Re: [Dime] Comments about Webauth application

[Niklas Neumann <niklas.neumann at cs.uni-goettingen.de>]

Hey Lionel,

thank you for your feedback. WebAuth is actually using the AAR/AAA 
commands from RFC 4005 and just the corresponding AVPs from RFC 4740 
(i.e. SIP-Authenticate, SIP-Authorization, SIP-Authentication-Info). 
This includes the reuse of the particular AVP codes. However, WebAuth 
also has a number of small additions to RFC 4740 such as the requested 
URI or the remote user name/address which is why we don't want to just 
adopt RFC 4740.

I am not sure, that I understood you right about reusing the 
Application-ID. I don't think you are allowed to just implementing a 
small part of a Diameter application (i.e. just one request/answer pair) 
but sill announce the original Application-ID.


Best regards
  Niklas


lionel.morand at orange-ftgroup.com wrote:
> Hi Niklas,
>
> See below. 
>
> > -----Message d'origine-----
> > De : dime-bounces at ietf.org [mailto:dime-bounces at ietf.org] De 
> > la part de Niklas Neumann
> > Envoyé : lundi 24 août 2009 14:56
> > À : dime at ietf.org
> > Objet : [Dime] Comments about Webauth application
> >
> > Hello everybody,
> >
> > I would like to address the comments we received during the 
> > last IETF meeting regarding the Diameter Webauth application. 
> > If you have missed the presentation, the slides are available here: 
> > http://www.ietf.org/proceedings/75/slides/dime-8.pdf
> >
> >
> > * Diameter SIP application also includes HTTP digest authentication:
> > This is true and WebAuth is actually reusing the AVP 
> > specifications made in RFC 4740. I do not suppose the 
> > suggestion is that people should just implement 4740 if they 
> > just want to use HTTP authentication over Diameter so I do 
> > not see any problems with that.
>
> Maybe the question could be: does the use of the MAR/MAA command pair with the Application-id "Diameter SIP Application (6)" fulfil your requirements?
> If the answer is "yes", you don't have to create a new application. You can just specify that in the context of Web authentication, MAR/MAA are used for HTTP Digest authentication. If there is no modification to the command ABNF description nor new mandatory AVP to support for webauth, the application-id can be re-used as such. There is no need to implement the whole RFC 4740 "Diameter SIP application" if you want only to support the authentication part.
>
> Lionel
>
> > * Corresponding RADIUS specification (RFC 5090) is not 
> > adopted due to latency issues:
> > I cannot really comment if anybody uses RFC 5090 or not. 
> > However, RFC 5090 obsoletes RFC 4590 so there must have been 
> > at least some interest to put work into another revision of 
> > the original RFC.
> > Regarding the latency I see how this might be an issue if you 
> > do the Diameter authentication for every HTTP request. 
> > However, I think it is more realistic that HTTP servers will 
> > cache Diameter responses or even open some sort of session 
> > context which will only be initially authenticated.
> >
> >
> > I really appreciate any of your comments. I think that web 
> > environments can benefit from authentication and 
> > authorization standards to make life easier for site 
> > administrators and to benefit from existing Diameter 
> > deployments. If there is anything that would make the draft 
> > more adoptable please let us know.
> >
> >
> > Best regards
> >    Niklas
> >
> > --
> > Niklas Neumann - University of Goettingen, Institute of 
> > Computer Science http://user.informatik.uni-goettingen.de/~nneuman1/
> > Tel: +49 551 39-172053
> > _______________________________________________
> > DiME mailing list
> > DiME at ietf.org
> > https://www.ietf.org/mailman/listinfo/dime



--
Niklas Neumann - University of Goettingen, Institute of Computer Science
http://user.informatik.uni-goettingen.de/~nneuman1/
Tel: +49 551 39-172053