I'm told there were around 30 people in the room. That seemed like a
good turn out for Thursday at 9 PM.
Many of the participants had already read some or all of the proposed
documents.
I presented a problem statement based on providing federated
authentication for non-web applications.
Two solutions were presented. I presented work on Moonshot, a
technology that combines EAP, GSS-API, RADIUS and SAML to solve the
problem. Eliot Lear and Klaas Wierenga presented a simpler solution
that uses browser-based SAML and Open ID.
The sense of the room was that these solutions compliment each other.
Moonshot requires more infrastructure and client configuration but
provides several advantages. The browser-based solutions are something
that requires fewer client changes.
Volunteers were collected from the EAP, GSS and RADIUS communities who
would be interested in working on these problems. Some of the work
discussed, possibly especially including the Open ID and SAML
browser-based solutions may be able to progress in kitten. I and I
believe several of the other Moonshot proponents would prefer to focus
the Moonshot work in one working group. Other solutions could also be
progressed in that group, although we should be careful not to slow down
work that could progress quickly in kitten by moving it into an
as-yet-unchartered group.
There seemed to be strong support for going forward. However, several
things to address in a BOF were raised with regard to the Moonshot work.
* Steve Bellovin pointed out that we need to be very aware of the
operational impact and how this fits with the operational model of the
technologies that are used/extended.
* Klaas pointed out that Moonshot involves changes to a lot of different
components. We need to make sure that there are incremental
advantages to each of these changes so they will be deployed: a system
where there is no benefit until the end when all the peaces fall
together is much harder to deploy.
* Klaas pointed out that we need to consider the operational security
around how RADIUS federations are deployed. If network access is not
considered sensitive today, people may be more lax in the security
surrounding their RADIUS infrastructure. If we use that
infrastructure to secure more sensitive resources we need to have
practices that tighten up the security of the infrastructure
sufficiently.
* Someone brought up that this is another one of those authentication
proposals where user-interface is critical. While we should not lay
out dialogues in the IETF, we're going to need to describe the
usability aspects of this enough to increase the probability of a good
security solution.
People specifically asked to look at the following:
* Complexity
* What can't be handled with simpler solutions
* Is Moonshot broad enough in scope?
* The UI questions
Since the bar BOF, there has been a lot of traffic on the list and work
continues.
We're definitely going to put together a BOF request for IETF 78.
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
