On Nov 2, 2011, at 9:20 AM, Alejandro Perez Mendez wrote:

>>>>> "Rhys" == Rhys Smith <[email protected]> writes:
>>
>>     Rhys> The use of ABFAB technologies in this case, via a mechanism
>>     Rhys> dubbed "federated cross-layer access" (see [ref]) would
>>     Rhys> enhance the user experience of using these applications on
>>     Rhys> mobile devices greatly. Federated cross-layer access would
>>     Rhys> make use of the initial mutual authentication between device
>>     Rhys> and network to enable subsequent authentication and
>>     Rhys> authorisation to happen in a seamless manner for the user of
>>     Rhys> that device authenticating to applications.
>>
>> I'm not fond of the architecture of re-using the authentication, or at
>> least am nervous about the architectural coupling involved. Why isn't
>> it sufficient to simply re-use the credential? I.e., can't we perform
>> a second mutual authentication?
>
> Well, I guess that the point is exactly that: to avoid that second mutual
> authentication by reusing cryptographic material generated during the network
> authentication. An average user would like to enter his PIN number only once,
> when the device starts, and then he can access services seamlessly, without
> being prompted for the PIN number again. This is even more interesting if
> instead of a PIN number the user has to write a passphrase (not thinking of a
> mobile phone now, but of a WPA-Enterprise authentication, for example).
>
> If you are thinking of providing SSO within all the services of the
> federation, as we do in our Kerberized proposal, the intention is to
> incorporate the network access as another service, without worrying about which
> layer it works in. As it is usually the first service accessed by the user in a
> session, it would be in charge of "bootstrapping" the SSO.

Yes, I agree with that. Furthermore, I can imagine mobile operators offering brokered services (operator A strikes a deal with SaaS provider B) to their users; by definition the authentication process of the operator is the one you want to rely on. I could also imagine a step-up authentication sort of scenario, in which the network authentication acts as the first factor and another authentication method is used as additional authentication for services that have a demand for stronger authentication.

Klaas

P.S. I like Rhys' wording.

> Regards,
> Alejandro
>
>> --Sam
>> _______________________________________________
>> abfab mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/abfab
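To make the "reuse cryptographic material generated during the network authentication" idea concrete, here is an added example that is not part of this thread or of any ABFAB specification. It assumes a hypothetical scheme in which the network authentication leaves a shared root key on the device and at the home identity provider, and per-service keys are derived from it with HKDF-SHA256 using a service-specific label. The device then answers a service's challenge with that derived key, so the user is not prompted again, while keys for different services stay independent. The root key, session identifier, service names and nonces below are constructed sample values.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): iterate T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_service_key(root_key: bytes, session_id: bytes, service: str) -> bytes:
    """Hypothetical cross-layer derivation: bind the service name into the
    HKDF info field so that each service receives an independent key and
    none of them reveals the root key left behind by network authentication."""
    prk = hkdf_extract(session_id, root_key)
    info = b"cross-layer-example/" + service.encode("utf-8")
    return hkdf_expand(prk, info, 32)


def make_response(service_key: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the derived key for this challenge."""
    return hmac.new(service_key, nonce, HASH).digest()


def verify_response(service_key: bytes, nonce: bytes, response: bytes) -> bool:
    """Service side: constant-time comparison against the expected response."""
    return hmac.compare_digest(make_response(service_key, nonce), response)


def demo() -> dict:
    # Constructed values: in a real deployment the root key would be exported
    # by the EAP method at network attach, on both the device and the home IdP.
    root_key = bytes(range(32))
    session_id = b"constructed-session-0001"

    # Both sides derive the mail-service key without any further user prompt.
    k_mail_device = derive_service_key(root_key, session_id, "mail.example")
    k_mail_idp = derive_service_key(root_key, session_id, "mail.example")
    k_cal_device = derive_service_key(root_key, session_id, "calendar.example")

    nonce = b"constructed-nonce-42"
    response = make_response(k_mail_device, nonce)

    return {
        "device_idp_agree": k_mail_device == k_mail_idp,
        "services_separated": k_mail_device != k_cal_device,
        "mail_accepts_device": verify_response(k_mail_idp, nonce, response),
        "calendar_key_rejected_by_mail": not verify_response(k_cal_device, nonce, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The coupling Sam is nervous about shows up in the code as the shared `root_key` and `session_id`: whoever holds those can derive every service key, so the protection of that material on the device and at the identity provider is what the whole single-sign-on story rests on. The step-up scenario fits on top of this without changing the derivation; a service that wants a stronger assurance can simply require a second factor in addition to a valid response.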
