On 19/02/15 at 20:15, Jim Schaad wrote:

-----Original Message-----
From: abfab [mailto:[email protected]] On Behalf Of Alejandro Perez Mendez
Sent: Thursday, February 19, 2015 6:16 AM
To: [email protected]
Subject: Re: [abfab] Review of draft-ietf-abfab-aaa-saml-10


On 19/02/15 at 10:16, Klaas Wierenga (kwiereng) wrote:
On 19 Feb 2015, at 09:56, Leif Johansson <[email protected]> wrote:

On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
Hi Sam,

thanks for the review. See my comments below.

On 17/02/15 at 23:49, Sam Hartman wrote:
Section 4:

I thought we were going to make RADIUS over TLS a MUST not a
SHOULD.
Current text says recommended.
Whereas version -09 stated once (in section 5.2) that the use of TLS
was REQUIRED, throughout the rest of the text it indicated several times
that this support was RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just
homogenized them to the prevailing one.

Nevertheless, I think that making TLS a MUST might be limiting.
There might be some use case scenarios for this profile where using
TLS is not actually required (e.g. other security mechanisms apply).
I would see that kind of requirement more for the ABFAB architecture
level than for this I-D level. Moreover, in the saml-profiles-2.0-os
document, the use of TLS is indicated as RECOMMENDED.
Speaking as an individual, I don't think there are any sane reasons
not to use TLS if you relax the requirements on credential
administration (e.g. run opportunistic TLS). Having said that, I think
RECOMMENDED is probably strong enough anyway.
speaking as another individual, you could go the route that other drafts
have taken and say something like:
TLS is REQUIRED unless alternative methods are used to ensure
confidentiality like IPSEC tunnels or a sufficiently secure internal
network.
That text sounds quite reasonable to me. I was also thinking of including
DTLS as an alternative.
In my mind DTLS would be acceptable if one says TLS is required. They are
the same basic mechanism in my mind. However, the use of DTLS in this
scenario is going to be somewhat problematic, as it would lead to even more
fragmenting. The big reason for using TLS/IP rather than DTLS is the
upcoming support for large packets.

Not clear that the large packet draft is written to allow it to be used in a
non-TLS situation. We probably need to verify that it is if we want to include
things like IPsec as options.

We have our fragmentation draft for UDP, so that should not be a problem.

Regards,
Alejandro


Jim

Regards,
Alejandro
Klaas


_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab