Re: [TLS] Authorization extension test server available
Russ Housley <housley@vigilsec.com> Thu, 22 February 2007 16:09 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HKGVH-000286-Mh; Thu, 22 Feb 2007 11:09:07 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HKGVG-00026Q-MB for tls@ietf.org; Thu, 22 Feb 2007 11:09:06 -0500
Received: from woodstock.binhost.com ([66.150.120.2]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HKGVE-000148-DB for tls@ietf.org; Thu, 22 Feb 2007 11:09:06 -0500
Received: (qmail 14809 invoked by uid 0); 22 Feb 2007 16:02:15 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (72.66.14.186) by woodstock.binhost.com with SMTP; 22 Feb 2007 16:02:15 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 22 Feb 2007 11:02:09 -0500
To: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [TLS] Authorization extension test server available
In-Reply-To: <87tzxeilse.fsf@latte.josefsson.org>
References: <87tzxeilse.fsf@latte.josefsson.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Message-Id: <E1HKGVH-000286-Mh@megatron.ietf.org>
Simon: >Hi all! GnuTLS now supports the TLS authorization extension, and I'm >wondering if anyone is interested in interop testing of this feature? > >Our public test server supports RFC 4680 and >draft-housley-tls-authz-extns-07 in case someone wants to point their >clients towards a server: > >http://www.gnu.org/software/gnutls/server.html Very cool. >It may be too late to change the specifications, but my comments after >implementing this were: > >- The size of authorization data, i.e., X.509 attribute certs and SAML > assertions, are limited to 64kb. Is it certain that we won't need > more? I have little experience with SAML, but 64K is a lot of space for attribute certificates. >- There is no discussion on authorization failures. Should the > handshake be aborted? This is complicated by the fact that the > authorization data is sent _before_ authentication data. Typically > you wait until authentication is complete before processing > authorization data. We discussed this while developing the specification. The current document is the cleanest way to use the extension mechanism that we could devise. And, no one offered a better alternative during the review process. Of course, implementation and deployment experience may show us a better way. If the authorization requirements are not satisfied, then the TLS session should be shutdown. I would expect the access_denied fatal alert to be used. Russ _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Authorization extension test server availab… Simon Josefsson
- Re: [TLS] Authorization extension test server ava… Russ Housley
- RE: [TLS] Authorization extension test server ava… Ari Medvinsky