I too would like to figure out what the questions are. The draft is not
about carrying "authorizations" in TLS, or that "The main issue with
these authorization extensions inside TLS is that they happen at the
wrong layer" as stated by Hannes Tschofenig.
Authorization happens at the application layer. Data is transported at
the transport layer. The draft is about carrying data (SAML assertions,
attribute certificates, or pointers thereto) that can be used or ignored
by applications when those applications make authorization decisions.
What application domain is involved when I hand someone a certificate
(driver's license) stating that I was born on MMDDYYYY? It only becomes
part of an application domain when the "someone" is instantiated as a
store clerk who needs to decide whether I am authorized to buy
cigarettes or liquor. The clerk is doing the authorization, not the

Since Mr. Anderson is so exercised about the word "authorization" in the
name of the I-D, perhaps it should be renamed
"draft-ietf-tls-attributes-07". That would avoid the IPR issues
entirely, since one can transport an attribute certificate without ever
using it to authorize anything.

From: Josh Howlett
My experience: authorization is often related to the specific

I agree insofar as 'authorisation' is often an exercise in making
statements using semantics that are specific to application domains, but
I don't believe it follows that the syntactical and transport elements
(that support the semantic expression) also need to be specific to the

Looking forward to seeing your solutions.

I have no answers; I'm still trying to figure out what the questions are.