Hi Jim, 

> I will state upfront that I know less about Diameter than I do about
> RADIUS, so the questions I have are to be taken with that grain of salt.
> 
> 1.  Is it possible to include a more general SAML query than just an
> authorization request in a DER message?  Specifically, I would like to
> be able to query for a set of attributes about the entity that was
> authorized, as opposed to getting the fact that they are authorized.

Yes, this is possible. 

Some problems we are dealing with in RADIUS, such as the fragmentation
issue, do not exist in Diameter due to the TCP transport. 

> 
> 2.  Does Diameter give any way of sending the keys around that are to
> be used for doing the XML encryption operation?  I understand that
> Diameter is more point-to-point than RADIUS, but I do not know that to
> be a fact.  Does this mean that there is more likely to be end-to-end
> signing and encryption capabilities present?

Diameter also exchanges keys in the same manner as RADIUS does. This is,
for example, used for the Diameter EAP application. These keys are,
however, secured only in a hop-by-hop fashion (and not end-to-end; the
ends are Diameter client and Diameter server). 

Currently, there is no standard for e2e AVP encryption in Diameter
natively, although there are discussions ongoing to do some work in the
DIME working group. Two relevant contributions for that matter are: 

http://datatracker.ietf.org/doc/draft-korhonen-dime-e2e-security/
http://datatracker.ietf.org/doc/draft-zorn-dime-n2n-sec-lite/

(Note that the scope of the two drafts is a bit different.)

> 
> 3.  Is there a concept of proxies that sit on boundaries that could
> modify the SAML constructs to deal with mapping of attributes?

There are proxies in Diameter but what they specifically do with certain
AVPs depends very much on the application. The document I have submitted
describes such an application but does not describe such operation. 

Ciao
Hannes

> 
> Jim
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
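The reply above notes that the RADIUS fragmentation problem does not arise in Diameter. The following is an added example (not code from this thread, nor from any IETF document) that makes the point concrete: it packs a constructed SAML-sized blob into RADIUS attributes, where each value is limited to 253 bytes and the whole packet to 4096 bytes, and into a single Diameter AVP, whose header carries a 24-bit length. The attribute type 26 and AVP code 1234 used below are placeholders, not assigned identifiers.

```python
"""Added example: RADIUS attribute/packet limits versus a Diameter AVP.

RADIUS (RFC 2865): an attribute is Type(1) Length(1) Value, so a value
holds at most 253 bytes, and a packet is at most 4096 bytes.  A large
blob must be split across consecutive attributes and may still not fit
in one packet.
Diameter (RFC 6733): an AVP header is Code(32) Flags(8) Length(24),
so one AVP can carry up to 16 MiB, and TCP/SCTP imposes no 4096-byte
packet limit.
"""
import struct

RADIUS_MAX_ATTR_VALUE = 253   # 255 minus the 2-byte Type/Length header
RADIUS_MAX_PACKET = 4096
RADIUS_HEADER_LEN = 20        # Code, Identifier, Length, Authenticator
PLACEHOLDER_ATTR_TYPE = 26    # assumption: any attribute type, not a real assignment
PLACEHOLDER_AVP_CODE = 1234   # assumption: not an IANA-assigned AVP code


def make_sample(n):
    """Constructed payload of exactly n bytes standing in for a SAML assertion."""
    return (b"<saml:Assertion>" * (n // 16 + 1))[:n]


def radius_fragment(attr_type, value):
    """Split value into consecutive RADIUS attributes of one type.
    The receiver concatenates the values in order (as done for EAP-Message)."""
    attrs = []
    for off in range(0, len(value), RADIUS_MAX_ATTR_VALUE):
        chunk = value[off:off + RADIUS_MAX_ATTR_VALUE]
        attrs.append(struct.pack("!BB", attr_type, 2 + len(chunk)) + chunk)
    return attrs


def radius_fits_in_one_packet(attrs):
    """True if header plus all attributes stays within the 4096-byte limit."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in attrs) <= RADIUS_MAX_PACKET


def radius_reassemble(attrs, attr_type):
    """Concatenate the values of all attributes of the given type, in order."""
    out = b""
    for a in attrs:
        t, length = a[0], a[1]
        if t == attr_type:
            out += a[2:length]
    return out


def diameter_avp(code, value, flags=0x40):
    """Encode one Diameter AVP without Vendor-Id.
    Length covers header and unpadded data; data is padded to 4 bytes."""
    length = 8 + len(value)
    if length > 0xFFFFFF:
        raise ValueError("AVP data exceeds the 24-bit length field")
    header = struct.pack("!II", code, (flags << 24) | length)
    padding = b"\x00" * ((-len(value)) % 4)
    return header + value + padding


def diameter_avp_decode(avp):
    """Return (code, flags, data) from an encoded AVP, ignoring padding."""
    code, flags_len = struct.unpack("!II", avp[:8])
    flags, length = flags_len >> 24, flags_len & 0xFFFFFF
    return code, flags, avp[8:length]


if __name__ == "__main__":
    big = make_sample(6000)
    attrs = radius_fragment(PLACEHOLDER_ATTR_TYPE, big)
    print("RADIUS attributes needed:", len(attrs),
          "fits in one packet:", radius_fits_in_one_packet(attrs))
    avp = diameter_avp(PLACEHOLDER_AVP_CODE, big)
    print("Diameter AVP bytes:", len(avp), "single AVP:", True)
```

Run as a script, the 6000-byte sample needs 24 RADIUS attributes and does not fit in one 4096-byte packet (that is the fragmentation problem the reply refers to), while the same bytes go into one Diameter AVP of 6008 bytes.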
