>> >1.  Have the RP tell the IdP that it wants to have both the client
>> >machine and the client user authenticated.
>> 
>> Abfab certainly doesn't have those semantics. I can't recall if NEA
>> does. I would be surprised if it did, but I can't imagine it would be
>> difficult to add (it's probably just an AAA-bound flag?).
>
>Except for the question of how to frame the SAML query, I imagine doing the
>SAML query might be sufficient to tell the IdP that a NEA assessment is
>desired.

That's another approach.

>  The question would be one of should there be two SAML queries or
>one.  If you have two, then how do you distinguish between the client
>query and the machine query.  If you have one, then are there any
>attributes which might apply to both a user and a machine?

An assertion request can name at most one principal, and so this is most
likely two queries, if you chose to have a model that considered the user
and device to be distinct principals (and so naming them separately). On
the other hand, it might be reasonable to consider the device to be an
attribute of a principal. A lot depends on the detail of the use case. In
any event, I don't think you're going to be particularly constrained by
the capabilities of the existing technology.

>> 
>> >2.  Allow the RP to send a SAML query to the IdP to get attributes of
>> >the client machine
>> 
>> You could use either a SOAP-bound or AAA-bound SAML query.
>> 
>> >They also want to be able to get access to a NIA type assessment of the
>> >client machine, but I am doing my best to ignore that for the moment.
>> >I don't have enough knowledge of NIA to even make a guess if this is a
>> >doable operation.
>> 
>> I can't see a reason why NEA couldn't be used with Abfab today.
>> 
>> You might want to look at the Federated TNC spec; this only addresses
>> your use case for the web-bound case, but some of the concepts might be
>> useful. I don't think it would be hard to port it to Abfab/NEA.
>
>I will have to look at the spec.  I demonstrated my lack of knowledge
>about NEA by using the wrong TLA to begin with.  I assume that if you run
>a TTLS that the NEA/EAP dialog would be able to occur inside the same
>tunnel as the user and machine authentication steps.

Correct.

>  I am not sure if that would add
>material to the key generation

It doesn't.

Josh.



JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
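The two modelling options discussed in the thread (user and device as distinct principals, hence two SAML attribute queries; or the device as an attribute of the user principal, hence one query) can be made concrete with the SAML 2.0 AttributeQuery structure. The following is an added example, not code from the thread or from any abfab, NEA or Federated TNC implementation: it builds the queries with the standard library and shows a receiving-side check that a query names exactly one principal. The attribute names under `urn:example:` and the issuer/subject values are constructed placeholders.

```python
# Added example (not from the thread): SAML 2.0 AttributeQuery messages for
# the two principal models discussed, plus a receiver-side subject check.
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical attribute names (placeholders); a real deployment agrees these with the IdP.
USER_ATTRS = ["urn:example:displayName", "urn:example:affiliation"]
DEVICE_ATTRS = ["urn:example:deviceOwner", "urn:example:deviceHealthState"]


def attribute_query(issuer, name_id, attr_names, name_format=NAMEID_PERSISTENT):
    """Build one samlp:AttributeQuery. The schema allows a single Subject, so
    each query names exactly one principal."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_format}).text = name_id
    for name in attr_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return query


def two_principal_queries(issuer, user_id, device_id):
    """Model 1: user and device are distinct principals, so the RP sends two
    queries, each naming a different Subject."""
    return [attribute_query(issuer, user_id, USER_ATTRS),
            attribute_query(issuer, device_id, DEVICE_ATTRS)]


def device_as_attribute_query(issuer, user_id):
    """Model 2: the device is modelled as attributes of the user principal, so a
    single query naming the user asks for both sets of attributes."""
    return attribute_query(issuer, user_id, USER_ATTRS + DEVICE_ATTRS)


def serialize(query):
    return ET.tostring(query, encoding="unicode")


def principals_named(xml_text):
    """Receiver-side check (e.g. at the IdP): return the NameID values a query
    names. A conforming AttributeQuery yields exactly one entry."""
    root = ET.fromstring(xml_text)
    return [n.text for n in root.findall(f"{{{SAML}}}Subject/{{{SAML}}}NameID")]


def requested_attributes(xml_text):
    root = ET.fromstring(xml_text)
    return [a.get("Name") for a in root.findall(f"{{{SAML}}}Attribute")]


if __name__ == "__main__":
    rp = "https://rp.example.org/saml"  # constructed issuer value
    for q in two_principal_queries(rp, "alice", "device-1234"):
        print(serialize(q))
        print("names:", principals_named(serialize(q)))
    print(serialize(device_as_attribute_query(rp, "alice")))
```

Which model to pick is a policy decision for the deployment, as the thread says; the code only makes visible that model 1 costs a second round trip and a second NameID to manage, while model 2 requires the IdP to bind device attributes to the user's record.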

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
