IETF Logo Mail Archive

Re: [kitten] comments on draft-ietf-kitten-sasl-saml-ec

"Cantor, Scott" <cantor.2@osu.edu> Mon, 10 March 2014 20:27 UTC

Return-Path: <cantor.2@osu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D634E1A024B for <kitten@ietfa.amsl.com>; Mon, 10 Mar 2014 13:27:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnB0yHHqmaQE for <kitten@ietfa.amsl.com>; Mon, 10 Mar 2014 13:27:25 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe002.messaging.microsoft.com [216.32.180.12]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2431A04BC for <kitten@ietf.org>; Mon, 10 Mar 2014 13:27:24 -0700 (PDT)
Received: from mail229-va3-R.bigfish.com (10.7.14.247) by VA3EHSOBE010.bigfish.com (10.7.40.12) with Microsoft SMTP Server id 14.1.225.22; Mon, 10 Mar 2014 20:27:19 +0000
Received: from mail229-va3 (localhost [127.0.0.1]) by mail229-va3-R.bigfish.com (Postfix) with ESMTP id 79FD2B6012B; Mon, 10 Mar 2014 20:27:18 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.222; KIP:(null); UIP:(null); IPV:NLI; H:cio-tnc-pf08; RD:none; EFVD:NLI
X-SpamScore: 3
X-BigFish: VPS3(zzbb2dI98dI9371I1432Izz1f42h1d77h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzd9hz1de098h1de097hz2fh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h2216h22d0h2336h2438h2461h2476h2487h24d7h2516h2545h255eh25cch25f6h2605h1b1cn1b1bi1155h)
Received-SPF: pass (mail229-va3: domain of osu.edu designates 164.107.81.222 as permitted sender) client-ip=164.107.81.222; envelope-from=cantor.2@osu.edu; helo=cio-tnc-pf08 ; cio-tnc-pf08 ;
Received: from mail229-va3 (localhost.localdomain [127.0.0.1]) by mail229-va3 (MessageSwitch) id 1394483236169057_10101; Mon, 10 Mar 2014 20:27:16 +0000 (UTC)
Received: from VA3EHSMHS003.bigfish.com (unknown [10.7.14.232]) by mail229-va3.bigfish.com (Postfix) with ESMTP id 245DF340051; Mon, 10 Mar 2014 20:27:16 +0000 (UTC)
Received: from cio-tnc-pf08 (164.107.81.222) by VA3EHSMHS003.bigfish.com (10.7.99.13) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 10 Mar 2014 20:27:13 +0000
Received: from CIO-KRC-HT02.osuad.osu.edu (localhost [127.0.0.1]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by cio-tnc-pf08 (Postfix) with ESMTPS id 6E0462E0079; Mon, 10 Mar 2014 16:27:11 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT02.osuad.osu.edu ([fe80::8554:1787:2a7:72c9%12]) with mapi id 14.03.0174.001; Mon, 10 Mar 2014 16:27:11 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] comments on draft-ietf-kitten-sasl-saml-ec
Thread-Index: AQHPPJGI5mV+TEdtgEiWvASeMKVPmZra1dwA
Date: Mon, 10 Mar 2014 20:27:10 +0000
Message-ID: <CF439102.4B49C%cantor.2@osu.edu>
References: <tsllhwhq46t.fsf@mit.edu>
In-Reply-To: <tsllhwhq46t.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [128.146.178.26]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <89CD4B6338700D418C65FE277500B290@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/57gf9xbAZR2Df_3wUx6Xv_5SgoI
Subject: Re: [kitten] comments on draft-ietf-kitten-sasl-saml-ec
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 20:27:29 -0000

On 3/10/14, 2:49 PM, "Sam Hartman" <hartmans-ietf@mit.edu> wrote:

>I've reviewed the SAML EC draft.
>It was easy to read, and I appreciate the work that has gone into it.
>I would prefer to wait  for responses to these comments prior to issuing
>a WG LC.

Thank you for the review. Given the extensive comments, it's likely to
take me a little time to make changes since I'm not formally allocated any
time to work on this at the moment by my project.

Some responses at least....

>Section 1:
>
>A reference to the discovery/WAYF problem would be desirable but is not
>required.

I'm not sure any formal reference exists, other than perhaps to the actual
SAML profiles that (poorly) address it in the case of a browser.

>Section 3:
>In this mechanism, the client does not send the response to the RP at a
>location of the IDP's choosing but instead sends to a location of the
>client's choosing through SASL.
>What are the implications of this?
>
>I guess one is the attack Jim brought up and we discussed in ABFAB.

Yes, there is essentially a MITM issue if channel binding isn't done or a
session key isn't established and used.

>In the section on interactions with the IDP, there is no
>mandatory-to-implement mechanism specified for finding an IDP.  I'd
>appreciate comments from the WG on whether this lack is a problem in
>terms of guaranteeing that two implementations of this mechanism will be
>interoperable.
>Should we require something like support for static configuration of an
>IDP?

What does ABFAB require? I don't see that asking for a domain in and of
itself makes discovery happen without more infrastructure that's
presumably out of scope there.

>Section 5:
>
>SASL has an idea of mutual authentication.
>It seems like the same checks that apply to GSS-API should apply to SASL
>mutual auth too.

I didn't think SASL had an actual indicator of mutual-auth, but if it
does, it seems like the same text is probably needed there. Otherwise I'm
not sure how to work in the text. In contrast to many of the recent
discussions, I'm very SASL illiterate and much more GSS "aware" I guess,
if not expert.

>The checks in section 5 seem inadequate.  In particular, it seems like
>it should matter what identity is used to digitally sign the request,
>and  the validity of the signature should matter.

Yes, I was leaving trust out of this, but something could be said if it's
helpful.

[snip of TLS text]
>This text places normative requirements on applications using this
>mechanism.
>That's not reasonable because applications may have no knowledge of this
>mechanism.
>What happens if these checks are not performed?

That text came from some iteration of the original wording borrowed from
the SAML/OpenID mechanisms, and was basically adapted. Isn't that same
text, or a variant, essentially what Simon is adding to GS2?

All this is saying is that if the mechanism doesn't signal mutual
authentication to the initiator, then obviously it's up to the
application. What else can you do?

>Section 5.1 seems applicable to SASL as well.

Similar question as above; is there normative machinery that can be used
in SASL to regulate and signal it? I didn't think so.

>It doesn't sound like section 5.1 provides enough guidance to provide
>interoperability between multiple implementations of delegation to me.

I could make a crack about OAuth interop here (I'll leave WS-Trust out of
it, but OAuth is IETF's responsibility), but let me just say that it's
sufficient to implement *a* SAML profile of delegation, and that's
intended to be an extenstion point in the draft that doesn't preclude
delegation while leaving the gory details out. If I were to formally
specify this, it wouldn't be here because it doesn't impact the GSS work,
it's purely a SAML spec.

>Section 5.3 is inconsistent with the claim in the introduction that no
>integrity and confidentiality layer is provided.

Will fix, the intro predates all that work being added.

>Section 5.3.  I note that this is the first time I'm aware of where
>RFC 3961 enctypes' names are used in a protocol.  I'd like explicit
>review of this from the Kerberos community.  Everything we have so far
>uses numbers.

Ok, will await decision. I don't care for numbers in a text-based
protocol, but if the strings aren't formalized, that's appropriate. I
think I did look at the registry though and came to the conclusion they
were.

>Section 5.3.1:
>
>I think encryption needs to be a MUST here.
>Even if CB is used there's no confidence that the channel provides
>confidentiality.
>Consider for example a TLS cipher without confidentiality, an IPsec
>channel for ESP-null, etc.

That's true. I can make it a MUST.

>Section 5.4: RFc 4121 has multiple keys it can use: the session key, the
>subsession key, and the acceptor subsession key.
>The text in 5.4 is insufficiently detailed for interoperability.

I'd need feedback on that, I don't have the background (and it was more or
less copied, again, from some other work).

>Section 5.6.2:
>
>1) I am not sure that the guidance here is sufficient for
>interoperability and security.

Possibly not security, but I'm not sure why it's not interoperable. In
particular, I didn't go and require any kind of remapping of service names
into URLs; that would definitely not be.

As far as what it *does* for security, it binds the eventual key(s) used
by the acceptor to specific service identities that the IdP can authorize
a signed request on, and allows many such services to be associated with
one entityID (but also allows each service to have its own, as desired).

That's not perfect (the MITM thing) but it is not nothing given that a
client is at least nominally connecting with specific protocols that may
well be expressed as part of the service name (e.g. you at least couldn't
spoof an SSH server with an HTTP/host identity) since presumably the
service name is something the client isn't totally oblivious to.

>2) This section appears to place normative requirements on the IDP even
>though   the specification claims not to place normative requirements on
>the IDP.

No new requirements. This is standard comparison logic all IdPs do for ECP
and Web SSO.

>3) This section seems to apply to SASL.

Yeah, that one does.

-- Scott

v2.23.0 | Report a Bug | By Email