We've started some discussions of delegation in the moonshot project as well.
We're focusing more on the RP side of it. That is, how an RP obtains a credential to act as a delegated user, rather than the question of how we indicate to a down-stream RP that delegation has occurred.

We were thinking of providing a RADIUS attribute for an RP to ask for a delegation credential. If that is supplied in an access-request then an IDP/AAA server MAY supply a credential and key in an access-accept. That credential could be used as an EAP credential (say with some PSK method--possibly TEAP with a PSK cipher) to attempt to act as a user. Then the IDP would be in a position to decide whether the delegation is permitted.

This covers as much of delegation as AD gives you today. It does not have a rich conversation between the user and IDP about what delegation is required; for that you'd need to involve EMU in some way.

Also, note that this is a form of cross-domain delegation. Within a resource domain, I think it makes more sense for the RP to end up with a Kerberos ticket (in many cases at least).

Just letting you know some thoughts going on elsewhere.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
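The two-phase exchange sketched above (RP asks for a delegation credential in an access-request, IdP hands back credential plus key, RP later presents it as a PSK-style EAP credential and the IdP decides at that point whether the delegation is permitted), modelled as an added example that is not part of the original message or the moonshot project. The attribute names `Delegation-Request`, `Delegation-Credential` and `Delegation-Key`, the policy table and the HMAC proof-of-possession are all assumptions standing in for whatever RADIUS/EAP details a real design would fix; the NAS-Identifier is assumed to be authenticated by the RADIUS transport.

```python
import hashlib, hmac, os, time

# Constructed sample policy (hypothetical): which RP may act on behalf of which
# user. The IdP consults it when the credential is USED, not when it is issued.
DELEGATION_POLICY = {"user@example.org": {"rp1.example.org"}}
CRED_LIFETIME = 600  # seconds; hypothetical value

class IdP:
    """IdP/AAA server: issues delegation credentials and later judges their use."""
    def __init__(self):
        self.secret = os.urandom(32)   # server-side secret for deriving PSKs
        self.issued = {}               # cred_id -> (user, rp, expiry)

    def _psk(self, cred_id, user, rp):
        # The key is bound to the credential id, the delegated user and the RP
        # that asked for it, so it cannot be re-used by a different RP.
        return hmac.new(self.secret, f"{cred_id}|{user}|{rp}".encode(), hashlib.sha256).digest()

    def handle_access_request(self, req, now=None):
        """Phase 1: Access-Request, optionally carrying the hypothetical Delegation-Request attribute."""
        now = time.time() if now is None else now
        user, rp = req["User-Name"], req["NAS-Identifier"]
        resp = {"Code": "Access-Accept", "User-Name": user}
        if req.get("Delegation-Request"):          # server MAY supply credential + key
            cred_id = os.urandom(8).hex()
            self.issued[cred_id] = (user, rp, now + CRED_LIFETIME)
            resp["Delegation-Credential"] = cred_id
            resp["Delegation-Key"] = self._psk(cred_id, user, rp)
        return resp

    def handle_psk_auth(self, cred_id, rp, challenge, proof, now=None):
        """Phase 2: RP presents the credential (PSK method modelled as HMAC over a challenge)."""
        now = time.time() if now is None else now
        entry = self.issued.get(cred_id)
        if entry is None:
            return "Access-Reject", "unknown credential"
        user, bound_rp, expiry = entry
        if now > expiry:
            return "Access-Reject", "credential expired"
        if rp != bound_rp:
            return "Access-Reject", "credential not issued to this RP"
        expected = hmac.new(self._psk(cred_id, user, rp), challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return "Access-Reject", "bad proof of possession"
        if rp not in DELEGATION_POLICY.get(user, set()):   # the IdP's delegation decision
            return "Access-Reject", f"delegation of {user} to {rp} not permitted"
        return "Access-Accept", f"{rp} now acting as {user}"

def rp_prove(key, challenge):
    """RP side: proof of possession of the Delegation-Key for the IdP's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()
```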
