On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
> Hi Sam,
>
> thanks for the review. See my comments below.
>
> On 17/02/15 at 23:49, Sam Hartman wrote:
>>
>> Section 4:
>>
>> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
>> Current text says recommended.
>
> Whereas version -09 stated once (in section 5.2) that the use of TLS was
> REQUIRED, throughout the rest of the text it indicated this support
> several times as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just
> homogenized them to the prevailing one.
>
> Nevertheless, I think that making TLS a MUST might be limiting. There
> might be some use case scenarios for this profile where using TLS is not
> actually required (e.g. other security mechanisms apply). I would see
> that kind of requirement more for the ABFAB architecture level than for
> this I-D level. Moreover, in the saml-profiles-2.0-os document, the use
> of TLS is indicated as RECOMMENDED.
Speaking as an individual, I don't think there are any sane reasons not
to use TLS if you relax the requirements on credentials administration
(e.g. run opportunistic TLS). Having said that, I think probably RECOMMENDED
is strong enough anyway.
>
>>
>> Section 6.3.3:
>>
>> I would like to state for the record that I believe interlinking the
>> SAML and EAP authentications to permit the SAML request to affect things
>> like TLS resumption and authentication freshness is problematic and
>> will lead to implementation failures (or simply be ignored).
>>
>> I would prefer we not take that approach. However the sense of the room
>> was against me when this was last discussed.
>> I do think an explicit consensus call by chairs if we have not already
>> made such a call would be valuable. I expect that it's likely I'm in
>> the rough.
>
> I'm ok with such a call, but I'd like to know more about the problems
> you would expect.
> As I see it, if the IdP cannot/won't address the constraints called in
> the AuthnRequest message, it MUST (SHOULD perhaps?) generate an
> authentication error.
I can make such a call if we have a clear enough statement to call
consensus on.
MVH leifj
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
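The thread's disagreement about section 6.3.3 is about whether constraints carried in a SAML AuthnRequest (a freshness demand via ForceAuthn, a required authentication context) should reach down into the EAP/TLS layer, and what an IdP does when it cannot honour them. The following is an added, illustrative policy check written for this page; it is not code from the ABFAB drafts or from any participant. It assumes a simplified model of the request (only the real SAML 2.0 ForceAuthn attribute and RequestedAuthnContext class references are modelled) and of the state an IdP/EAP server holds about the peer's current session; the `AuthnRequest`, `PeerSession`, `Decision` and `evaluate` names are hypothetical.

```python
"""Illustrative IdP decision for SAML AuthnRequest constraints versus an
existing EAP/TLS session (added example; assumed, simplified data model)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    REUSE_SESSION = "reuse the existing (possibly TLS-resumed) EAP session"
    FULL_AUTH = "run a fresh EAP authentication; do not resume the TLS session"
    AUTHN_ERROR = "return a SAML authentication error to the requester"


@dataclass(frozen=True)
class AuthnRequest:
    # ForceAuthn is a real SAML 2.0 AuthnRequest attribute: the IdP must
    # authenticate the principal afresh rather than rely on an existing session.
    force_authn: bool
    # Requested AuthnContext class refs (hypothetical: flattened to a tuple).
    requested_contexts: tuple = ()


@dataclass(frozen=True)
class PeerSession:
    resumed: bool           # True if this session came from TLS session resumption
    authn_context: str      # context class the original authentication satisfied
    can_reauthenticate: bool  # whether the EAP layer can run a fresh exchange now


def evaluate(request: AuthnRequest, session: PeerSession) -> Decision:
    """Map request constraints onto the EAP session state.

    Encodes the rule Alejandro proposes in the thread: a constraint the IdP
    cannot or will not address yields an explicit authentication error, never
    a silently relaxed answer. Whether this interlinking is wise is the open
    question Sam raises; this function only shows what honouring it entails.
    """
    # A required authentication context the existing session does not meet is
    # a constraint this IdP cannot satisfy: fail closed with an error.
    if request.requested_contexts and session.authn_context not in request.requested_contexts:
        return Decision.AUTHN_ERROR

    # A freshness demand overrides any reuse, including a TLS-resumed session.
    if request.force_authn:
        if not session.can_reauthenticate:
            # The EAP layer cannot honour the freshness constraint right now.
            return Decision.AUTHN_ERROR
        return Decision.FULL_AUTH

    # No constraint forbids reuse, so a resumed session is acceptable.
    return Decision.REUSE_SESSION


if __name__ == "__main__":
    # Constructed sample inputs, not values from the drafts.
    resumed = PeerSession(resumed=True, authn_context="urn:example:password",
                          can_reauthenticate=True)
    stuck = PeerSession(resumed=True, authn_context="urn:example:password",
                        can_reauthenticate=False)
    for req, sess in [
        (AuthnRequest(force_authn=False), resumed),
        (AuthnRequest(force_authn=True), resumed),
        (AuthnRequest(force_authn=True), stuck),
        (AuthnRequest(force_authn=False, requested_contexts=("urn:example:mfa",)), resumed),
    ]:
        print(f"{req} -> {evaluate(req, sess).value}")
```

The point of the example is the fail-closed branch: when the request's constraint cannot be propagated to the EAP layer, the IdP reports an authentication error rather than answering as if the constraint had been met.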