> > Those that exist in the ether for the Plasma project have suddenly decided
> > that they would like to see a new capability that I am not sure is doable
> > in the ABFAB space. Or rather I think it is partly doable but not complete.

I think that is an accurate summary.

> They have decided that in some circumstances they want to validate and get
> information about both the user and the computer that is being used by the
> client. It is relatively easy to do the authentication portion using the
> TTLS EAP method if both the client and the server know that it needs to be
> done. However, I do not know of any way to do the following:
>
> 1. Have the RP tell the IdP that it wants to have both the client machine
> and the client user authenticated.

Abfab certainly doesn't have those semantics. I can't recall if NEA does. I would be surprised if it did, but I can't imagine it would be difficult to add (it's probably just an AAA-bound flag?).

> 2. Allow the RP to send a SAML query to the IdP to get attributes of the
> client machine

You could use either a SOAP-bound or AAA-bound SAML query.

> They also want to be able to get access to a NIA-type assessment of the
> client machine, but I am doing my best to ignore that for the moment. I
> don't have enough knowledge of NIA to even make a guess if this is a
> doable operation.

I can't see a reason why NEA couldn't be used with Abfab today. You might want to look at the Federated TNC spec; this only addresses your use case for the web-bound case, but some of the concepts might be useful. I don't think it would be hard to port it to Abfab/NEA.

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
