Thanks to both you and Gabriel for the response.


> -----Original Message-----
> From: Josh Howlett [mailto:[email protected]]
> Sent: Monday, February 20, 2012 8:29 AM
> To: Jim Schaad; [email protected]
> Subject: Re: [abfab] Dual authentication
> 
> >
> >Those that exist in the ether for the Plasma project have suddenly
> >decided that they would like to see a new capability that I am not sure
> >is doable in the ABFAB space.  Or rather I think it is partly doable
> >but not complete.
> 
> I think that is an accurate summary.
> 
> >They have decided that in some circumstances they want to validate and
> >get information about both the user and the computer that is being used
> >by the client.  It is relatively easy to do the authentication portion
> >using the TTLS EAP method if both the client and the server know that
> >it needs to be done.  However, I do not know of any way to do the
> >following:
> >
> >1.  Have the RP tell the IdP that it wants to have both the client
> >machine and the client user authenticated.
> 
> Abfab certainly doesn't have those semantics. I can't recall if NEA does.
> I would be surprised if it did, but I can't imagine it would be difficult
> to add (it's probably just a AAA-bound flag?).

Except for the question of how to frame the SAML query, I imagine doing the
SAML query might be sufficient to tell the IdP that a NEA assessment is
desired.  The question would be one of should there be two SAML queries or
one.  If you have two, then how do you distinguish between the client query
and the machine query.  If you have one, then are there any attributes which
might apply to both a user and a machine?

> 
> >2.  Allow the RP to send a SAML query to the IdP to get attributes of
> >the client machine
> 
> You could use either a SOAP-bound or AAA-bound SAML query.
> 
> >They also want to be able to get access to a NIA type assessment of the
> >client machine, but I am doing my best to ignore that for the moment.
> >I don't have enough knowledge of NIA to even make a guess if this is a
> >doable operation.
> 
> I can't see a reason why NEA couldn't be used with Abfab today.
> 
> You might want to look at the Federated TNC spec; this only addresses your
> use case for the web-bound case, but some of concepts might be useful. I
> don't think it would be hard to port it to Abfab/NEA.

I will have to look at the spec.  I demonstrated my lack of knowledge about
NEA by using the wrong TLA to begin with.  I assume that if you run a TTLS
that the NEA/EAP dialog would be able to occur inside the same tunnel as the
user and machine authentication steps.  I am not sure if that would add
material to the key generation but that is probably not of any importance.  

> 
> Josh.
> 
> 
> 
> JANET(UK) is a trading name of The JNT Association, a company limited by
> guarantee which is registered in England under No. 2881024 and whose
> Registered Office is at Lumen House, Library Avenue, Harwell Oxford,
> Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab