[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: Registering AuthN Identifiers with IANA
Hal Lockhart wrote: > > > JeffH noted that there IS an existing registry of what are effectively > > "authentication types". This is the IANA-based registry of > > SASL mechanisms > > located here.. > > > > http://www.iana.org/assignments/sasl-mechanisms > > [...] > the SASL registry, as it stands, is not suitable for our needs [...] > we will have to do more than wave at the SASL list. Thanks for the investigation -- I nominally agree with the conclusion. I pointed at sasl-mechanisms for two reasons.. 1. in an admittedly off-the-cuff hope that perhaps we could "just use it", rather than having to invent something similar. 2. as an extant, real-world, example of what such a registry, and it's listed identifiers, looks like. My apologies that these motivations weren't explicitly made clear in the excerpt cited above. > 1. In order to use this registry, a SASL profile must be defined for each > [mechanism] to be registered. Not exactly. A careful read of section 6 of rfc2222 reveals that one perhaps can register SASL mechanism names without a coresponding document specifying a profile of SASL in the context of some other protocol (e.g. BEEP, LDAP, ICAP, etc). It appears that NTLM, NMAS_LOGIN, and NMAS_AUTHEN are examples of such. However, the semantic connotations of such a registration are that the registered mechanism is being used in conjunction with SASL-based implementations somewhere, plus there's no definite guarantee that IANA will indeed add essentially any requested mechanism names (aka AuthnType names) to the sasl-mechanisms registry. > 2. The list leaves a lot to be desired. HTTP basic auth is not defined. > (PLAIN is conceptually similar, but not the same.) Kerberos 5 is missing > along with its cousins DCE and MS-Kerberos. In fact, there is only one > mechanism defined (NTLM) for the 4 or 5 Microsoft AuthN protocols in common > use. There is no kind of PKI, nor biometrics. Perhaps another way to put it is that we see a need to define a superset of the set listed in sasl-mechanisms. > All we want to do is a register some identifiers. Here's a suggestion for how to proceed in the near term.. A. use the syntax of SASL mechanism identifiers as the syntax of SAML AuthnType; namely: strings, from 1 to 20 characters in length, consisting of upper-case letters, digits, hyphens, and/or underscores. B. create a simple list of AuthnTypes, materialized in a text file stored in some well-known (altho likely temporary-in-the-longer-term) location (e.g. http://www.oasis-open.org/committees/security-services/docs/). Initialize the list by subsumming the list of identifiers from sasl-mechanisms. Add to the list those identifiers we feel we need in the near term. E.g.. HTTP-BASIC HTTP-DIGEST KERBEROS-V5 KERBEROS-DCE KERBEROS-MS PKI-X.509 PKI-PGP ..etc.. ..see a prototype "SAML-AuthnTypes.txt" below. ..and in the longer term (tho this can and likely should actually be occuring in parallel to the above) .. C. Write an Internet-Draft (I-D) defining a "SAML Authentication Type Identifiers Registry" and specifying that IANA manage it. Incorporate the list from (B) into the new list. Specify in the I-D how the list is to be maintained -- e.g. how updates to it are submitted & vetted (e.g. http://www.ietf.org/rfc/rfc2434.txt details the stuff that needs to be considered here). Work in the IETF context to refine the I-D and have it issued as an RFC (as Informational?) and thus have IANA create & maintain the registry. Then migrate usage of the list created in (B) to the list created in (C). It's worthwhile to note that if we (SSTC), and OASIS overall, don't make use of IANA for such purposes, we'll have to spend time re-inventing arguably quite similar processes and documents (e.g. rfc2434). JeffH ----- > (As a final note, I noticed that the URL given in RFC2222 is no longer > valid. The one given above is correct.) Sigh. The URL in rfc2222 is.. ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-mechanisms/ ^ | Note the trailing slash -------------------------------------+ Some IANA person likely made a mistake when they migrated the IANA repository to being http-based. The above URL *without the trailing slash* resolves to a file that indeed specifies the new, currently correct http-based URL for sasl-mechanisms. I've pointed this out to the IANA folk, fwiw. ----- SAML-AuthnTypes.txt: SAML Authentication Type (AuthnType) Identifiers ------------------------------------------------ <introductory text here> SAML AuthnTypes are identified by strings, from 1 to 20 characters in length, consisting of upper-case letters, digits, hyphens, and/or underscores. NOTE: This list of AuthnTypes is a superset of those listed in.. http://www.iana.org/assignments/sasl-mechanisms At the time of last updating of this file, the sasl-mechanisms list consisted of these identifiers: KERBEROS_V4, GSSAPI, SKEY (OBSOLETE), EXTERNAL, CRAM-MD5, ANONYMOUS, OTP, GSS-SPNEGO, PLAIN, SECURID, NTLM, NMAS_LOGIN, NMAS_AUTHEN, DIGEST-MD5 SAML AuthnTypes OWNER REFERENCE ---------- ----- --------- [sasl-mechanisms] [sasl-mechanisms] HTTP-BASIC [SAML SPEC] HTTP-DIGEST [SAML SPEC] KERBEROS-V5 [SAML SPEC] KERBEROS-DCE [SAML SPEC] KERBEROS-MS [SAML SPEC] PKI-X.509 [SAML SPEC] PKI-PGP [SAML SPEC] References ---------- [SAML SPEC] <URL pointing to SAML spec> [sasl-mechanisms] http://www.iana.org/assignments/sasl-mechanisms (last updated 13-Jul-2001) ----- end
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC