If there is no modification to the command ABNF description nor new mandatory AVP to support for webauth, the application-id can be re-used as such. There is no need to implement the whole RFC 4740 "Diameter SIP application" if you want only to support the authentication part.
Lionel
>
> * Corresponding RADIUS specification (RFC 5090) is not
> adopted due to latency issues:
> I cannot really comment if anybody uses RFC 5090 or not.
> However, RFC 5090 obsoletes RFC 4590 so there must have been
> at least some interest to put work into another revision of
> the original RFC.
> Regarding the latency I see how this might be an issue if you
> do the Diameter authentication for every HTTP request.
> However, I think it is more realistic that HTTP servers will
> cache Diameter responses or even open some sort of session
> context which will only be initially authenticated.
>
>
> I really appreciate any of your comments. I think that web
> environments can benefit from authentication and
> authorization standards to make life easier for site
> administrators and to benefit from existing Diameter
> deployments. If there is anything that would make the draft
> more adoptable please let us know.
>
>
> Best regards
> Niklas
>
> --
> Niklas Neumann - University of Goettingen, Institute of
> Computer Science http://user.informatik.uni-goettingen.de/~nneuman1/
> Tel: +49 551 39-172053