VidMid VC Conference Call May 17th, 2004
Nadim-El Khoury, UNC
Tyler Johnson, UNC
Jill Gemmill, UAB
Paul Hill, MIT
Jeanette Fielden, Internet2
Lisa Hogeboom, Internet2
Steve Olshansky, Internet2
Jonathon Tyman, Internet2
Tyler indicated that there was feedback from the submissions to the ITU Study Group 16 on federated secure Internet conferencing. It was considered an interesting contribution with a useful architecture, and that next generation multimedia applications could benefit from federations. They accepted it as a new work item with Tyler as the editor.
There were comments that there may be other scenarios than those in the contribution. Interest was also expressed in working with IETF SIP for the federated approach, as well as liaising with other interested groups. Federated authentication alone would not be sufficient across federated domains; federated authorization should be investigated too. It was not clear whether federated authentication is endpoint agnostic, or whether device-based authentication would be out of scope.
One comment was: they weren’t sure of the relationship of the submission to work in the IETF by Jon Peterson and Doug Sicker in the Sipping working group. Jill asked if there was a date when a new draft from the Sipping group would be available. A new version is in the works but when it will be released was not known.
Tyler’s understanding of the previous draft was that it looks at federation within SIP and is authorization focused. Nadim indicated that the H.323 approach comes down to authorization as well. Many vendors are doing things in their own way as well.
Jill stated the authorization attribute in H.350 is used for authorization, but it is a service provider level authorization, which makes it limited. If UNC is hosting a conference on an MCU and you call into it, the decision to admit someone to the call is made at UNC, so attributes from another place may not be meaningful. There is an external authorization, so Shibboleth can deliver these attributes. However, it is protocol specific: where it gets delivered, in what format, and how it gets handled.
The concept of federation enables doing the authentication locally (at the user's home institution) and then making the authorization decision at the resource. There are two models. One is the Shibboleth model, where the user's origin (home identity provider) supplies attributes about the user to the resource. The other is the Liberty Alliance model, where the system provides enough identifying information that the resource's local attribute store can be used to decide authorization. Both Liberty Alliance and Shibboleth are working to converge on SAML 2.0, one goal being to make them interoperable.
Scenario for Multi-point Conferencing
Nadim felt it would be more effective to talk about one scenario that identifies critical issues rather than trying to look at a large number of scenarios.
A scenario for consideration: Is a user allowed to use an MCU, and if so, how would authorization work? Are there scenarios where each institution maintains its own attribute store? Do those attribute stores need to be synchronized? It would be in the interest of vendors to standardize attributes by application for efficiency, though attributes might vary by contract.
Would we want to say this resource is available to any student at an Internet2
In terms of videoconferencing, the policy might be stated as: at all of these schools, anyone who is a registered student should be able to access this material.
A call with invitees is more focused. Information for that would not be populated out into all the participating institutions' directory services. The information would be held by whoever sets up the conference call, though being able to look up membership through a directory would be extremely useful.
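As an added illustration of the two admission patterns described above (a resource open to a given affiliation at any federation member, versus an explicit invitee list), and not code from these minutes or from Shibboleth, Liberty Alliance, or any vendor named here: a toy MCU admission check in Python. The home institution authenticates the user and releases Shibboleth-style scoped attributes; the MCU makes the authorization decision locally, as the minutes describe UNC doing for a conference it hosts. The entity IDs, scopes, attribute names, and policy contents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed federation metadata (hypothetical entity IDs and scopes):
# the identity providers this MCU trusts, and the identifier scope each
# one is permitted to assert.
FEDERATION_IDPS: Dict[str, str] = {
    "https://idp.unc.example/shibboleth": "unc.example",
    "https://idp.uab.example/shibboleth": "uab.example",
    "https://idp.mit.example/shibboleth": "mit.example",
}


@dataclass(frozen=True)
class Assertion:
    """Attributes delivered after the user authenticated at the home IdP."""
    issuer: str                          # entity ID of the asserting IdP
    principal: str                       # eduPersonPrincipalName, user@scope
    scoped_affiliations: FrozenSet[str]  # eduPersonScopedAffiliation values


@dataclass(frozen=True)
class ConferencePolicy:
    """Admission policy held by whoever set up the conference on the MCU."""
    open_to_affiliations: FrozenSet[str] = frozenset()  # e.g. {"student"}
    invitees: FrozenSet[str] = frozenset()              # principals


def _split_scope(value: str) -> Tuple[str, str]:
    """Split 'name@scope' into (name, scope); scope is '' if absent."""
    name, _, scope = value.rpartition("@")
    return name, scope


def admit(assertion: Assertion, policy: ConferencePolicy,
          idps: Dict[str, str] = FEDERATION_IDPS) -> Tuple[bool, str]:
    """Local authorization decision at the MCU: returns (admitted, reason)."""
    expected_scope = idps.get(assertion.issuer)
    if expected_scope is None:
        return False, "issuer is not a federation member"

    # An IdP may only speak for identifiers in its own scope. Without this
    # check one member could assert that its user is a student elsewhere.
    _, principal_scope = _split_scope(assertion.principal)
    if principal_scope != expected_scope:
        return False, "principal scope does not match issuer"

    # Invite list: held by the conference organizer, not the federation.
    if assertion.principal in policy.invitees:
        return True, "invited participant"

    # Open-to-affiliation: any federation member's students, for instance.
    for value in assertion.scoped_affiliations:
        affiliation, scope = _split_scope(value)
        if scope != expected_scope:
            continue  # out-of-scope attribute: ignore, it is not this IdP's
        if affiliation in policy.open_to_affiliations:
            return True, f"{affiliation} at {scope}"

    return False, "no matching policy"


if __name__ == "__main__":
    students_only = ConferencePolicy(open_to_affiliations=frozenset({"student"}))
    alice = Assertion("https://idp.unc.example/shibboleth", "alice@unc.example",
                      frozenset({"student@unc.example"}))
    print(admit(alice, students_only))
```

The scope check is the part a practitioner should not leave out: in the Shibboleth model the MCU trusts each home IdP for its own users only, so an affiliation value whose scope does not match the asserting IdP is discarded rather than honored. The invitee path needs no attributes at all beyond the authenticated principal, which is why that information can live with the organizer instead of in every institution's directory.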
One consideration is: Is there a good place to hook into this concept in both Liberty Alliance and Shibboleth, or will we have to add one more abstraction layer for videoconferencing so we can leverage things like Liberty and Shibboleth?
The ITU asked for additional scenarios without specifying what they are. It would be good to develop scenarios that look at the commercial world as well as the academic. It should be made clear which market a scenario is aimed at.
Nadim felt that the document was not solution oriented and was more a wish list to give vendors. The structure should read more like a standard, and text is needed that more concretely shows the areas that will fail if vendors don’t incorporate compatibility layers.
Firewall/NAT traversal discussion
There are several proposals in the ITU for addressing firewall/NAT traversal. A number of them rely on address manipulation, proxies, and application level gateways, all of which break when the call signaling is encrypted, since the middlebox can no longer read or rewrite the addresses carried in it. Rather than trying to develop an architecture, a liaison statement might be written outlining the middleware issues associated with firewall/NAT traversal.
Jill is attending the IMTC meeting this week and believes there is interest in addressing the issue.
Tandberg is also interested in firewalls and federations.
NIST VoIP Document
The concern is that the architecture it describes is not the optimal one and may be an obstacle to a federated approach down the road.
Due to the Memorial Day holiday the next call will be June 14th 2004.