[We're also going to send this out to the OASIS SSTC chairs; they are
aware of our work, but obviously need to review this charter.]

Here's a straw man charter to get discussions of the charter started.
We'll submit whatever the current version is with our formal BOF request
early next week, but obviously, there is a lot of time to revise and
refine the charter before the proposal goes for review within the IESG
and IAB.

fedauth - Federated Authentication Beyond The Web

Description of Working Group:

Many technologies provide web federation or the ability for users from
one organization to access web services and sites offered by other
organizations.  These web federation technologies include OpenID,
Security Assertion Markup Language (SAML), OAuth, Information Cards and
others.  Web federation technologies typically provide some combination
of authentication, authorization and personalization services.

Based on experience with these technologies, users and organizations
would like to gain federated access to other applications such as IMAP,
XMPP, SSH, NFS and a variety of non-IETF protocols. This working group
is chartered to develop a solution to these problems .

In particular, one user community has come forward with requirements to
support SAML as a mechanism for managing authentication and
authorisation for non-web applications for both user and service
principals, such that a common mechanism can be used for both
user-to-service and service-to-service use cases. This working group will develop a solution using
the Extensible Authentication Protocol (RFC 3748), the Generic Security
Services Application Protocol Interface (GSS-API) (RFC 2743), SAML and
AAA protocols (such as RADIUS and Diameter) to provide federated
access to non-web applications.  The solution should address security
threats posed by phishing and other attacks against web authentication
systems.  It is desirable for the components of this system to be
reusable in other environments.  For example it would be desirable to be
able to extend the solution to support another authorization mechanism
besides SAML.

This work will require close coordination with
work going on in the OASIS Security Services Technical Committee
(SSTC).  There should be sufficient overlapping participation between
the SSTC and this working group for informal coordination.  The chairs
of this working group may work with the SSTC chairs in case formal
coordination is required.

The solution will be based on draft-howlett-eap-gss-00 and XXX Josh's
RADIUS attributes draft.  Through the normal consensus process the
working group can make changes from this starting point.

In addition, the working group will explore the usability and user
interface issues associated with federated authentication. The work is
not chartered to standardize protocols or recommend best current
practice in the area of usability. The working group should explore the
area and write informational documents describing the issues and
recommending appropriate work for the IETF in this area.

The deliverables of the working group are:

* An update to the EAP applicability statement in RFC 3748 describing
  the applicability of EAP to application authentication and placing
  appropriate requirements on this new EAP use case

* A standards track solution for using EAP methods to provide
  authentication within the GSS-API
* A standards-track protocol for carrying SAML messages in RADIUS

* A standards-track description of GSS names and name attributes
  required by the solution

* Informational descriptions of usability and user-interface concerns
  related to this work

* A protocol to use federated authentication to establish shared keys between AAAA endpoints