[06:50:04] Klaas Wierenga joins the room
[07:00:25] Melinda joins the room
[07:00:28] Klaas Wierenga leaves the room
[07:00:40] hartmans joins the room
[07:00:41] jimsch joins the room
[07:00:57] lef joins the room
[07:02:31] Gabriel Lopez joins the room
[07:02:39] lel joins the room
[07:02:43] Rhys joins the room
[07:03:32] Josh Howlett joins the room
[07:03:59] Linus Nordberg joins the room
[07:04:51] sftcd joins the room
[07:05:24] Wolfgang Beck joins the room
[07:06:02] barryleiba joins the room
[07:07:05] leifj joins the room
[07:10:17] alejandro.perez.mendez joins the room
[07:10:58] lhoward joins the room
[07:11:13] jhutz@jis.mit.edu/owl joins the room
[07:12:13] lhoward leaves the room
[07:12:27] lukeh joins the room
[07:13:18] I'm here, but I'm at my folks for dinner so participation may be limited.
[07:13:20] Rhys leaves the room
[07:13:45] I think we do WELLKNOWN:ANONYMOUS in the current implementation (but we do set GSS_C_ANON_FLAG, and that's probably more important)
[07:13:59] How's the audio?
[07:14:35] semery joins the room
[07:14:59] it's good and I'm over WiFi through several walls
[07:15:03] Rhys joins the room
[07:15:24] yeah, it's good for me too
[07:16:28] OK, I'll shut up about Moonshot then :)
[07:16:36] hhehe
[07:17:39] let me know if you've got questions/comments to relay
[07:17:59] thanks
[07:18:35] lef leaves the room
[07:19:02] lef.mutualauth joins the room
[07:28:19] stpeter joins the room
[07:29:07] slides link please?
[07:29:44] http://tools.ietf.org/wg/abfab/agenda
[07:30:03] drafts I can see, slides not
[07:30:07] ah sorry
[07:30:15] I can't read
[07:30:21] or write ;)
[07:30:29] correct
[07:30:34] http://www.ietf.org/proceedings/80/slides/abfab-8.pdf
[07:31:00] currently on slide 7
[07:31:20] got it
[07:33:31] Josh Howlett leaves the room
[07:33:44] Josh Howlett joins the room
[07:35:29] Hugh_Daniel joins the room
[07:37:43] You could put that state in the channel bindings.
[07:38:37] eburger joins the room
[07:40:14] rafa.marinlopez joins the room
[07:40:14] Option 5 would be to revise RFC 3961
[07:40:22] That demands a lot of implementors
[07:40:27] Please channel
[07:40:32] sure thing
[07:41:33] The stuff that needs to be confirmed, could be put in GSS channel bindings, could it not?
[07:42:41] Remind speakers to speak clearly into the mic.
[07:43:09] Right
[07:43:16] Finalize is compatible
[07:43:33] I guess it mightn't work with CCM
[07:43:46] Yeah, good point.
[07:43:49] buckeyeskeeve joins the room
[07:44:31] Yeah, what Jeff said, I'm not adding anything.
[07:44:34] We can hear Melinda better now.
[07:44:38] Satoru Kanno joins the room
[07:45:38] I can think of something evil; it basically involves the server making up a key at the start of the exchange to use in computing the finish hash, and then conveying that key to the client at the end of the exchange.
[07:46:04] But I'm not sure I'm thrilled about the server choosing that key unilaterally rather than involving the client in its selection.
[07:46:56] onto http://tools.ietf.org/agenda/80/slides/abfab-9.pptx
[07:47:21] jhutz: client contributes something.
[07:47:35] Server computes k, but uses k2 = prf(client_contribution)
[07:47:43] server discloses k, client computes k2
[07:47:50] hartmans loves it
[07:48:28] Oh, yes, you could do that, if the client provides its contribution in the first message.
[07:49:19] Josh: this is just a standard RADIUS AVP, not one with an embedded type/length/value?
[07:50:58] A question for Sam: sorry to backtrack, should GSS_C_NT_ANONYMOUS be set only for the completely empty name, or for @realm?
[07:51:17] I answered that already.
[07:51:23] You can set it only for fully anonymous names.
[07:51:28] Great.
[07:51:29] Thanks Jeff.
[07:51:44] sorry.
[07:51:45] we'll come back to that in a minute
[07:51:47] thanks.
[07:51:56] lukeh: only completely anonymous
[07:52:11] RFC 6112 clarifies 2743 in this regard.
[07:52:37] See the first paragraph of section 6 of RFC-to-be 6112 (aka draft-ietf-krb-wg-anon-12.txt) which describes how this works for Kerberos
[07:52:53] Ditto for GSS_C_ANON_FLAG on acceptor or?
[07:52:58] Sorry I should read the RFC.
[07:53:09] Yes, the same.
[07:53:12] Thanks
[07:53:20] You should, preferably before it unblocks from AUTH48 :-)
[07:56:52] http://tools.ietf.org/agenda/80/slides/abfab-6.ppt now
[07:59:26] But it contains redundant information, does it not, because it could be understood from the XML?
[08:03:28] It seems to me that if the binding requires a request and response, then we can still have one attribute, and then the direction determines the type of message.
[08:03:47] And why cannot it be extensible by virtue of the underlying XML? I don't know if there's a clear advantage for duplication of this information at the EAP layer.
[08:04:04] Unless it's for simplicity of parsing, I can understand that.
[08:05:03] in SAML we generally didn't duplicate the message type at the binding layer
[08:05:09] Right.
[08:05:17] in terms of directionality, though, some SAML bindings can actually flow "backwards"
[08:05:29] relative to what one might expect anyway
[08:05:55] Wolfgang Beck leaves the room
[08:14:54] that is XACML
[08:15:03] sftcd leaves the room
[08:23:06] http://tools.ietf.org/agenda/80/slides/abfab-7.pptx
[08:28:57] sftcd joins the room
[08:29:49] lef.mutualauth leaves the room
[08:29:50] lef.mutualauth joins the room
[08:34:03] sftcd leaves the room
[08:34:05] sftcd joins the room
[08:36:33] sftcd leaves the room
[08:36:35] sftcd joins the room
[08:37:38] sftcd leaves the room
[08:37:45] sftcd joins the room
[08:38:49] h
[08:43:06] lef.mutualauth leaves the room
[08:47:06] so was this presented to radext or raised on that wg's list?
[08:47:14] wolfgang.beck01 joins the room
[08:49:04] did you hear that?
[08:50:06] slide #? was at dinner
[08:50:33] lukeh: "A single PKI for ABFAB deployments?"
[08:50:50] 13
[08:55:17] Not presented to radext, do you think it would be useful there?
[08:55:31] note that radsec (radius over tls) definitely has been discussed there.
[08:57:08] I think if you're proposing to do key mgmt for radius (how I read this) then that needs to be discussed there, at minimum, before going anywhere
[08:57:38] The key mgmt for radius is clearly in abfab's charter provided that we don't need to change radius to do it.
[08:57:59] So, while I agree discussing it there would be fine if they are interested, I don't agree it's blocking.
[08:58:09] The trust router is not clearly in our charter.
[08:58:27] we may disagree on that, not saying we do at this point but needs clarification
[08:58:39] I can make an argument that it fits, but it's not as strong as the argument for AAA key management
[08:59:50] for the record, the charter text that we're talking about here is this: Concerns have been raised that additional work is required in keying AAA associations in a federated environment. The working group is chartered to explore these concerns and if needed, specify protocols that use existing AAA key management mechanisms to address these concerns.
[08:59:53] I think sending mail to radext and soliciting comments as we're deciding whether to adopt would be a really good idea
[09:15:06] I should not have read this mail from Josh during the meeting.
[09:15:29] I did mean to burst out in uncontrollable laughter, it is unrelated to the wg.
[09:18:03] sftcd leaves the room
[09:18:34] sftcd joins the room
[09:21:17] barryleiba leaves the room
[09:23:17] ?
[09:23:18] semery leaves the room: Disconnected
[09:25:53] that won't be a problem, of course
[09:27:24] lel leaves the room
[09:27:25] jimsch leaves the room
[09:28:11] wolfgang.beck01 leaves the room
[09:28:41] Satoru Kanno leaves the room
[09:29:41] eburger leaves the room
[09:30:10] buckeyeskeeve leaves the room
[09:30:16] stpeter leaves the room: Disconnected: connection closed
[09:30:49] Klaas Wierenga joins the room
[09:33:11] Rhys leaves the room
[09:33:24] hartmans leaves the room
[09:34:56] alejandro.perez.mendez leaves the room
[09:35:34] lukeh leaves the room
[09:37:54] Josh Howlett leaves the room
[09:39:27] Josh Howlett joins the room
[09:39:31] Linus Nordberg leaves the room
[09:40:04] Gabriel Lopez leaves the room
[09:41:34] sftcd leaves the room
[09:43:47] Josh Howlett leaves the room
[09:44:52] rafa.marinlopez leaves the room
[09:45:34] Melinda leaves the room
[09:48:26] Klaas Wierenga leaves the room
[09:50:15] sftcd joins the room
[09:57:24] leifj leaves the room
[09:58:44] sftcd leaves the room: offline
[10:04:57] lukeh joins the room
[10:26:18] lukeh leaves the room
[10:58:45] semery joins the room
[10:59:00] semery leaves the room
[11:04:40] stpeter joins the room
[11:07:51] wolfgang.beck01 joins the room
[11:08:00] wolfgang.beck01 leaves the room
[11:13:33] leifj joins the room
[11:17:30] Josh Howlett joins the room
[11:31:43] Klaas Wierenga joins the room
[11:52:21] leifj leaves the room
[12:23:45] Josh Howlett leaves the room
[13:22:50] stpeter leaves the room
[13:36:25] Melinda joins the room
[14:01:52] Melinda leaves the room
[14:56:29] jhutz@jis.mit.edu/owl leaves the room
[15:34:33] Hugh_Daniel leaves the room
[16:45:02] Klaas Wierenga leaves the room