Abfab WG Minutes
IETF 80 Prague, Czech Republic

Abfab 1: 15.10-16.10 Monday March 28, 2011
Abfab 2: 09.00-11.30 Thursday March 31, 2011

Chairs: Klaas Wierenga
        Leif Johansson

----------------------------------------
abfab 1 (monday)
----------------------------------------

Note well
Note taker established (Stefan Winter)
Jabber scribe established (Jeffrey Hutzelman)
agenda approved

ABFAB Architecture draft (Eliot Lear)
-------------------------------------------------
draft-lear-abfab-arch-02

Josh Howlett (Josh) at mic for privacy considerations: most people think of
privacy as being on an "ethical level"; Josh thinks along the lines of "keep
RP/IdP out of prison" - privacy regulations exist.
User consent is one vehicle for privacy - RPs need some attributes, but not
others.
 * user-centric paradigm - let the user disclose everything he wants
 * non-user-centric: third party releases, e.g. IdP
Technology needs to provide enough privacy support to satisfy regulations.

Sean Turner at mic: IESG review comments on security considerations need to be
spelt out in detail.

Sam Hartman (Sam): on cooperation with kitten: channel bindings in MS are
implemented "kinda cool" - but this is not possible with GSS. kitten and abfab
work is required to get similar functionality in (issue is: how to handle not
being sure if the other end supports channel binding upfront).

Leif: do we need to recharter if normative text sneaks into the arch document?
Sam suggests an operational/implementation best-practice document. Individual
submissions solicited.
Eliot: text is small though; and informative text can have normative lingo.
Hummed: in favor of the approach (unanimous, overall low participation, to be
confirmed on the list).
Leif again solicited individual drafts, for later adoption by the WG.

ABFAB Use-Cases (Rhys Smith)
--------------------------------------------
draft-abfab-usecases-00

Aaron Falk (BBN): the GENI project uses federated identity for access to
testbeds. Use case: access to networking resources. Aaron will read the draft
to see how it fits in.
Jim Schaad: plug for the plasma BOF. plasma should be building on ABFAB. Use
case: distribution of stuff over a mail protocol, but need federated access to
these.
Show of hands: 2 readers of the draft; needs more input from the community.
Leif encourages everybody to read!

Presentation of Project Moonshot (Sam Hartman)
-----------------------------------------------------------------
The Abfab VM was tried out: the proof of concept was shown to work indeed.
Leif: doing UI work is in the charter, work waiting to be done - will discuss
in abfab 2.
Sam: SAML is being used differently than usual - leads to an authorization
question: need to request attributes on behalf of someone else.
Sam: not ready for production use at all! Play with it only.

----------------------------------------
abfab 2 (thursday)
----------------------------------------

Note well
Note taker established (Linus Nordberg)
Jabber scribe established (Melinda Shore)
agenda approved

GSS-EAP (Sam Hartman)
--------------------------------------------
- slide "name format":
  Jeffrey Hutzelman (jhutz): there's a bug in the name format
  - on anonymous: wellknown/ANONYMOUS is used, but sending empty ("") in RADIUS
  jhutz: make GSS look less like Kerberos
  Sam: minimizing implementation costs, but this anonymous case probably
  stretches it
  jhutz: worth examining to use empty, but don't forget the anonymous flag
  Leif: charter doesn't mention Kerberos
  Lucy Lynch: abfab is not only about Moonshot. please avoid confusion.
  jhutz: 1. the accessor [acceptor?] might not know due to multiple hops
  Leif: ask kitten to revisit anonymous for GSS?
  Sam: not yet.
  jhutz: they might take a long time to come up with an answer better than what
  Sam is saying here and what Kerberos already has.
  Leif: moonshot does things that don't correspond to anything in the spec?
  Sam Hartman on the subject of name formats: We will do the following:
  1. fix the ABNF to note problems with "anonymous" using a slash when you
     don't have a host component
  2. specify anon behavior. empty name is the best.
  3. document the realm anonymous name and the implications of it
  4. discuss i18n
- slide "eap method req"
  - should we say "always eap channel binding" or only when mutual authn is
    being done? no reply. Sam: please have an opinion on the list.
  Sam: should I explain it here or? for reasons of time constraints, no.
- "proposed solution"
  - strong opinion on names? no response.
- "requirement for MIC"
  - [RFC 3961 doesn't have an incremental hash -- the implementer will have to
    store full state before being able to send it. The client needs memory to
    hold the complete conversation. Large cookies might be another effect.]
  Jim Schaad: what if I want to carry on a conversation _before_ I've been at
  an IdP?
  Sam: PLASMA case, the blob shouldn't be a part of the request, perhaps only a
  hash of the blob.
  Jim: layering problem.
  jhutz: an application like IMAP: before SASL the GSS server says "mech
  support here", then some roundtrips; if IMAP + STARTTLS and then you want to
  authn again, you'd have to renegotiate.
  Leif: PLASMA is an important use case but we need to finish this. please
  repeat the three options.
  Sam on the options for MIC:
  - opt 1. integrity protect each token, f.ex. the flags token
  - opt 2. signon a hash function, EAP+<3961-enctype>+
  - opt 3. use large tokens
  - opt 4. don't integrity protect large thingies (bad option!)
  Sam: the maximum complexity for opt 1 might be substantial
  Luke: opt 5. would be to revise 3961; and couldn't we put this in GSS channel
  binding?
  Sam: need help from someone who understands RADIUS VSAs, and 2. how do I
  register an entry with IANA
  - Hannes Tschofenig will help Sam with RADIUS VSAs and how to register with
    IANA

RADIUS attrib for SAML (Josh Howlett)
--------------------------------------------
- PLASMA is going with either WS-Trust or abfab
Josh: Jim, do you use SAML for your "PDPs"?
Jim: this isn't relevant for the conversation between client and service
Leif: the IdP can combine them
Scott Cantor: more than one assertion in a response
Luke Howard: standard RADIUS AVP?
Josh: yes.

Diameter attributes for SAML (Mark Jones)
--------------------------------------------
- extending Diameter EAP with new AVPs
- DER: SAML-AuthnRequest AVP
- DEA: SAML-AuthnResponse AVP, SAML-Assertion AVP
Josh: the difference to RADIUS is that you define attributes for specific SAML
attribs while we have a generic attrib. reason?
Hannes: easier to read, no real semantic difference.
Josh: makes sense. we would put it in a AAA binding document; glad for guidance
from SAML people.
Scott: re the SAML binding, we said only request/response because the binding
wasn't supposed to be a protocol.
Josh: if "we" took the same position, we're running out of RADIUS attr space
(not considering the extended attribute proposal).
Sam: hop-by-hop transport layer security?
Hannes: TLS and IPsec.
Scott: an analogy: in HTTP we have explicit routing thanks to URLs.
[Mark: a proxy should be able to pass along without understanding the payload]
Josh: since SAML2 was standardized in 2005 there has been only one new protocol
defined
[Scott: new protocols are not a big deal]
Leif (as individual): you will need attribute query
Sam: think we should use a single AVP unless there are needs for more
Mark: if we return EAP success...
Sam: in RADIUS we don't have critical restrictions on success, and if we need
it, let's do it together for RADIUS and Diameter.
Leif calls for hums: 1. more or less in the right direction? 2. adopt as a WG
document?
Sam: what if we want to say 1 attrib rather than 2, how do I hum on number 1?
Leif: adoption means that change control goes to the WG.
Melinda Shore: is this a showstopper for anyone? no replies.
Leif: do you want to decide "this" (one or several AVPs for Diameter) before
humming on adoption? result: no.
Leif: humming on adoption. result: yes, WG should adopt.
Action: confirm adoption of draft-jones-diameter-abfab as WG document as
draft-ietf-abfab-diameter, with Mark Jones and Hannes Tschofenig as document
editors, on the list.

KNP - Key Negotiation Protocol (Josh Howlett)
--------------------------------------------
Eliot Lear: flat files lying around?
Josh: yes, and that's an administrative problem.
Dave Crocker: how can TLS be not hop-by-hop?
conclusion: _trust_ is no longer path-based [?]
Sam: the routing has similar properties as BGP, but unlike DNS each hop may
have policy and do filtering
Sam: you shouldn't have to run your own introducer if you're too small
Jim: is this really abfab? how does the trusted router fit in the charter?
[Josh: you _could_ have introducers w/o trust routers but it doesn't buy you
much.]
Leif: this is an invited presentation and not a question of adoption. this is
partially a problem statement document and I suggest splitting the document
in two parts
Mark: s/radius/radius or diameter/g.
Josh: ack.
Mark: introducer == broker?
Josh: yes.
Eliot: useful and interesting presentation; we need ways to deal with larger
and higher numbers of federations.

NFSv4 (Andy Adamson)
--------------------------------------------
- Won't happen since Andy isn't in the room and also we're running out of time.

Milestones update
--------------------------------------------
Leif:
- EMSK will possibly be removed since not used
- EAP applicability is getting done by Joe Salowey and Stefan Winter
- lacking UI usability doc still. question: anyone done anything re this?
Rhys: Janet has some work on UI going on within Moonshot; they will write an
IETF document and Rhys will co-edit it.
Leif stares at Bob.
Bob Morgan: I can be persuaded to work with Rhys on this because of Kantara ULX
involvement.
Leif: Will the documents slip? silence means no. result: silence.
Rhys: August might be tough.
Josh: no, that's fine. [:-)]

OID registry (Rhys Smith)
--------------------------------------------
- got an OID from IANA: 1.3.6.1.5.5.15
jhutz: why reimplement?
Sam: backwards incompatible changes. making gss-eap in the next version.
- Rhys asks implementers to let him know when OIDs under the abfab arc are used.

Closing
-------
The chairs close the meeting.