[08:35:22] Klaas Wierenga joins the room
[08:59:22] Klaas Wierenga leaves the room
[09:17:28] Klaas Wierenga joins the room
[09:45:42] Klaas Wierenga leaves the room
[12:56:42] Alan DeKok joins the room
[13:04:04] can we do a check to see how much the audio is delayed? In some other WGs, it's been 5-6 seconds, which makes it difficult to give timely feedback
[13:05:58] rafa.marinlopez joins the room
[13:06:04] mrex joins the room
[13:07:02] alejandro.perez.mendez joins the room
[13:07:39] Klaas Wierenga joins the room
[13:08:02] David Cooper joins the room
[13:11:46] Melinda joins the room
[13:12:03] sftcd joins the room
[13:12:32] hartmans joins the room
[13:13:39] Martin, thanks for joining us.
[13:14:38] Simon Josefsson joins the room
[13:14:42] jimsch1 joins the room
[13:15:17] lef.jp joins the room
[13:15:24] lellel joins the room
[13:15:41] I can hear the mike
[13:16:12] jhutz@jis.mit.edu/owl joins the room
[13:17:38] jhutz@jis.mit.edu/owl has set the subject to: ABFAB WG | http://tools.ietf.org/wg/abfab/
[13:18:06] lukeh joins the room
[13:18:14] leifj joins the room
[13:18:55] Klaas Wierenga leaves the room
[13:19:44] And also SAML helps with multiple attribute provider, delegation and a lot of other complex use cases.
[13:20:03] (I don't want anything relayed obviously since I'm sitting here)
[13:22:07] perhaps somebody could relay for lukeh?
[13:22:40] Linus Nordberg joins the room
[13:24:06] I haven't seen anything from luke. certainly I'll relay if needed.
[13:24:22] just listening, thanks.
[13:24:41] is the audio ok?
[13:25:02] audio is fantastic
[13:25:03] leifj: great on 3rd row
[13:25:06] slides available?
[13:25:18] it's like I'm in the room, incredible.
[13:25:21] https://datatracker.ietf.org/meeting/80/materials.html
[13:29:32] tlyu joins the room
[13:32:31] semery joins the room
[13:37:24] As I understand, what Microsoft is doing with HTTP Negotiate (rfc4559) is to use TLS channel bindings for Kerberos, and with Kerberos, the channel bindings are transferred in a protected fashion to the acceptor, and the acceptor can therefore apply discretion of using or ignoring the channel bindings checksum based on what the acceptor side application caller has supplied through the GSS-API -- and similar with the absence of initiator-supplied channel bindings
[13:38:38] Martin, that is my understanding too.
[13:38:49] I'm proposing adding a way to do that in GSS for mechanisms that can support that.
[13:39:00] that approach does not work if a password-based gssapi mechanism adds the channel-bindings in some kind of challenge approach
[13:39:30] If it is in the challenge it does not work.
[13:39:53] However, we don't have any standards track mechanisms that do that. For example, scram includes it in client->server but not in the challenge.
[13:40:00] So, yes, it would have to be an optional service.
[13:40:16] I don't think any of the standards-track mechanisms we have or are likely to have will have that problem.
[13:40:37] jhutz: agreed.
[13:40:47] I think even LIPKI will be fine for this.
[13:41:46] Fabian Mauchle joins the room
[13:42:30] Particularly, I think we care about Kerberos, IAKERB, PKU2U, SCRAM, whatever you're calling the EAP-based thing for abfab. Maybe some SPKM thing; I'm not sure.
[13:42:46] For protection from an active attacker, the optional channel bindings need to be protected so that they can't be removed from the authentication, and the initiator must protect all other authentication environments from being able to force creation of a compatible authentication request without channel bindings
[13:42:53] Interestingly, all of those use 4120 message tokens. hm.
[13:43:12] Yes, Martin, we know how channel bindings work.
[13:44:13] Martin, thanks for stating it so clearly.
[13:44:32] While I agree with Jeff that we do know that, it's very useful to have it clearly stated for security considerations.
[13:44:48] It's not "campus services" that are interesting. It's federated access to systems in my department for my users' colleagues at other institutions that they are collaborating with. I was at least half serious when I mentioned AFS.
[13:45:00] I'm sorry -- I did not mean to imply by any means that you did not know that.
[13:46:00] jhutz: No actually we have had one person really mean campus services
[13:46:02] within a campus.
[13:46:08] Yeah, me too -- Sam is right, and I think you may have just contributed to the security considerations text. :-)
[13:46:58] Oh, sure, but Rhys asked for a concrete use case, and I think we have one -- we constantly have requests from users to create accounts for colleagues from other institutions so they can access files, log in to machines, etc.
[13:48:23] Agree with Jerry about the "campus scenario" vision
[13:48:23] Klaas Wierenga joins the room
[13:48:36] Klaas Wierenga leaves the room
[13:49:42] kouril joins the room
[13:50:23] who?
[13:50:35] sorry Jeffrey
[13:50:37] look at slides for names
[13:51:27] Klaas Wierenga joins the room
[13:52:46] radsec server support should be available soon
[13:53:22] Are you actually in the meeting room?
[13:54:13] What, an upside down diagram? ;)
[13:55:03] I'm remote
[13:56:21] Hey, look! Abstractions are actually useful!
[14:00:33] Also, we probably need to generalise it. gss_acquire_cred_ex() that takes OID, opaque data. That means we can probably do impersonate_name, acquire_cred_with_cert, etc.
[14:01:07] Thomas Roessler joins the room
[14:01:22] leifj leaves the room
[14:01:38] leifj joins the room
[14:02:32] Do you want channelling, luke?
[14:02:43] Don't worry.
[14:03:17] tlyu leaves the room
[14:03:25] David Cooper leaves the room
[14:03:34] sftcd leaves the room
[14:03:34] Ted Ts'o had sent a proposal for a callback from gss_acquire_cred() using a new variant of gss_acquire_cred() with an additional callback function parameter
[14:03:39] Alan DeKok leaves the room
[14:03:42] jimsch1 leaves the room
[14:03:46] lellel leaves the room
[14:03:46] Yeah, there is something like that in Heimdal but it's not complete.
[14:03:49] to the CAT mailing list
[14:04:07] it was around 1999
[14:04:15] goodness me
[14:05:19] 13-Jan-1999 -- I don't know whether there is a CAT mailing list archive accessible online so that one could reference that message/discussion directly via URL
[14:06:56] hartmans leaves the room: Disconnected
[14:06:56] actually it was a new separate API call "gss_register_conv_function()" that'll cause the callback during gss_acquire_cred() it seems
[14:07:40] Linus Nordberg leaves the room
[14:08:15] rafa.marinlopez leaves the room
[14:10:07] kouril leaves the room
[14:10:55] alejandro.perez.mendez leaves the room
[14:13:00] Thomas Roessler leaves the room
[14:13:18] Thomas Roessler joins the room
[14:14:31] Thomas Roessler leaves the room: Replaced by new connection
[14:14:33] Thomas Roessler joins the room
[14:14:36] leifj leaves the room
[14:15:40] semery leaves the room: Disconnected
[14:17:12] Melinda leaves the room
[14:17:58] lef.jp leaves the room
[14:18:11] Thomas Roessler leaves the room
[14:18:36] jimsch1 joins the room
[14:18:39] Klaas Wierenga leaves the room
[14:18:58] jimsch1 leaves the room
[14:20:03] Simon Josefsson leaves the room
[14:21:35] Fabian Mauchle leaves the room
[14:26:05] semery joins the room
[14:26:29] lukeh leaves the room
[14:42:52] lef.mutualauth joins the room
[14:45:19] semery leaves the room
[14:59:50] lef.mutualauth leaves the room
[15:00:21] Simon Josefsson joins the room
[15:02:00] Klaas Wierenga joins the room
[15:02:15] OK, that's interesting. I was just thinking of something along those lines near the end of today's session, though I don't remember if I actually said anything about it to anyone.
[15:19:39] Klaas Wierenga leaves the room
[15:24:10] Tomas Podermanski joins the room
[15:24:20] Tomas Podermanski leaves the room
[15:38:35] Simon Josefsson leaves the room
[18:06:12] DaveM joins the room
[18:06:33] DaveM leaves the room
[18:07:03] jhutz@jis.mit.edu/owl leaves the room
[19:17:32] Klaas Wierenga joins the room
[19:17:46] Klaas Wierenga leaves the room
[22:58:40] mrex leaves the room