IETF 78
Maastricht
27 July 2010
Josh Howlett, JANET(UK)
Background
Rapid development of trust and identity infrastructure and services.
• Campus: LDAP & IdM, 802.1X, EAP, RADIUS, X.509, SAML, Kerberos…
• National: JANET Certificate Service (X.509), JANET Roaming Service (AAA / EAP / 802.1X) (eduroam), UK Access Management Federation (SAML).
• International: eduroam, eduGAIN, Grid.
Increasingly complex technical landscape. Increasingly demanding user requirements.
Project Moonshot in a slide
• Phase 1-3 (Jan-Mar 2010)
  • Independent technical Feasibility Analysis.
  • EAP GSS and other initial drafts (IETF & OASIS).
  • Bar BoF @ IETF 77.
• Phase 4 (April-May 2010)
  • Draft of project plan.
  • Request BoF @ IETF 78.
• Phase 5 (June-July 2010)
  • Detailed project plan.
  • Prepare for BoF @ IETF 78.
• Phase 6 (August 2010-August 2011)
  • http://www.project-moonshot.org/plan
Technology choices
• SAML provides authorisation and attributes.
• GSS-API mechanism for application integration.
• EAP authentication encapsulated in GSS-API to gain existing credential support.
• RADIUS transport provides federation.
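The "RADIUS transport provides federation" choice means the EAP exchange started inside the GSS-API context is relayed from the application server's AAA client to the user's home EAP server as RADIUS EAP-Message attributes. The following is an added example, not code from the Moonshot project, showing the standard RFC 3748/RFC 3579 framing that leg relies on: fragmenting an EAP packet into EAP-Message attributes of at most 253 octets and reassembling it on receipt. It does not show the GSS-API token framing of draft-howlett-eap-gss, and the sample identity and payload are constructed.

```python
import struct

# EAP codes and types (RFC 3748); RADIUS EAP-Message attribute type (RFC 3579)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79
# The one-octet RADIUS attribute Length covers its 2-octet header, so a value is at most 253 octets
MAX_EAP_MESSAGE_VALUE = 253

def build_eap_packet(code, identifier, eap_type, type_data):
    """Encode an EAP Request/Response: Code | Identifier | Length | Type | Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data

def parse_eap_header(packet):
    """Return (code, identifier, length, type) after checking the declared Length matches."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, length, eap_type

def eap_to_radius_attrs(eap_packet):
    """Fragment an EAP packet into consecutive EAP-Message attributes (Type | Length | Value)."""
    attrs = b""
    for off in range(0, len(eap_packet), MAX_EAP_MESSAGE_VALUE):
        chunk = eap_packet[off:off + MAX_EAP_MESSAGE_VALUE]
        attrs += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    # A real Access-Request/Challenge carrying EAP-Message must also carry a
    # Message-Authenticator attribute (RFC 3579 s.3.2); that HMAC is not computed here.
    return attrs

def radius_attrs_to_eap(attrs):
    """Walk a RADIUS attribute list and concatenate EAP-Message values in order of appearance."""
    eap, off = b"", 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            eap += attrs[off + 2:off + alen]
        off += alen
    parse_eap_header(eap)  # rejects an incomplete or inconsistent reassembly
    return eap
```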
[Figure: Network access. Peer: Supplicant over EAP lower layer (e.g., 802.11i); Authenticator: EAP lower layer and AAA; EAP server: AAA and EAP server. Stack labels: EAP method, EAP, MSK.]
[Figure: Moonshot: non-Web SSO. Client: Client application over GSS-API and Supplicant; Server: Server application over GSS-API and AAA; EAP server: AAA and EAP server. Labels: EAP, EAP MSK.]
• draft-howlett-radiussaml-attr
• sstc-saml-binding-aaa-draft
• draft-howlett-eap-gss
• draft-hartman-gss-eap-naming
• IETF architecture document
• sstc-saml-eapgss-sso-draft
Project Moonshot Goals
• Standardised technical architecture.
• Production-quality open-source implementation.
• Packaged and shipped with Debian Linux.
• A test-bed for interoperability testing.
• High quality documentation.
• An active community of users and developers.
Discuss!