Thursday, July 24, 2014
hartmans has set the subject to: ABFAB at IETF 89

[02:04:17] metricamerica joins the room
[02:24:57] metricamerica leaves the room
[12:58:21] jimsch1 joins the room
[12:58:56] hartmans joins the room
[12:59:56] Kathleen Moriarty joins the room
[13:00:06] Mark Donnelly joins the room
[13:01:36] hartmans has set the subject to: ABFAB at IETF 90
[13:07:27] Ben Kaduk joins the room
[13:12:14] <hartmans> Uh, this is not my understanding of the issue at all.  I thought the issue was when you wanted to use SAML metadata carried over AAA.
[13:12:45] <hartmans> and you wanted to avoid a cut&paste attack, you needed naming to name the expected endpoints.
[13:13:08] sftcd joins the room
[13:14:11] <jimsch1> do you want this relayed?
[13:14:56] <hartmans> In some form, I'm not really sure how to do it effectively, because my reaction is basically "wait! this is 100% a different problem than we've been discussing for the last year"
[13:15:08] <hartmans> do you understand the distinction well enough to disambiguate
[13:15:56] <hartmans> mic: how many of your 4096 RADIUS packet characters are you wasting?
[13:16:08] semery joins the room
[13:16:51] <jimsch1> Is that going to be more important than the 1024 attribute name length waste?
[13:17:08] <hartmans> yes much.  Because you get 1024-per-entity but 4096 total
[13:17:19] <hartmans> without radius fragmentation.
[13:17:29] <jimsch1> Yes good question
[13:17:40] <hartmans> In the case where you're not signing, and where you're not using metadata for keying, the radius limit probably matters.
[13:20:07] <hartmans> mic: I believe this is solving the wrong problem.  I believe the problem we were trying to solve was how to authorize AAA entities in SAML metadata.
[13:20:09] <jimsch1> No they did not think about this apparently
[13:21:07] <hartmans> Jim, this is 100% Josh and I suspect no one else.  When I talked to people last week, no one knew what he was going to propose.
[13:21:15] joins the room
[13:21:53] sftcd joins the room
[13:22:05] sftcd leaves the room
[13:23:02] <hartmans> And Leif has also forgotten why this is an issue. sigh
[13:26:42] <jimsch1> If we are trying to do metadata naming, why does this need to be in this document?  Can that not be implementation specific?
[13:32:39] <hartmans> There's a channel binding issue.
[13:32:43] <hartmans> It's the one you brought up.
[13:32:55] <hartmans> It needs to be in this document if you want security.
[13:33:14] <jimsch1> But that is actual naming and not metadata.
[13:36:10] <hartmans> Well, you can solve the channel binding issue either with a metadata extension or with a message extension.
[13:36:20] <hartmans> That's what I meant by metadata
[13:45:20] hartmans leaves the room
[13:45:43] jimsch1 leaves the room
[13:49:04] Mark Donnelly leaves the room
[14:01:25] semery leaves the room
[14:01:40] Ben Kaduk leaves the room
[14:03:07] =JeffH joins the room
[14:03:16] <=JeffH> ok i got it working :-/
[14:03:35] metricamerica joins the room
[14:03:41] sftcd leaves the room
[14:04:52] <=JeffH>
[14:05:13] metricamerica leaves the room
[14:08:27] <=JeffH> on slide 5 of that chairs' slide deck: Basic & Digest Enhancements
[14:09:14] <=JeffH> are there really only 3 of us in here?
[14:10:53] <=JeffH> i take that as a 'yes' and so i don't think scribing here is worth it
[14:11:47] <Kathleen Moriarty> This should be in
[14:19:16] Ben Kaduk joins the room
[14:19:22] <=JeffH> thx
[14:19:24] =JeffH leaves the room
[14:22:18] leaves the room
[14:24:20] Kathleen Moriarty leaves the room
[14:42:39] Ben Kaduk leaves the room