In the Plasma work effort we have spent much of the last month thinking about and doing some discussions on the question of delegated access. In the process we have located the following SAML document, http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-delegation-cs-01.pdf, which discusses how to create a SAML statement which has the delegation information built in. This gives us what we need in order to do the evaluation on the RP about what delegation has occurred.
The problem is that there is currently no way to discuss the questions of delegation in the EAP protocols that I know of. This has not been a problem when we were looking at just the question of accessing a network; however, the additional resources that we are now looking at because of ABFAB are now starting to make this an interesting question to look at.

The questions that I would have for the EMU group are:

1. Is there any interest in looking at the issues of how one requests a delegated access to occur?

2. What set of restrictions are going to be necessary for doing delegation? At present, since the only cases that I care about are going to be the ABFAB cases, all I would actually need is the ability to say in one of the tunneled messages a simple statement to the effect that "I want delegate access to <name>" which would either be granted or denied.

3. If we do delegated access, what things other than the SAML statement returned in the ABFAB context need to be changed?

4. Do we need to be able to do both delegation, where the delegation process is understood by the RP, and impersonation, where the RP may not be able to tell that the authenticated entity is not really the same as the named entity returned to the RP from the IdP?

5. Are there other issues that need to be discussed?

Jim

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
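As an added illustration of the RP-side evaluation the message refers to (the check of "what delegation has occurred" from the SAML statement), and of why an RP that sees a delegation chain is in a different position from one facing impersonation (question 4), here is a small Python example. It is not code from the Plasma, ABFAB or EMU work and not from the OASIS document; it assumes the delegation condition shape of that SAML profile (a `Condition` of type `DelegationRestrictionType` in the `urn:oasis:names:tc:SAML:2.0:conditions:delegation` namespace, carrying ordered `Delegate` elements), treats the last listed delegate as the party presenting the assertion, and uses a constructed allow-list policy and constructed, unsigned sample assertions. Signature validation, which a real RP does first, is out of scope here.

```python
"""RP-side evaluation of a SAML 2.0 delegation condition (added example).

The assertion builder produces constructed, unsigned samples for illustration;
the allow-list policy and the "last delegate is the presenter" reading are
assumptions made for this example, not part of any specification text quoted
on the page.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation",
}


def build_assertion(subject, delegates,
                    not_before="2011-03-01T10:00:00Z",
                    not_on_or_after="2011-03-01T10:05:00Z"):
    """Constructed sample assertion. `delegates` is a list of (name, instant)
    pairs in delegation order; an empty list yields a plain, undelegated one."""
    delegate_xml = "".join(
        f'<del:Delegate DelegationInstant="{instant}" '
        f'ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:NameID>{name}</saml:NameID></del:Delegate>'
        for name, instant in delegates)
    condition = (f'<saml:Condition xsi:type="del:DelegationRestrictionType">'
                 f'{delegate_xml}</saml:Condition>') if delegates else ""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'ID="_constructed-1" Version="2.0" IssueInstant="2011-03-01T10:00:00Z">'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'{condition}</saml:Conditions></saml:Assertion>')


def parse_time(value):
    """SAML dateTime values in these samples are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def delegation_chain(root):
    """Collect (name, instant) for every Delegate in document order.
    Matching is done on the namespace-qualified del:Delegate children, which
    ElementTree resolves reliably, rather than on the xsi:type prefix string."""
    chain = []
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        for d in cond.findall("del:Delegate", NS):
            chain.append((d.findtext("saml:NameID", namespaces=NS),
                          parse_time(d.get("DelegationInstant"))))
    return chain


def evaluate_at_rp(assertion_xml, allowed_delegates, now):
    """Decide how the RP should treat the assertion.

    Returns a dict with decision 'direct' (no delegation recorded),
    'delegated' (every delegate permitted, chain in time order) or 'reject'.
    The subject stays the original user; acting_party is who the RP is really
    talking to, which is exactly what impersonation would hide."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        return {"decision": "reject", "reason": "no Conditions element"}
    nb, noa = parse_time(conds.get("NotBefore")), parse_time(conds.get("NotOnOrAfter"))
    if not (nb <= now < noa):
        return {"decision": "reject", "reason": "outside validity window"}
    chain = delegation_chain(root)
    if not chain:
        return {"decision": "direct", "subject": subject,
                "acting_party": subject, "chain": []}
    for name, instant in chain:
        if name not in allowed_delegates:
            return {"decision": "reject", "reason": f"delegate not permitted: {name}"}
        if not (nb <= instant < noa):
            return {"decision": "reject", "reason": f"delegation instant out of window: {name}"}
    instants = [i for _, i in chain]
    if instants != sorted(instants):
        return {"decision": "reject", "reason": "delegation chain out of order"}
    names = [n for n, _ in chain]
    return {"decision": "delegated", "subject": subject,
            "acting_party": names[-1], "chain": names}


if __name__ == "__main__":
    now = datetime(2011, 3, 1, 10, 2, tzinfo=timezone.utc)
    policy = {"https://portal.example.org"}
    print(evaluate_at_rp(build_assertion("alice@example.org",
          [("https://portal.example.org", "2011-03-01T10:01:00Z")]), policy, now))
    print(evaluate_at_rp(build_assertion("alice@example.org", []), policy, now))
```

The point of separating `subject` from `acting_party` in the result is the one raised in question 4: with a delegation condition present, the RP can apply policy to the intermediary (here an allow-list) while still attributing the request to the user; with impersonation there is no such chain to evaluate, so the RP's only defence is trust in the IdP.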