> -----Original Message-----
> From: Tschofenig, Hannes (NSN - FI/Espoo)
> [mailto:[email protected]]
> Sent: Thursday, March 15, 2012 12:11 AM
> To: ext Jim Schaad; [email protected]; Hannes Tschofenig
> Cc: [email protected]
> Subject: RE: [abfab] draft-jones-diameter-abfab-00 question
>
> Hi Jim,
>
> > I will state upfront that I know less about Diameter than I do about
> > RADIUS, so the questions I have are to be taken with that grain of
> > salt.
> >
> > 1. Is it possible to include a more general SAML query than just an
> > authorization request in a DER message? Specifically, I would like to
> > be able to query for a set of attributes about the entity that was
> > authorized, as opposed to getting the fact that they are authorized.
>
> Yes, this is possible.
>
> Some problems we are dealing with in RADIUS, such as the fragmentation
> issue, do not exist in Diameter due to the TCP transport.

Ok - I am slightly confused. When I look at the answer ABNF, it has both a
SAML-AuthnResponse and a SAML-Assertion. However, the request ABNF only has
SAML-AuthnRequest but not the SAML-Assertion. I read this as saying that one
should/could not include the SAML-Assertion at this point.

> > 2. Does Diameter give any way of sending the keys around that are to
> > be used for doing the XML encryption operation? I understand that
> > Diameter is more point-to-point than RADIUS, but I do not know that to
> > be a fact. Does this mean that there is more likely to be end-to-end
> > signing and encryption capabilities present?
>
> Diameter also exchanges keys in the same manner as RADIUS does. This is,
> for example, used for the Diameter EAP application. These keys are,
> however, secured only in a hop-by-hop fashion (and not end-to-end; the
> ends are Diameter client and Diameter server).
>
> Currently, there is no standard for e2e AVP encryption in Diameter natively,
> although there are discussions ongoing to do some work in the DIME working
> group. Two relevant contributions for that matter are:
>
> http://datatracker.ietf.org/doc/draft-korhonen-dime-e2e-security/
> http://datatracker.ietf.org/doc/draft-zorn-dime-n2n-sec-lite/
>
> (Note that the scope of the two drafts is a bit different.)

But back to my original question - where would the XML encryption process get
its keys?

Jim

> > 3. Is there a concept of proxies that sit on boundaries that could
> > modify the SAML constructs to deal with mapping of attributes?
>
> There are proxies in Diameter, but what they specifically do with certain AVPs
> depends very much on the application. The document I have submitted
> describes such an application but does not describe such operation.
>
> Ciao
> Hannes
>
> > Jim
> >
> > _______________________________________________
> > abfab mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/abfab
