RADIUS was never developed for these types of things. Hence, it is not "ideally" suited for such scenarios.
This was one of the reasons for the development of Diameter.

ciao
Hannes

From: [email protected] [mailto:[email protected]] On Behalf Of ext Alejandro Perez Mendez
Sent: Thursday, November 03, 2011 5:32 PM
To: Rhys Smith
Cc: [email protected]
Subject: Re: [abfab] I-D Action: draft-ietf-abfab-aaa-saml-02.txt

On 03/11/11 16:21, Rhys Smith wrote:
> On 3 Nov 2011, at 15:09, Alejandro Perez Mendez wrote:
>> On 11/3/11 10:51 AM, "Alejandro Perez Mendez" <[email protected]> wrote:
>>>> What if the user has some attribute which is > 4K? For example a photo (for biometric comparison). I think that this situation should not be ignored, even when I can agree it will not be the most usual.
>>> Sorry, I wasn't saying the assertion wouldn't be > 4K, I was saying the signature alone isn't that much bigger than a mediumish attribute unless you add the cert. I thought the > 4K thing was addressed by chunking it up. If not, you have a problem.
>> That's exactly the problem. Even splitting into 253-byte chunks, a RADIUS message cannot have more than 4K in total, including all the attributes. So, I think it would be required to find a solution for this, as it could happen, even without certificates and signatures.
> Could send a SAML artifact and then get the real, large, SAML assertion by resolving the artifact over http on the issuing IdP?

You could, but then you would need to rely on a PKI for the trust (during http assertion retrieval). I thought that idea was already discarded in favor of AAA-based trust.

Regards,
Alejandro

> R.
> --
> Dr Rhys Smith: Identity, Access, and Middleware Specialist
> Cardiff University & JANET(UK)
> email: [email protected] / [email protected]
> GPG: 0xDE2F024C
_______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
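The size argument made in the thread (253-byte attribute values, 4K per RADIUS message) can be checked mechanically. The following is an added example, not code from the thread or from the ABFAB drafts. It takes the RADIUS limits from RFC 2865 (4096-byte maximum packet, 20-byte header, 1-byte Type and 1-byte Length per attribute, so at most 253 value bytes per attribute), splits a logical value into attribute-sized chunks the way a NAS or AAA server would, and reports whether the result fits in a single packet. The `other_attrs_bytes` parameter and the two sample "assertions" are assumptions constructed for the example; no real SAML is involved.

```python
# Added example (not from the mailing-list thread): checks whether a large
# attribute value, such as a SAML assertion, can be carried in one RADIUS
# packet once it is split into 253-byte attribute values.
#
# Constants are from RFC 2865: a RADIUS packet is at most 4096 bytes, the
# fixed header is 20 bytes, and each attribute has a 1-byte Type and 1-byte
# Length, so its value is at most 255 - 2 = 253 bytes.
from __future__ import annotations

RADIUS_MAX_PACKET = 4096
RADIUS_HEADER_LEN = 20
ATTR_HEADER_LEN = 2
ATTR_MAX_VALUE_LEN = 253


def chunk_attribute(value: bytes) -> list[bytes]:
    """Split one logical value into RADIUS-sized attribute values (<= 253 bytes each)."""
    if not value:
        return [b""]
    return [value[i:i + ATTR_MAX_VALUE_LEN]
            for i in range(0, len(value), ATTR_MAX_VALUE_LEN)]


def encoded_size(value: bytes) -> int:
    """Bytes the chunked value occupies on the wire, including each chunk's 2-byte header."""
    return sum(ATTR_HEADER_LEN + len(chunk) for chunk in chunk_attribute(value))


def fits_in_one_packet(value: bytes, other_attrs_bytes: int = 0) -> bool:
    """True if header + other attributes + the chunked value stay within 4096 bytes.

    other_attrs_bytes is the encoded size of whatever else the packet carries
    (User-Name, Message-Authenticator, ...); the default of 0 is an assumption
    that isolates the effect of the large attribute alone.
    """
    total = RADIUS_HEADER_LEN + other_attrs_bytes + encoded_size(value)
    return total <= RADIUS_MAX_PACKET


def max_payload_in_one_packet(other_attrs_bytes: int = 0) -> int:
    """Largest logical value that can be chunked into a single packet."""
    room = RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - other_attrs_bytes
    full, rest = divmod(room, ATTR_HEADER_LEN + ATTR_MAX_VALUE_LEN)
    # A leftover of more than 2 bytes fits one extra, shorter attribute.
    return full * ATTR_MAX_VALUE_LEN + max(0, rest - ATTR_HEADER_LEN)


if __name__ == "__main__":
    # Constructed stand-ins for assertions; the byte counts are the only thing that matters.
    small = b"<Assertion>" + b"A" * 2000 + b"</Assertion>"
    with_photo = b"<Assertion>" + b"P" * 6000 + b"</Assertion>"
    print(len(chunk_attribute(small)), "chunks, fits:", fits_in_one_packet(small))
    print(len(chunk_attribute(with_photo)), "chunks, fits:", fits_in_one_packet(with_photo))
    print("largest value that fits alone:", max_payload_in_one_packet(), "bytes")
```

Running it shows the point of the thread: chunking only removes the 253-byte per-attribute limit, not the 4096-byte per-packet limit, so a value of a few thousand bytes fits while a photo-sized one cannot, whatever the chunk size. The 4044-byte figure it computes is the ceiling for a packet carrying nothing else; any other attributes the exchange needs lower it further.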
