ABFAB Notes IETF93
==================

* UI Considerations
  + 3-minute summary
  + Document has been revved based on feedback
  + More comments forthcoming
  + Anticipate getting it finished this week
    - Leif hopes for WGLC by this Friday
    - And writeup stage before September

* AAA-SAML
  + Main issue: mapping between SAML names and AAA names
    - Proposal went out yesterday
  + Other relevant issues
    - Include a nomenclature table (done)
    - Change the name of "SAML Message Attribute" to "SAML Protocol"
    - Q: Are domain-only NAI representations allowed in the Network Access Identifier Name Identifier Format?
    - A1: NAI allows that
    - A2: If we don't allow that, we'd need another convention for anonymous naming, so we might as well use the one that exists
    - Q: Should section 6.1 Confirmation Method identifiers also refer to the ones in section 8.1?
      > A: Jim got an answer from Scott, then forgot it
  + Proposal for wrapping SAML in RADIUS data
  + Proposal to name an AAA identity using a URI
    - Sam didn't like that.
    - Go through an example RP metadata
  + Sam at mike: Thanks to Alejandro for moving this forward
    - Registering a RADIUS URI? Might be difficult.
    - Want to discuss the metadata structure: if registering were easy, would this be what we want?
      > Leif: This looks pretty close to what he would like
      > Leif: Do we need a role descriptor for this? Use the one that already exists, but does it need a different binding?
    - Trying to register will be a lot of work
      > Especially for a URI scheme without hostname or port or such
      > We'll have to talk to APPS and RADExt more than we want to
      > Q: Could we add extra attributes?
        o Want to specify a placeholder URI for now, and replace it in the future if we need to.
        o The endpoint type has a required binding location; response location is optional; local namespace attributes can be added
        o Propose to define a URN that indicates that the location is context-dependent
        o Define a location that is "NO"
        o Attributes for NAI, NSID, GSS Name
        o This gets us out of defining a new URI
        o This also allows the use of a location URI, if someone comes up with one eventually.
        o Maybe put extensions on the RoleDescriptor types.
      > If RoleDescriptor doesn't need an endpoint, why don't we just get rid of the URN and stick it in the RoleDescriptor?
        o Leif: Yeah, they don't need endpoints
        o Alejandro thinks that he knows how to move forward on that
        o Sam is in favor
        o Jim Schaad: So, basically we're splitting the name into other pieces?
        o Leif: We're much more worried about binding the name to a key
        o Leif: We're going to have to do cross-review with SSTC / OASIS
      > Who will take this to the SSTC / OASIS?

* Extra scheduled work
  + Stefan Paetow's presentation
    - SSH as a use case
    - Use ABFAB to do domain transitions
    - Log in to one system, then use that system to access further systems
    - Like SSH agent forwarding or XXXX from OAUTH
    - Cheznet did a proof of concept of getting an EAP-TTLS token
    - Interesting question: Can we get enough people to do the work?
      > Need more than JISC and Painless Security people to get enough review
      > ... and implementation!

* Where to go from here
  + Credential delegation
  + Ephemeral keying
  + Do we recharter with a couple of extension proposals?
    > Does Stephen want to get rid of us desperately?
    > Well, not desperately...
    > Finish the current set of documents first
    > Want to be finished by Yokohama
    > Will people be at Yokohama? Or Buenos Aires?
    > Maybe have an interim or virtual interim?
    > Another option is to close the WG and have AD-sponsored documents for the remainder
  + Consensus: Finish what we have, then have an interim meeting

* Open mike:
  + GSSWeb
    > A Chrome and Firefox extension coupled with an Apache module to do GSS-EAP authentication
  + Launch of the academic service in the UK
    > Corresponding GEANT project to do the same, and turn it into a global service