"Rhys" == Rhys Smith <[email protected]> writes:

Rhys> The use of ABFAB technologies in this case, via a mechanism
Rhys> dubbed "federated cross-layer access" (see [ref]) would
Rhys> enhance the user experience of using these applications on
Rhys> mobile devices greatly. Federated cross-layer access would
Rhys> make use of the initial mutual authentication between device
Rhys> and network to enable subsequent authentication and
Rhys> authorisation to happen in a seamless manner for the user of
Rhys> that device authenticating to applications.

I'm not fond of the architecture of re-using the authentication, or at least I am nervous about the architectural coupling involved. Why isn't it sufficient to simply re-use the credential? I.e., can't we perform a second mutual authentication?
Well, I guess that the point is exactly that: to avoid that second mutual authentication by reusing cryptographic material generated during the network authentication. An average user would like to enter his PIN only once, when the device starts, and then access services seamlessly, without being prompted for the PIN again. This is even more interesting if, instead of a PIN, the user has to type a passphrase (not thinking of a mobile phone now, but of WPA-Enterprise authentication, for example).

If you are thinking of providing SSO across all the services of the federation, as we do in our Kerberized proposal, the intention is to incorporate network access as just another service, without worrying about which layer it works at. As it is usually the first service accessed by the user in a session, it would be in charge of "bootstrapping" the SSO.
Regards, Alejandro
--Sam

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
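As an added illustration (editor's sketch, not code from this thread, from any ABFAB draft, or from the Kerberized proposal Alejandro mentions), the Python below models the idea both messages circle around: the network authentication is the only step that involves the user, and afterwards the device derives an independent key per service from the resulting master key and answers each service's challenge with no further prompt. Everything application-specific here is assumed for the example: the `cross-layer-sso` label, the `derive_service_key` / `Service` / `Device` names, the challenge/response format, and the assumption that each service gets its own derived key from the authentication server out of band. Only the HKDF construction follows a real specification (RFC 5869, SHA-256).

```python
"""Cross-layer key reuse sketch (added example; all names and message
formats are hypothetical). One master key `msk` comes out of the network
authentication; per-service keys are derived from it with HKDF, and a
service authenticates the device by HMAC challenge/response."""
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(prk, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_service_key(msk: bytes, service_label: str) -> bytes:
    """Per-service key bound to the service's label (label string is an
    assumption of this example). Different labels give unrelated keys, and a
    service holding its key cannot recover msk because HKDF is one-way."""
    prk = hkdf_extract(b"", msk)
    return hkdf_expand(prk, b"cross-layer-sso|" + service_label.encode(), 32)


def _response(key: bytes, label: str, nonce: bytes) -> bytes:
    # The label is bound into the MAC so a response for one service is
    # meaningless to another even if a nonce were reused.
    return hmac.new(key, b"resp|" + label.encode() + b"|" + nonce, HASH).digest()


class Service:
    """Relying service. It is given only its own derived key (assumed to be
    delivered by the authentication server), never the master key."""

    def __init__(self, label: str, key: bytes):
        self.label, self.key = label, key

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, response: bytes) -> bool:
        return hmac.compare_digest(_response(self.key, self.label, nonce), response)


class Device:
    """The user's device: holds msk after network authentication and derives
    whatever service key it is asked for, with no user interaction."""

    def __init__(self, msk: bytes):
        self.msk = msk

    def respond(self, label: str, nonce: bytes) -> bytes:
        return _response(derive_service_key(self.msk, label), label, nonce)


def network_authentication() -> bytes:
    """Stand-in for the initial mutual device/network authentication (the one
    step that would prompt for the PIN). Constructed placeholder: it just
    returns a fresh 256-bit master key shared with the network side."""
    return os.urandom(32)


def sso_session(labels) -> dict:
    """Authenticate once to the network, then to every listed service with
    no further prompt. Returns {label: verified?}."""
    msk = network_authentication()
    device = Device(msk)
    results = {}
    for label in labels:
        svc = Service(label, derive_service_key(msk, label))
        nonce = svc.challenge()
        results[label] = svc.verify(nonce, device.respond(label, nonce))
    return results


def check_domain_separation(msk: bytes) -> bool:
    """A response computed for service A must be accepted by A and rejected
    by B: both the key and the MAC input are bound to the label."""
    device = Device(msk)
    svc_a = Service("a.example", derive_service_key(msk, "a.example"))
    svc_b = Service("b.example", derive_service_key(msk, "b.example"))
    nonce = svc_a.challenge()
    resp_for_a = device.respond("a.example", nonce)
    return svc_a.verify(nonce, resp_for_a) and not svc_b.verify(nonce, resp_for_a)


if __name__ == "__main__":
    print(sso_session(["imap.example", "wiki.example"]))
```

The architectural coupling Sam raises is visible in the model: every service key is a deterministic function of the single `msk`, so whoever holds `msk` (the device, the network-side server, or anything that compromises either) can impersonate the user to every service, whereas a fresh mutual authentication per service from the long-term credential keeps the services independent of the network session's key material.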
