Hi Sam, all:

I was wondering what would happen if a current deployment is not using RadSec. 
Is it not too restrictive to set MUST for RadSec? (In fact, as you 
mention, it is an experimental RFC.)

I would say that if RadSec is available it MUST be used and SAML signatures MAY be 
used. But if RadSec is not deployed, SAML signatures MUST be used.

Or, in general, if end-to-end security is deployed, a SAML signature is not required.

Best regards.

P.S.: Perhaps this is what you are trying to say and I misunderstood your 
statement.


On 08/11/2012, at 20:42, Sam Hartman wrote:

> 
> 
> Folks, I've been thinking about the mandatory to implement signature
> validation issue.  The more I think about it, the more I agree with
> Stephen and Scott that end-to-end security is important for ABFAB.  It
> won't always be used; just as with other technologies, people will
> sometimes want to introduce middleboxes.  However it's important to have
> a way of talking to the ends.
> 
> However, I think SAML signatures are the wrong level to accomplish
> this.
> The issue is that there's a lot of important stuff in ABFAB that comes
> in AAA not SAML.
> All the concerns about SAML can apply to the AAA elements.
> 
> I was asking myself why Moonshot doesn't worry about this.
> Then I realized that we do.
> We're going out of our way to set up end-to-end RADSEC.
> We get protection of the SAML, but we also get protection of the AAA
> attributes.
> 
> RADSEC can be used in a hop-by-hop manner.  However, RADSEC is specified
> with a lot of thought towards enabling end-to-end uses.  Multiple
> technologies, including the dynamic SRV-based mechanism and Moonshot's
> trust router are evolving to make end-to-end RADSEC easier to deploy.
> 
> So, I think that RADSEC is a better MTI security technology for ABFAB
> than signature validation.
> I'd prefer to make RADSEC a MUST and SAML signature validation a SHOULD.
> 
> I've run this by Alan, Josh, Scott and Jim.  They seemed to like the
> idea, so I'm presenting it here.
> 
> Note that there is a process issue with RADSEC; it's not
> standards-track.  Let's assume for the moment that I can come up with a
> solution to that (I believe I have two avenues to approach)
> do we believe that if we can make it work that would be the right
> technical approach?
> 
> --Sam
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: [email protected]
-------------------------------------------------------