I've been thinking about the mail I sent yesterday as well as some discussions within the architecture team. I've also been thinking about Josh's proposed requirement that we specify enough detail about technical trust establishment to get better interoperability than SAML.
We've been talking about the importance of proxy behavior throughout the process. Some of that will be local. For example, how a proxy near the RP knows that a particular machine is allowed to claim a hostname is a local matter. However, there are significant elements that have real protocol impacts if we're going to have interoperability. First, all of this proxy behavior is inherently optional: today's proxies don't do it. So, as I discussed yesterday, we need mechanisms for knowing what proxies have done and what they have not done. Second, when things are decomposed, like the host check living in an organization and the realm check living closer to an IDP, then we need to explain how those checks fit together to meet our security guarantees.

Also, it is quite obvious that intermediates have important roles to play. The value that federations bring to the ecosystem is managing and negotiating policies and agreements. Some of that feeds into protocol requirements for exchanging what policies are in play, and for allowing the federation to filter (or provide filters) on the behavior of actors. Also, as Josh and I hope to explain in Prague, we believe that a new technical trust mechanism is required for some common ABFAB deployments.

All this together suggests to me that we have a lot to think about in terms of the AAA fabric that makes these federations possible. There's a lot of discussion starting to filter into the architecture document. However, I'm now convinced that it goes beyond that. Protocol elements are required. I'm not ready with specific proposals at the moment. What I do think is important is creating some high-bandwidth discussions of the issue to get more than just Josh and me into the right mental space. This is a heads up that I'd like to have these sorts of discussions and a call for interest.

--Sam

_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab
