*VidMid-VC-AuthN/Z Conference Call*
May 28, 2002
*Participants*
Ken Klingenstein -- Colorado/Internet2 (chair)
Tom Barton -- Memphis
Samir Chatterjee -- CGU
Nadim El-Khoury -- UNC
Lisa Hogeboom -- Internet2
Eric Neilson -- Sylantro
Steve Olshansky -- Internet2
Ann West -- Internet2
Mary Fran Yafchak -- SURA
Nate Klingenstein -- Internet2 (scribe)
*Discussion*
- web-based services -
Doug suggested that an end-to-end authentication system be built that is entirely web-based so that "you don't have to tinker with anything." A persistent problem that had faced the group was handling some of the older videoconferencing boxes, which had very little user interface or back-end ability to perform authentication or authorization. Another challenge had been trying to wedge authentication and authorization tokens and credentials into the legacy H.323 and SIP protocols, which is an extremely difficult problem.
A workaround was proposed which would be completely independent of the underlying call and protocols. The system developed would be essentially a web-based authenticated resource discovery system. The flows from a user's standpoint would be essentially as follows: Alice authenticates to her local security domain and registers her video client at her address, while Bob does the same. Then, Alice tries to initiate a call to Bob. Bob, who has a Java applet or similar client open and listening, hears through this client that there is a caller. If he accepts, then Alice is given Bob's IP address, and Alice is free to complete the call. Then, Alice places the call using her H.323 or SIP client in ordinary fashion with no authentication or authorization taking place in the call itself.
There are several use cases the group discussed that this does not address. The considerations of preventing spam or unsolicited calls are not included in this proposal, as there is no direct link between the call itself and the authenticated resource discovery associated with it. Calls between devices rather than individual users may be handled in a roundabout way by considering the devices themselves as users for resource discovery purposes.
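The discovery flow above and the gap noted here, as an added illustration that is not part of these minutes or of any system the group built: a constructed, in-memory stand-in for the web-based authenticated resource discovery service. Domain names, passwords, the class and method names, and the 192.0.2.x addresses are all assumed for the example; the point it shows is that the callee's address is released only after the callee accepts, while the call placed afterwards carries nothing the service can link back to that exchange.

```python
import secrets

# Constructed local security domains: each knows only its own users' passwords.
DOMAINS = {"alice.example": {"alice": "pw-a"}, "bob.example": {"bob": "pw-b"}}

class DiscoveryService:
    """Web-based authenticated resource discovery, decoupled from the call itself."""
    def __init__(self):
        self.sessions = {}       # session token -> authenticated principal
        self.registrations = {}  # principal -> registered video client address
        self.pending = {}        # callee -> caller waiting for an answer
        self.released = {}       # caller -> callee address, set only after accept

    def login(self, principal, password):
        user, domain = principal.split("@")
        if DOMAINS.get(domain, {}).get(user) != password:
            raise PermissionError("authentication failed for " + principal)
        token = secrets.token_hex(16)
        self.sessions[token] = principal
        return token
    def register(self, token, address):
        self.registrations[self.sessions[token]] = address
    def initiate(self, token, callee):
        if callee not in self.registrations:
            raise LookupError(callee + " has not registered a client")
        self.pending[callee] = self.sessions[token]
    def poll(self, token):
        """What the callee's listening applet does: is anyone calling me?"""
        return self.pending.get(self.sessions[token])
    def accept(self, token):
        callee = self.sessions[token]
        caller = self.pending.pop(callee)
        self.released[caller] = self.registrations[callee]
    def lookup(self, token):
        """Caller retrieves the callee's address; None until the callee accepts."""
        return self.released.get(self.sessions[token])

def run_flow():
    svc = DiscoveryService()
    alice = svc.login("alice@alice.example", "pw-a")
    bob = svc.login("bob@bob.example", "pw-b")
    svc.register(alice, "192.0.2.10"); svc.register(bob, "192.0.2.20")
    svc.initiate(alice, "bob@bob.example")
    before = svc.lookup(alice)   # nothing released yet
    caller = svc.poll(bob)       # Bob's applet hears that Alice is calling
    svc.accept(bob)
    # Alice now dials 192.0.2.20 with her ordinary H.323/SIP client; the call
    # itself carries no token, so the service cannot tie it to this exchange.
    return before, caller, svc.lookup(alice)  # (None, 'alice@alice.example', '192.0.2.20')
```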
This component may not be an eventual part of any designed authN/Z system, but the group felt it would still provide a glimpse of what a real system could do and would be useful in generating further effort and enthusiasm for future development efforts. [AI] Steve offered to do his best at drawing up an initial flows diagram to begin discussion about the specifics of the design.