
Re: Federated Authentication Beyond The Web: Problem Statement and Requirements



Hi Klaas, 

sorry for the late response. 

Interesting statement. 

I agree that there are other approaches (and probably everyone would agree with that; we could even list Kerberos). 

However, the MOONSHOT BOF is (if I understood it correctly) constrained to the mentioned constraints. 

The usage of OpenID in SASL/GSS-API (like you pointed out) will be done in KITTEN independently and has different design constraints. 

Ciao
Hannes

> On 7/6/10 11:15 AM, Hannes Tschofenig wrote:
> 
> Hi Hannes,
> 
> > at the next IETF meeting we are going to have a BOF about "Federated
> Authentication Beyond The Web". In case you have not noticed the work relates
> to RADIUS and Diameter.
> >
> > I wrote this very short problem statement document to explain the
> purpose of the BOF:
> > http://www.ietf.org/internet-drafts/draft-tschofenig-moonshot-ps-00.txt
> >
> > Let me know if you find the description useful. Feedback about the BOF
> topic would also be appreciated.
> 
> I find the description useful, however I would like to challenge the 
> MUST for RADIUS and/or Diameter. There are a number of Federated 
> Authentication for application access protocols out there, SAML, OpenID 
> and others. RADIUS and Diameter are typically associated with network 
> access. And while I do see the attractiveness of marrying the two (and 
> thus leveraging existing trust fabrics), I wonder why you want to 
> restrict a priori to just those. As an example 
> draft-cantor-ietf-sasl-saml-ec-00.txt, draft-lear-ietf-sasl-openid-00, 
> and draft-wierenga-ietf-sasl-saml-00 specify the use of federated 
> authentication in a SASL context. And services like eduroam are an 
> example of the use of just RADIUS to implement federated authentication 
> for non-web applications.
> I do understand that it is not possible nor desirable to take on 
> everything, but let's at least have this scoping discussion in the BoF.
> 
> Klaas
> 
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
