Hi,

I could simply say the usual "+1", but given my chatty personality, let
me say I fully support the idea of E2E RADSEC.

On 8 Nov 2012, at 14:42 , Sam Hartman wrote:

>
>
> Folks, I've been thinking about the mandatory to implement signature
> validation issue.  The more I think about it, the more I agree with
> stephen and Scott that end-to-end security is important for ABFAB.  It
> won't always be used; just as with other technologies, people will
> sometimes want to introduce middleboxes.  However it's important to have
> a way of talking to the ends.
>
> However, I think SAML signatures are the wrong level to accomplish this.
> The issue is that there's a lot of important stuff in ABFAB that comes
> in AAA not SAML.
> All the concerns about SAML can apply to the AAA elements.
>
> I was asking myself why Moonshot doesn't worry about this.
> Then I realized that we do.
> we're going out of our way to set up end-to-end RADSEC.
> We get protection of the SAML, but we also get protection of the AAA
> attributes.
>
> RADSEC can be used in a hop-by-hop manner.  However, RADSEC is specified
> with a lot of thought towards enabling end-to-end uses.  Multiple
> technologies, including the dynamic SRV-based mechanism and Moonshot's
> trust router are evolving to make end-to-end RADSEC easier to deploy.
>
> So, I think that RADSEC is a better MTI security technology for ABFAB
> than signature validation.
> I'd prefer to make RADSEC a MUST and SAML signature validation a SHOULD.
>
> I've run this by Alan, Josh, Scott and Jim.  They seemed to like the
> idea, so I'm presenting it here.
>
> Note that there is a process issue with RADSEC; it's not
> standards-track.  Let's assume for the moment that I can come up with a
> solution to that (I believe I have two avenues to approach):
> do we believe that if we can make it work, that would be the right
> technical approach?
>
> --Sam
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab


--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: [email protected]
Tel:    +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------


________________________________

This message is intended exclusively for its addressee. We only send and 
receive email on the basis of the terms set out at:
http://www.tid.es/ES/PAGINAS/disclaimer.aspx