IETF 78

Maastricht

27 July 2010

Josh Howlett, JANET(UK)

Background Rapid development of trust and identity infrastructure

and services Campus:

LDAP & IdM, 802.1X, EAP, RADIUS, X.509, SAML, Kerberos… National:

JANET Certificate Service (X.509) JANET Roaming Service (AAA / EAP / 802.1X) (eduroam) UK Access Management Federation (SAML).

International: eduroam eduGAIN Grid

Increasingly complex technical landscape. Increasingly demanding user requirements.

Project Moonshot in a slide• Phase 1-3 (Jan Mar 2010)

• Independent technical Feasibility Analysis.• EAP GSS and other initial drafts (IETF & OASIS).• Bar BoF @ IETF 77.

• Phase 4 (April May 2010)• Draft of project plan.• Request BoF @ IETF 78.

• Phase 5 (June July 2010)• Detailed project plan.• Prepare for BoF @ IETF 78.

• Phase 6 (August 2010 August 2011)• http://www.project-moonshot.org/plan

Technology choices

• SAML provides authorisation and attributes.

• GSS-API mechanism for application integration.

• EAP authentication encapsulated in GSS-API to gain existing credential support.

• RADIUS transport provides federation.

Supplicant

EAP lowerLayer(e.g.,

802.11i)

AAA

EAP lowerLayer(e.g.,

802.11i)

AAA

EAP server

Peer Authenticator EAP server

Network access

EAP method

EAP

MSK

EAP MSK

Supplicant

AAA AAA

EAP server

Client Server EAP server

GSS-API

Clientapplication

GSS-API

Serverapplication

Moonshot: non-Web SSOEA

P M

SK

EAP MSK

Supplicant

AAA AAA

EAP server

Client Server EAP server

GSS-API

Clientapplication

GSS-API

Serverapplication

Moonshot: non-Web SSO

• draft-howlett-radiussaml-attr• sstc-saml-binding-aaa-draft

• draft-howlett-eap-gss• draft-hartman-gss-eap-naming

• IETF architecture document •sstc-saml-eapgss-sso-draft

Project Moonshot Goals• Standardised technical architecture.

• Production-quality open-source implementation.

• Packaged and shipped with Debian Linux.

• A test-bed for interoperability testing.

• High quality documentation.

• An active community of users and developers.

Discuss!