IETF middleware highlights, Leif Johansson, SWAMI.se (PowerPoint PPT Presentation)

slide-1
SLIDE 1

IETF middleware highlights

Leif Johansson SWAMI.se

slide-2
SLIDE 2

IETF

  • Internet Engineering Task Force
  • Internet-Drafts turn into RFCs by magic:

slide-3
SLIDE 3

NEA

Patches? We don't need no stinkin' patches!

slide-4
SLIDE 4

NEA

  • Network Endpoint Assessment
    – Network Admission Control (NAC)
    – Trusted Network Connect (TNC)
    – Network Access Protection (NAP)
  • Send host patch status to a PDP who decides if you get bits...
  • Abstract protocol (most likely) with (primarily) EAP-bindings

slide-5
SLIDE 5

NEA problems

  • Lying clients
  • Unclear problem statement
  • What about IDSen or Anti-Virus software?
  • Federated EAP
    – Home institution does NEA policy evaluation
    – SP should probably have a say on whether to allow the client to connect...

slide-6
SLIDE 6

NEA & EduRoam

  • NEA clients will probably conflict with 3rd party EAP-clients
    – Tough luck...
  • NEA may not understand federations
    – Probably fixable (if NEA is chartered)

slide-7
SLIDE 7

EMU

Billions and billions of mechanisms...

slide-8
SLIDE 8

EMU

  • EAP-TLS to standards-track
    – ... won't affect Vista though :-(
  • Additional mechanisms
    – Strong shared-secret
    – Password-based

slide-9
SLIDE 9

SAML

And SAML shall inherit the protocol stack...

slide-10
SLIDE 10

Worth notice...

  • draft-housley-tls-authz-extns-07.txt
  • krb-wg
    – anonymity
    – PADATA authz data (cf. Active Directory)
  • dix
    – self-asserted identity SAML profile?
  • SIP SAML Profile
    – draft-ietf-sip-saml-00.txt

slide-11
SLIDE 11

WAE

We got your phish right here...

slide-12
SLIDE 12

WAE (BOF)

  • Web Authentication Enhancements
    – The ”Elliots-dad”-problem
    – Phishing-protection (i.e. service auth)
    – Even more SAML
    – DIX
  • openid
  • yars
  • dixs
    – ”I own my blog”-authentication

slide-13
SLIDE 13

Channel Bindings

Layering violations for fun and profit!

slide-14
SLIDE 14

Channel Bindings

  • Layering violations for fun and profit
  • Originated in NFSv4 & IP storage
    – Reuse of secure channels
    – Making ”let's just use IPSec” kosher
  • BTNS (better than nothing security)
    – leap-of-faith
    – ssh-semantics

slide-15
SLIDE 15

Channel examples

  • IPSec + GSSAPI
  • TLS + Digest-MD5
  • HTTPS+Negotiate

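As an added illustration (not from the slides) of why the inner mechanism in pairings like TLS + Digest-MD5 or HTTPS + Negotiate should be bound to the outer channel: a Python simulation in which a tls-unique style value is mixed into the inner authentication MAC, so that an interposed TLS-terminating relay, which gives the client and the server two different TLS sessions, makes the server's verification fail. The shared secret, the nonce and the Finished bytes are constructed placeholders, and `tls_unique` is a stand-in derivation, not a real TLS implementation.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the inner authentication mechanism (illustration only).
PASSWORD = b"correct horse battery staple"


def tls_unique(finished_msg: bytes) -> bytes:
    """Stand-in for a tls-unique style channel binding: a value both ends of ONE
    TLS session can derive from its first Finished message, but which differs
    between two distinct TLS sessions."""
    return hashlib.sha256(b"tls-unique:" + finished_msg).digest()


def auth_token(secret: bytes, nonce: bytes, binding: bytes) -> bytes:
    """Inner mechanism's proof of possession (HMAC over the server nonce).
    Mixing the channel binding in ties this proof to one specific channel."""
    return hmac.new(secret, nonce + binding, hashlib.sha256).digest()


def server_accepts(secret: bytes, nonce: bytes, server_binding: bytes, token: bytes) -> bool:
    """Server recomputes the token using ITS OWN view of the channel binding."""
    return hmac.compare_digest(auth_token(secret, nonce, server_binding), token)


def run_exchange(interposed_proxy: bool, use_binding: bool) -> bool:
    """Simulate one authentication. With a TLS-terminating proxy in the path there
    are two TLS sessions, so the client's and the server's Finished bytes (and hence
    their binding values) differ; the token itself is relayed unchanged."""
    client_finished = secrets.token_bytes(12)           # constructed sample bytes
    server_finished = secrets.token_bytes(12) if interposed_proxy else client_finished
    nonce = secrets.token_bytes(16)
    client_cb = tls_unique(client_finished) if use_binding else b""
    server_cb = tls_unique(server_finished) if use_binding else b""
    token = auth_token(PASSWORD, nonce, client_cb)
    return server_accepts(PASSWORD, nonce, server_cb, token)


if __name__ == "__main__":
    print("direct, no binding   :", run_exchange(False, False))  # True
    print("proxy,  no binding   :", run_exchange(True, False))   # True: relay goes unnoticed
    print("direct, with binding :", run_exchange(False, True))   # True
    print("proxy,  with binding :", run_exchange(True, True))    # False: mismatch detected
```

Without the binding the relayed token verifies even though the server is not talking to the client's TLS session; with it, the two ends' channel values disagree and the login is rejected.
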
slide-16
SLIDE 16

Q?