Re: [Isms] Multi-namespace authentication
DBN> However, if an operator is using *both* SSH and TLS, for example, with
DBN> disjoint user databases having disjoint namespaces, the only ways to
DBN> fix that issue "in the transport" would be to either synchronize the
DBN> namespaces (i.e. either de jure or de facto single-sign on) or to
DBN> incorporate some form of administrative "realm" element in the user
DBN> name.  An example of such a construct may be found in the Network
DBN> Access identifier [RFC 4282].

And a solution like that makes sense.  If every secure TM transport had
to hand up a securityName from below formatted something like
"user@TMTOKEN" where TMTOKEN was SSH, DTLS, TLS or whatever was defined
by the TM transport then it would solve the uniqueness problem in a very
very easy way.

This is pretty much exactly what I proposed, but with a different syntax.
I don't have a strong reason to prefer one syntax over the other, though I
think it is slightly more intuitive not to use '@' to introduce things
other than domain names.

-- Jeff
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms
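
The following is an added example, not part of the thread or of any ISMS draft: it sketches the "user@TMTOKEN" form discussed above and shows why a parser has to split on the last '@' once user names may themselves look like NAI-style "user@domain" names. The function names, the token set and the two user databases are constructed for illustration.

```python
# Added illustration. TRANSPORT_TOKENS, qualify(), split_qualified() and the
# sample databases are hypothetical, not taken from any specification.
TRANSPORT_TOKENS = {"SSH", "TLS", "DTLS"}  # the tokens named in the message

# Constructed sample data: two disjoint user databases that both hold "admin".
SSH_USERS = {"admin": "operations team", "alice@example.com": "NAI-style user"}
TLS_USERS = {"admin": "contractor certificate"}


def qualify(user, transport):
    """Build the securityName a transport model would hand up."""
    if transport not in TRANSPORT_TOKENS:
        raise ValueError("unknown transport token: %r" % transport)
    if not user:
        raise ValueError("empty user name")
    return "%s@%s" % (user, transport)


def split_qualified(security_name):
    """Recover (user, transport) from a qualified name.

    Split on the LAST '@': the user part may already contain one, which is
    the ambiguity raised in the reply about reusing '@' for non-domains.
    """
    user, sep, token = security_name.rpartition("@")
    if not sep or not user or token not in TRANSPORT_TOKENS:
        raise ValueError("not a transport-qualified name: %r" % security_name)
    return user, token


def colliding_names():
    """User names that would be ambiguous without a transport qualifier."""
    return set(SSH_USERS) & set(TLS_USERS)


def build_index():
    """Map each qualified securityName to the principal behind it."""
    index = {}
    for transport, users in (("SSH", SSH_USERS), ("TLS", TLS_USERS)):
        for user, owner in users.items():
            index[qualify(user, transport)] = owner
    return index


if __name__ == "__main__":
    print("ambiguous without qualifier:", sorted(colliding_names()))
    for name, owner in sorted(build_index().items()):
        print(name, "->", owner, split_qualified(name))
```

The scheme only stays unambiguous if every transport qualifies its names; an unqualified "alice@example.com" is rejected here rather than being read as user "alice" on a transport called "example.com".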


