Hi Bob,
RL 'Bob' Morgan wrote:
> On Tue, 25 Oct 2005, Josh Howlett wrote:
>
>> Another angle: Shibboleth offers a great model for authorisation but
>> stinks at authentication (i.e. the WAYF). Conversely, RADIUS/802.1X is
>> great at authentication, but its authorisation capabilities are
>> typically quite clunky compared to Shibb.
>
>
> This is an appealing 2x2 matrix, but I don't think it stands up under
> closer scrutiny.
<Closer scrutiny snipped>
I disagree and agree with various elements of your analysis, but I don't
want to consume large amounts of list bandwidth on a discussion that
might be construed as off-topic (or inflammatory; the word "stinks" was
pejorative and a poor choice made in haste). However, I'm happy to do
so if there's interest.
I did want to address a couple of your final, more general, points:
> In particular, when I talk to sites about 802.1x deployment, I hear that
> they are proceeding slowly because of client compatibility concerns,
> integration with backend authentication services, and in particular a
> concern about user experience.
I expect that your correspondents are reporting their experience of
Microsoft's WinXP implementation, which is limited in some respects.
This is, unfortunately, most people's initial exposure to 802.1X and it
tends to taint their impression of it. Microsoft have indicated that
Vista will have a properly integrated 802.1X implementation.
>> It's possible that a convergence of 802.1X and Shibb could allow us to
>> extract the best from both approaches.
>
>
> This is certainly true, if we can focus on what the real benefits are.
How about a single network and application cross-domain AAA infrastructure?
josh.