
RE: [TLS] TLS WG Chair Comments on draft-ietf-tls-authz-07

2009-02-13 04:41:28
Hi Hans,

Hannes wrote:
Melinda wrote:

and that there are some non-trivial advantages to carrying authorizations in-band. Namely...

I don't wish to speak for Melinda, but this is a view shared by many 
within my own community.

I have a long list of applications, collected from within this community, with which they would like to use SAML-based authorisation;

Interesting. Any interest to share it with us?

I'm in the process of trying to flesh it out at the moment, in a
collaboration with some of the communities concerned, so that we can
articulate some concrete use-cases. At the moment the list covers pretty
much everything that is presently used in an Inter-Institutional context
(AFS, SSH, VNC, RDP, SIP, SMTP, NEA, ...).

and it seems to me that the ability for application protocols to share a common mechanism for expressing authorisation would mitigate or perhaps even avoid the need to make application-specific authorisation extensions.

My experience: authorization is often related to the specific 
application domain.

I agree insofar as 'authorisation' is often an exercise in making
statements using semantics that are specific to application domains, but
I don't believe it follows that the syntactical and transport elements
(that support the semantic expression) also need to be specific to the
application domain.

Furthermore, working on SIP SAML I noticed the problems when 
you go down to specific solutions scenarios.

Can you expand?

(The fact that SAML-based Web SSO uses SAML that is bound to the application-layer is, I believe, only an artifact of a requirement to avoid modifying contemporary Web browsers and I don't think it is an approach that would necessarily be desirable for the general case.)

... a reasonable transition plan, in my view.

Sure.

The reason for the success of these IdM solutions, particularly OpenID.

(Well - OpenID has been a flop in my opinion. It has its uses, but not
very interesting ones. But I digress...)

Binding authorisation to TLS, as suggested by this document, is one 
approach that would satisfy the 'common mechanism'
requirement indicated previously.

Looking forward to seeing your solutions.

I have no answers; I'm still trying to figure out what the questions are
:-/

josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf