On 11/08/2012 08:42 PM, Sam Hartman wrote:
>
> Folks, I've been thinking about the mandatory to implement signature
> validation issue. The more I think about it, the more I agree with
> stephen and Scott that end-to-end security is important for ABFAB. It
> won't always be used; just as with other technologies, people will
> sometimes want to introduce middleboxes. However it's important to have
> a way of talking to the ends.
>
> However, I think SAML signatures are the wrong level to accomplish
> this.
> The issue is that there's a lot of important stuff in ABFAB that comes
> in AAA not SAML.
> All the concerns about SAML can apply to the AAA elements.
>
> I was asking myself why Moonshot doesn't worry about this.
> Then I realized that we do.
> We're going out of our way to set up end-to-end RADSEC.
> We get protection of the SAML, but we also get protection of the AAA
> attributes.
>
> RADSEC can be used in a hop-by-hop manner. However, RADSEC is specified
> with a lot of thought towards enabling end-to-end uses. Multiple
> technologies, including the dynamic SRV-based mechanism and Moonshot's
> trust router are evolving to make end-to-end RADSEC easier to deploy.
>
> So, I think that RADSEC is a better MTI security technology for ABFAB
> than signature validation.
> I'd prefer to make RADSEC a MUST and SAML signature validation a SHOULD.
>
> I've run this by Alan, Josh, Scott and Jim. They seemed to like the
> idea, so I'm presenting it here.
>
> Note that there is a process issue with RADSEC; it's not
> standards-track. Let's assume for the moment that I can come up with a
> solution to that (I believe I have two avenues to approach).
> Do we believe that if we can make it work that would be the right
> technical approach?
>
>
Speaking as an individual, I'll note that currently RADSEC depends
on some form of public key management that is at least nominally
no better or worse than the key management you'd need to do this
using SAML.
Cheers, Leif
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab