co-chairs: Leif Johansson, Klaas Wierenga

The abfab WG met in the morning session on Friday (29-7-'11).
Note taker: 'RL' Bob Morgan

There were a number of presentations on existing work as well as 3 presentations on new work.

WG items and chartered work
===========================

Core specs (Sam Hartman)
------------------------

The documents are in good shape; the last versions include text on token format, state machine and channel binding.

To do:
- Clean up ABNF
- Register URN name space (Jim Schaad volunteers to help with that)
- Add example token from wire trace
- Add OID for error codes

Channel binding text is specific to RADIUS; need to make it Diameter compatible. Hannes Tschofenig, Mark Jones and Sam discuss where to put this (core drafts or in the Diameter abfab doc). Leif urges authors to coordinate across docs; authors agree.

More open issues:
- make consistent with radext-radius-extensions
- make naming extensions consistent with kitten mechanisms
- attach contexts to attribute names to distinguish SAML attribute from Kerberos attribute?

RLBob: solving problem of attribute provenance? research problem?
Sam: boils down to sticking a string on the front of the attr, so it will mean something to a human; need to be consistent with kitten

Jim Schaad, Karen O'Donahue, Alan DeKok and Alexey Melnikov volunteer to review the draft.

Diameter draft (Mark Jones)
---------------------------

continuing to work on draft ...

EAP applicability statement (Klaas for Joe Salowey)
---------------------------------------------------

There has been discussion on the list; this will be incorporated.
Needs review from EMU
Expected to be ready for WGLC in September

Architecture draft (chairs)
---------------------------

Eliot proposes to remove normative language, resubmit
Sam: offending text is already in mechanism draft
Klaas: will accept as WG doc when new version is submitted

OID registry (Rhys Smith)
-------------------------

OID arc is assigned, no aspiring registrants yet
Leif: should option OIDs in Luke Howard's work be there?
Sam: option OIDs are just internal detail, will clarify with Luke

UI considerations draft (Rhys Smith)
------------------------------------

3 areas:
- managing identities
- automated/manual management of ids into client
- handling usernames/pwds

discussion: identities/identifiers/accounts/credentials; careful wording is needed here
Leif: this is guidance to implementors for explaining things to users

Mapping services to ids:
- managing which identities are to be used with which services: automated/manual/dis-associating
- handling errors: errors in any of the steps/components

Sam: need to factor in limitations due to GSS hiding errors from clients, and limitations on what users can handle; also: should application or client UI ask for password?
Leif: should look at draft-iab-identifier-comparison

Sam Hartman, Jim Schaad, Lucy Lynch agree to review

New work
========

gss-eap as Kerberos pre-authentication (Alejandro Perez)
--------------------------------------------------------

Leif: this work is currently not being considered as WG work

- Kerberos widely used, but not federated
- use GSS-EAP for Kerberos pre-auth
- transparent to existing Kerberized services

"visited" KDC acts as GSS acceptor, EAP requestor; "home" KDC acts as EAP responder, can send SAML attrs for authz use
after GSS authn, visited KDC could get additional attributes via SAML from home IdP
visited KDC then packages up stuff for Kerberized app

Sam: very cool, looking to adapt it to a problem he has ...
Klaas: WG work? discussed with kitten and kerberos WG chairs and AD; propose not to decide now, wait until next IETF
Sam, Leif and Klaas: explain the implications of handing over change control to IETF and urge authors to take this into consideration.

Federated cross-layer access (Yinxing Wei)
------------------------------------------

- leveraging mobile operator authentication for higher-level service access, aka federated cross-layer access
- telecom provider acts as IdP for Internet-typical services

adopt this use case into abfab WG?
Mark Jones: how does it relate to GBA? need to explain this in draft
Hannes: seems like abfab as defined covers this case
Leif: abfab use-cases doc cases are not as detailed as this one
Yinxing: may not require any new technical work
Klaas: unclear whether 3GPP/GBA work will just fit in with this case; should further develop this case to try to show that
Hannes: 3GPP working on other things besides GBA
...: but all framework is based on GBA
Stephen Farrell (AD): hoping it will turn into a more substantial draft
Leif: please contribute short summary to use-case draft authors
Yinxing: will do

Multihop federations (Margaret Wasserman)
-----------------------------------------

- new work built on core abfab, not asking for it to be WG doc at this time
- mechanism for automating trust establishment across multihop feds
  example RADIUS routing problem: finding ja.net
  use network routing analogy
  is radsec a solution? only if there's a single PKI underneath
- KNP enables trust establishment transitively among AAA nodes
  see KNP draft for that
- TrustRouter enables finding a useful path
  each KNP hop is a Trust Link
  TrustRouter designed to use KNP, but could be separated from it
  TrustRouter may use BGP-based algorithm, not BGP itself
  algorithm for calculating tree
  full example shown
- TrustRouter and KNP shown to radext and OpsArea this week
  constructive feedback given

Jim Schaad: what about ill-behaving AAA proxies in path?
Margaret: that would be the end of the path, probably
Jim: path to standardization?
Margaret: would be part of a set of at least 3 docs: multihop arch; trust router; KNP
  so still work to do - don't want to impede abfab now
  could ask for recharter to include this work in November
  abfab-specific now, could be applied more widely, e.g. to radsec
Sam: abfab arch doc mentions 3 kinds of trust mechs; trust broker is just one

milestone update (chairs)
-------------------------

- Work is ongoing, we are in good shape
- Interest in new work coming in, can't happen until current work finished
- Have firm commitments to meet Sept 2011 deadlines for several drafts: use cases, EAP applicability, SAML in radius/diameter
- December deadlines: Sam uncomfortable with December deadline for naming, Jan or Feb better; GSS-EAP and architecture drafts fine
- Feb 2012: usability and UI

Meeting adjourned at 11:02 EDT
Moonshot demo to follow

Action Items and Volunteers
===========================

- Jim Schaad: volunteer to register URN under IETF namespace
- Hannes Tschofenig, Mark Jones and core docs authors: address Diameter channel bindings
- Review of core specs volunteers: Karen O'Donahue, Alexey Melnikov, Alan DeKok, Jim Schaad
- Rhys Smith: make explicit the fact that PADL OIDs are not supposed to be public; read and ponder the IAB identifier draft
- Review of UI: Sam Hartman, Lucy Lynch, Jim Schaad
- Alejandro and University of Murcia team: think about whether to bring the work to the IETF and talk to chairs of kitten, kerberos & abfab
- Yinxing: send mail to list with 1 paragraph for the use-case document