Hi Sam,

On 06/07/11 22:21, Sam Hartman wrote:

> It plays the role of SAML metadata in our system.

OK, although it also handles federation routing and topology information, and forwards EAP authentications. It plays a lot of roles :)

> However it is not required that every institution needs to deploy a trust
> router.

OK.

> Gabriel> - Does the term Trust Path refer to the AAA path/TRs path/mixed?
>
> Your AAA message goes from something near the RP to the radsec server
> near or at the IDP assuming you're actually using RADSEC.
> However other realms help set up the technical and policy trust required
> to send that message.

I can understand the AAA path in this case, but I think this mixed path is very complicated. If every realm implemented this functionality like an AAA server, it would be more interesting.

> Gabriel> Section 4:
>
> Gabriel> - The list of security properties required by the Trust Routers
> Gabriel> would help to a better understanding of the protocol :)
>
> * hop-by-hop integrity
> * peer entity authentication
> * for some deployments confidentiality

The last comments clarify this point.

> OK, let's take the example from Margaret's draft.
> I'm going to try and enumerate all the traffic.
>
> 1) Trust routers exchange and flood routes. I don't know what the order
> of messages of this exchange is, but I'm sure people familiar with
> routing protocols do. This is amortized across all uses of the trust
> infrastructure. Messages are generated when routes change.

This is an important point that may require another significant number of exchanges, in order to build and exchange the federation topology (I'm thinking here of something like eduroam) and to query that path from the RP (although I suppose here only 2 messages are needed).

Have you analysed how this process (I count 18 messages for 4 realms, without the routing and attribute request exchanges) could affect specific services like SIP?

Thanks a lot for your comments, Sam. I think this explanation (completed with the routing part) should appear in the next version.

Best regards,
Gabi.
--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
