> -----Original Message-----
> From: abfab [mailto:[email protected]] On Behalf Of Alejandro Perez Mendez
> Sent: Thursday, February 19, 2015 6:16 AM
> To: [email protected]
> Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10
>
>
> On 19/02/15 at 10:16, Klaas Wierenga (kwiereng) wrote:
> >
> >> On 19 Feb 2015, at 09:56, Leif Johansson <[email protected]> wrote:
> >>
> >> On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
> >>> Hi Sam,
> >>>
> >>> thanks for the review. See my comments below.
> >>>
> >>> On 17/02/15 at 23:49, Sam Hartman wrote:
> >>>> Section 4:
> >>>>
> >>>> I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
> >>>> Current text says recommended.
> >>> Whereas version -09 stated once (in section 5.2) that the use of TLS
> >>> was REQUIRED, along the rest of the text it indicated several times this
> >>> support as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just
> >>> homogenized them to the prevailing one.
> >>>
> >>> Nevertheless, I think that making TLS a MUST might be limiting.
> >>> There might be some use case scenarios for this profile where using
> >>> TLS is not actually required (e.g. other security mechanisms apply).
> >>> I would see that kind of requirement more at the ABFAB architecture
> >>> level than at this I-D level. Moreover, in the saml-profiles-2.0-os
> >>> document, the use of TLS is indicated as RECOMMENDED.
> >> Speaking as an individual, I don't think there are any sane reasons
> >> not to use TLS if you relax the requirements on credential
> >> administration (e.g. run opportunistic TLS). Having said that, I think
> >> RECOMMENDED is probably strong enough anyway.
> > Speaking as another individual, you could go the route that other drafts
> > have taken and say something like:
> >
> > TLS is REQUIRED unless alternative methods are used to ensure
> > confidentiality, like IPsec tunnels or a sufficiently secure internal network.
>
> That text sounds quite reasonable to me. I was also thinking of including DTLS
> as an alternative.

In my mind DTLS would be acceptable if one says TLS is required. They are the same basic mechanism in my mind. However, the use of DTLS in this scenario is going to be somewhat problematic, as it would lead to even more fragmenting. The big reason for using TLS/IP rather than DTLS is the upcoming support for large packets. Not clear that the large packet draft is written to allow it to be used in a non-TLS situation. Probably need to verify that it is if we want to include things like IPsec as options.

Jim

>
> Regards,
> Alejandro
>
> > Klaas
> >
> >
> > _______________________________________________
> > abfab mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/abfab
