IETF middleware highlights Leif Johansson SWAMI.se
IETF
● Internet Engineering Task Force
● Internet-Drafts turn into RFCs by magic
NEA Patches? We don't need no stinkin' patches!
NEA
● Network Endpoint Assessment
– Network Admission Control (NAC)
– Trusted Network Connect (TNC)
– Network Access Protection (NAP)
● Send host patch status to a PDP (policy decision point), which decides whether you get bits...
● Abstract protocol (most likely) with (primarily) EAP bindings
NEA problems
● Lying clients
● Unclear problem statement
● What about IDSes or anti-virus software?
● Federated EAP
– Home institution does NEA policy evaluation
– SP should probably have a say on whether to allow the client to connect...
NEA & EduRoam
● NEA clients will probably conflict with 3rd-party EAP clients
– Tough luck...
● NEA may not understand federations
– Probably fixable (if NEA is chartered)
EMU Billions and billions of mechanisms...
EMU
● EAP-TLS to standards track
– ... won't affect Vista though :-(
● Additional mechanisms
– Strong shared-secret
– Password-based
SAML And SAML shall inherit the protocol stack...
Worth noticing...
● draft-housley-tls-authz-extns-07.txt
● krb-wg
– anonymity
– PADATA authz data (cf. Active Directory)
● dix
– self-asserted identity SAML profile?
● SIP SAML profile
– draft-ietf-sip-saml-00.txt
WAE We got your phish right here...
WAE (BOF)
● Web Authentication Enhancements
– The ”Elliot's dad” problem
– Phishing protection (i.e. service authentication)
– Even more SAML
– DIX
● openid
● yars
● dixs
– ”I own my blog” authentication
Channel Bindings Layering violations for fun and profit!
Channel Bindings
● Layering violations for fun and profit
● Originated in NFSv4 & IP storage
– Reuse of secure channels
– Making ”let's just use IPsec” kosher
● BTNS (Better Than Nothing Security)
– leap-of-faith
– ssh semantics
Channel examples
● IPsec + GSSAPI
● TLS + Digest-MD5
● HTTPS + Negotiate
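Worked example of what the channel-binding slides describe, added here as illustration (it is not code from the slides or from any IETF working group): an inner authentication mechanism (stand-in for GSSAPI, Digest-MD5 or Negotiate) that mixes a binding to the outer secure channel into its proof of possession. The binding used is the RFC 5929 "tls-server-end-point" form, a hash of the server's end-entity certificate. The certificate bytes, the shared key and the SHA-256 choice are constructed assumptions for the demo; a real implementation takes the hash from the certificate's signature algorithm and the key from Kerberos or a password derivation. The point it shows is the one the slides make: with the binding in place, relaying the inner authentication through an attacker who terminates the outer channel fails, whereas the same inner mechanism without the binding relays fine.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded server certificates (not real X.509).
SERVER_CERT = b"-- constructed DER: CN=files.example.org --"
MITM_CERT = b"-- constructed DER: CN=mitm.example.net --"

# Assumed long-term secret shared by client and real server (in practice a
# Kerberos session key or a password-derived key inside the SASL/GSS mechanism).
SHARED_KEY = b"constructed-shared-secret"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' channel binding data.

    The binding is the hash of the server certificate as seen on the TLS
    channel. SHA-256 is assumed here; real code picks the hash named by the
    certificate's signature algorithm (with SHA-1/MD5 upgraded to SHA-256).
    """
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def client_proof(key: bytes, cert_seen: bytes, nonce: bytes, bound: bool) -> bytes:
    """Client side of the inner mechanism: a MAC over the server's nonce.

    With bound=True the channel-binding data is mixed in, so the proof is only
    valid on the specific TLS channel the client actually authenticated over.
    """
    cb = tls_server_end_point(cert_seen) if bound else b""
    return hmac.new(key, cb + nonce, hashlib.sha256).digest()


def server_verify(key: bytes, own_cert: bytes, nonce: bytes, proof: bytes, bound: bool) -> bool:
    """Server side: recompute the proof from its own certificate and compare."""
    cb = tls_server_end_point(own_cert) if bound else b""
    expected = hmac.new(key, cb + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def run_exchange(cert_seen_by_client: bytes, bound: bool, nonce: bytes = b"server-nonce-1") -> bool:
    """Run one inner authentication.

    cert_seen_by_client is whatever certificate the client's TLS session
    ended at; the real server always holds SERVER_CERT. In the relay case
    the attacker forwards the inner mechanism's bytes unchanged.
    """
    proof = client_proof(SHARED_KEY, cert_seen_by_client, nonce, bound)
    return server_verify(SHARED_KEY, SERVER_CERT, nonce, proof, bound)


def direct_bound() -> bool:
    """Honest client talking straight to the real server: accepted."""
    return run_exchange(SERVER_CERT, bound=True)


def relayed_bound() -> bool:
    """Client's TLS ends at the attacker's cert; inner auth relayed: rejected."""
    return run_exchange(MITM_CERT, bound=True)


def relayed_unbound() -> bool:
    """Same relay, inner mechanism ignores the channel: the relay succeeds.

    This is the layering gap channel bindings exist to close.
    """
    return run_exchange(MITM_CERT, bound=False)


if __name__ == "__main__":
    print("direct, bound     :", direct_bound())      # True
    print("relayed, bound    :", relayed_bound())     # False
    print("relayed, unbound  :", relayed_unbound())   # True
```

The same shape applies to the other slide examples: GSSAPI carries the binding in its channel-bindings structure and Negotiate over HTTPS inherits it from there; for IPsec the binding data has to be derived from the SA rather than a certificate, which is part of why "reuse of secure channels" needed work in the first place. Note the example binds to the server certificate, so it only defeats a relay that presents a different certificate; an attacker holding the real server's key and certificate is outside what this binding type can detect.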
Q?
Recommend
More recommend