Minutes for ABFAB at IETF-93
minutes-93-abfab-1

Meeting Minutes Application Bridging for Federated Access Beyond web (abfab) WG
Date and time 2015-07-20 15:40
Title Minutes for ABFAB at IETF-93
State Active
Last updated 2015-07-20

ABFAB Notes IETF93
==================

* UI Considerations
  + 3-minute summary
  + Document has been revved based on feedback
  + More comments forthcoming
  + Anticipate getting it finished this week
    - Leif hopes for WGLC by this Friday
    - And writeup stage before September
* AAA-SAML
  + Main issue: mapping between SAML names and AAA names
    - Proposal went out yesterday
  + Other relevant issues
    - Include a nomenclature table (done)
    - Change the name of "SAML Message Attribute" to "SAML Protocol"
    - Q: Are domain-only NAI representations allowed in the Network Access
      Identifier Name Identifier Format?
      - A1: NAI allows that
      - A2: If we don't allow that, we'd need another convention for anonymous
        naming, so might as well use the one that exists
    - Q: Should section 6.1 Confirmation Method identifiers also refer to the
      ones in section 8.1?
      > A: Jim got an answer from Scott, then forgot it
  + Proposal for wrapping SAML in RADIUS data
  + Proposal to name an AAA identity using a URI
    - Sam didn't like that.
    - Go through an example RP metadata
  + Sam at mike: Thanks to Alejandro for moving this forward
    - Registering a RADIUS URI? Might be difficult.
    - Want to discuss the metadata structure - if the registering were easy,
      would this be what we want?
      > Leif: This looks pretty close to what he would like
      > Leif: Do we need a role descriptor for this?  Use the one that already
        exists, but does it need a different binding?
    - Trying to register will be a lot of work
      > Especially for a URI scheme without hostname or port or such
      > We'll have to talk to APPS and RADExt more than we want to
      > Q: Could we add extra attributes?
        o Want to specify a placeholder URI for now, and replace it in the
          future if we need.
        o The endpoint type has a required binding location; response location
          is optional; local namespace attributes can be added
        o Propose to define a URN that indicates that location is
          context-dependent
        o Define a location that is "NO"
        o Attributes for NAI, NSID, GSS Name
        o This gets us out of defining a new URI
        o This also allows the use of a location URI, if someone comes up with
          it eventually.
        o Maybe put extensions on the RoleDescriptor types.
      > If RoleDescriptor doesn't need an endpoint, why don't we just get rid
        of the URN and stick it in the RoleDescriptor?
        o Leif: Yeah, they don't need endpoints
        o Alejandro thinks that he knows how to move forward on that
        o Sam is in favor
        o Jim Schaad: So, basically we're splitting the name into other pieces?
        o Leif: We're much more worried about binding the name to a key
        o Leif: We're going to have to do cross-review with SSTC / OASIS
      > Who will take this to the SSTC / OASIS?
* Extra scheduled work
  + Stefan Paetow's presentation
    - SSH as a use case
    - Use ABFAB to do domain transitions
    - Log in to one system, then use that system to access further systems
    - Like SSH agent forwarding or XXXX from OAUTH
    - Cheznet did a proof of concept of getting an EAP-TTLS token
    - Interesting question: Can we get enough people to do the work?
      > Need more than JISC and Painless Security people to get enough review
      > ... and implementation!
* Where to go from here
  + Credential delegation
  + Ephemeral keying
  + Do we recharter with a couple of extension proposals?
    > Does Stephen want to get rid of us desperately?
    > Well, not desperately...
    > Finish the current set of documents first
    > Want to be finished by Yokohama
    > Will people be at Yokohama?  Or Buenos Aires?
    > Maybe have an interim or virtual interim?
    > Another option is to close the WG and have AD-sponsored documents for the
      remainder
  + Consensus: Finish what we have, then have an interim meeting
* Open mike:
  + GSSWeb
    > A Chrome and Firefox extension coupled with an Apache module to do
      GSS-EAP authentication
  + Launch of the academic service in the UK
    > Corresponding GEANT project to do the same, turn it into a global service