ABFAB - Leif Johansson and Klaas W. presiding

1. Agenda bashing and Note Well (5 min)

2. abfab overview and introduction for newbies (15 min)

Klaas gave an overview of the history of the abfab effort and its origin in the moonshot project.

3. Document status and discussions (45 min)

3.4 draft-lear-abfab-architecture-00.txt

Hannes Tschofenig presenting on this draft and the architecture overall.

Leif: there are two draft specs in the OASIS SSTC/SAML technical committee that accompany the I-Ds in the IETF abfab wg.
Stephen Farrell (mic): are you going to evaluate the privacy properties of all the EAP mechanisms?
Hannes: the IAB has written on privacy at a high level recently; in terms of EAP mechanisms, user confidentiality is an aspect here (e.g. one can't tell it's me authenticating); .....
Leif: it's in our charter that the technologies we develop need to have "sufficient" privacy properties, but not every spec needs to have a privacy considerations section.
Farrell: if there's not this info for EAP methods, then how can you meet that charter goal?
Hannes: the IAB doc, while still at an early stage, can help us to write the stuff we need to....
Sam: proposes that we evaluate a set of EAP methods for privacy properties.

The authors will update this document to reflect discussion on the list before asking for WG adoption.

3.1 draft-ietf-abfab-gss-eap

Sam Hartman presenting.

There was a discussion at the mic about OIDs vs GUIDs in GSS-API that the chairs declared out of scope for abfab.
Sam: we need a mechanism OID; this should be allocated, but not "too late in the process".
Sean Turner (AD): no preference for where the OID comes from.
Sam asked the room for opinions on the creation of an IANA registry mapping SASL names, mechanism OIDs and GUIDs (for Microsoft NegoEx).
AI: Chairs and AD (Sean) to figure out where to allocate an OID.
Sam: should CB == null mean that CB is turned off? This has implications for Kerberos and other existing protocols.
Larry Zhu: CB should be optional.
Sam: yes, CB should be optional to deploy but mandatory to implement.
Larry: that implies a lot of complexity.
Sam: yes, and GS2 has facilities to deal with some of that.

Sam presented the naming proposal and explained the complexity involved. Note that there may need to be work done in GSS-API to support anonymous naming.
Sam presented error handling, which may also require work in the kitten wg.
Sam presented requirements for extension tokens, which will be used for CB in abfab.
Sam presented the requirement for a registry for RFC 4121 tokens. This is not abfab specific, but it might as well get done in abfab as in krb-wg.
Sean (AD): it doesn't matter where it gets done.

slide 15: DISCUSSION

Sam finished up this presentation with a discussion on SAML vs AAA attributes.
Hannes: AAA provides full freedom, so we have seen XML-encoded policies sent around "in AAA".
Leif: largely a deployment issue; AAA and SAML will often coexist.
Sam: people will do more complex things than we were anticipating.

3.3 draft-ietf-abfab-aaa-saml-00

Josh Howlett presenting.

Discussion on the tradeoffs of using Diameter vs RADIUS given the need to transport (large) SAML blobs.
Mark Jones: reading the doc, it seems Diameter is penalized because it is doing more fragmentation than normally required.
Hannes: AAA work in the past has leveraged both Diameter and RADIUS; Diameter vs RADIUS: major differences.
Sam: we need to be our own Diameter application, but an attribute we define might be useful for Diameter stuff in general, e.g. VoIP.
Sam: Diameter is in the charter, but does not need to be in this doc.
Hannes and Sam discussed RADIUS proxies for a while.
AI: Mark Jones and HT have volunteered to do the Diameter-based spec.
Josh: do we use "naked" SAML assertions or full SAML request/response objects?
Leif (as individual): we may need to have the ability to do SAML attribute queries over abfab.
Sam: we can use that over RadSec.
Hannes: need a new RADIUS query for that...
Luke (in jabber): depends on whether we want to do it at the time of authentication or not.

Chairs cut the discussion to save time.

Josh continues with the presentation on the format of the AAA attribute.
Luke: why do we need a separate AAA field for the object type?
Josh: the AAA server may need to do inspection without knowing how to parse XML.
Luke: my preference is for separate RADIUS attributes, unless there's some reason that we're running out.
Luke: I note that JANET has a namespace for RADIUS attribute types that is probably largely unassigned.

4. Technical discussion (25 min)

Sam: krb wg folks are thinking of adding cross-realm key establishment to their charter; folks here should follow that.
Hannes: are there plans for doing interop, say at the next IETF meeting?
Chairs explained the difference between moonshot (the open-source project) and abfab (the IETF wg).
Sam: the moonshot project is expecting to do an interop event / testing during 2CQ2011.
Hannes: I could bring an AAA server to a joint interop.
Leif: if folks want to have an interop event co-located with an IETF meeting, they need to talk with the chairs.
Sam: volunteers to coordinate such an event at the Prague IETF meeting.

Chairs declared the meeting done.