On 20/01/11 00:36, Jim Schaad wrote:
I am in favor of having some diagrams really early in the process. I
think this really helps to get understanding set up early. But I tend to be
a very pictorial person.
I agree with Jim here; flow diagrams will help to understand the
architecture and to detect missed problems.
Some other comments:
- p. 6, item 5: "[...] At this stage, the RP will likely have no idea
who the principal is."
You propose here to optionally send a SAML Attribute Query to the
IdP/AA, but this query has to include the user's subject. How does that
match with the previous sentence?
You could also request a SAML AuthnStatement here that could be used
later to request attributes over SOAP channels (if you decide to consider
this scenario).
- p. 6, item 6: "IdP informs the principal of which EAP method to use
[...]"
In this case the RADIUS server plays the role of IdP, but what
happens if the organization already has a running IdP (e.g. Shibboleth)?
- p. 7, item 9: What kind of check is done here? Could you provide
an example? I mean: are you checking whether the IdP could issue an
attribute statement including the user's attributes for the SP?
An attribute release policy?
- p. 12: If you decide to apply the ABFAB architecture over eduroam, you
could make use of trust-anchor and PKI services (eduGAIN) to assert
trust between organizations, but this option is not described in the draft.
- p. 19: The text "Host-based service names do not work ideally
when different instances of a service are running on different ports.
Also, these do not work ideally when SRV record or other insecure
referrals are used." is not in line with the rest of the section.
Best regards, Gabi.
--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab