On 20/02/12 23:47, Jim Schaad wrote:
> Thanks to both you and Gabriel for response.
>
>> -----Original Message-----
>> From: Josh Howlett [mailto:[email protected]]
>> Sent: Monday, February 20, 2012 8:29 AM
>> To: Jim Schaad; [email protected]
>> Subject: Re: [abfab] Dual authentication
>>
>>> Those that exist in the ether for the Plasma project have suddenly
>>> decided that they would like to see a new capability that I am not sure
>>> is doable in the ABFAB space. Or rather I think it is partly doable
>>> but not complete.
>> I think that is an accurate summary.
>>
>>> They have decided that in some circumstances they want to validate and
>>> get information about both the user and the computer that is being used
>>> by the client. It is relatively easy to do the authentication portion
>>> using the TTLS EAP method if both the client and the server know that
>>> it needs to be done. However, I do not know of any way to do the
>>> following:
>>> 1. Have the RP tell the IdP that it wants to have both the client
>>> machine and the client user authenticated.
>> Abfab certainly doesn't have those semantics. I can't recall if NEA does.
>> I would be surprised if it did, but I can't imagine it would be difficult

Although the NEA specifications do not limit which entity starts the NEA exchange (client or server), EAP-TNC specifies that the server starts the attribute exchange.

>> to add
>> (it's probably just a AAA-bound flag?).
> Except for the question of how to frame the SAML query, I imagine doing the
> SAML query might be sufficient to tell the IdP that a NEA assessment is
> desired. The question would be one of should there be two SAML queries or
> one. If you have two, then how do you distinguish between the client query
> and the machine query. If you have one, then are there any attributes which
> might apply to both a user and a machine?

I think SAML is not necessary to start the NEA negotiation; the use of EAP-TNC Start from the RP could be defined in some way.

>>> 2. Allow the RP to send a SAML query to the IdP to get attributes of
>>> the client machine
>> You could use either a SOAP-bound or AAA-bound SAML query.
>>
>>> They also want to be able to get access to a NIA type assessment of the
>>> client machine, but I am doing my best to ignore that for the moment.
>>> I don't have enough knowledge of NIA to even make a guess if this is a
>>> doable operation.
>> I can't see a reason why NEA couldn't be used with Abfab today.
>>
>> You might want to look at the Federated TNC spec; this only addresses your
>> use case for the web-bound case, but some of the concepts might be useful. I
>> don't think it would be hard to port it to Abfab/NEA.
> I will have to look at the spec. I demonstrated my lack of knowledge about
> NEA by using the wrong TLA to begin with. I assume that if you run a TTLS
> that the NEA/EAP dialog would be able to occur inside the same tunnel as the
> user and machine authentication steps.

Sure.

Regards, Gabi.

> I am not sure if that would add
> material to the key generation but that is probably not of any importance.
>
>> Josh.
>>
>> JANET(UK) is a trading name of The JNT Association, a company limited by
>> guarantee which is registered in England under No. 2881024 and whose
>> Registered Office is at Lumen House, Library Avenue, Harwell Oxford,
>> Didcot, Oxfordshire. OX11 0SG
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
