IETF Logo Mail Archive

Re: review of draft-wierenga-ietf-sasl-saml-00

Klaas Wierenga <klaas@cisco.com> Wed, 26 May 2010 15:42 UTC

Return-Path: <klaas@cisco.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A45963A659A for <kitten@core3.amsl.com>; Wed, 26 May 2010 08:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.43
X-Spam-Level:
X-Spam-Status: No, score=-4.43 tagged_above=-999 required=5 tests=[AWL=-1.831, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id on-iNjGLyyIg for <kitten@core3.amsl.com>; Wed, 26 May 2010 08:42:13 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by core3.amsl.com (Postfix) with ESMTP id 3C4093A66B4 for <kitten@ietf.org>; Wed, 26 May 2010 08:42:13 -0700 (PDT)
Authentication-Results: ams-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao0BAHXe/EuQ/uCWe2dsb2JhbACeHRUBARYiBhyoCZoAglqCOQSPUw
X-IronPort-AV: E=Sophos;i="4.53,304,1272844800"; d="scan'208";a="7835152"
Received: from ams-core-1.cisco.com ([144.254.224.150]) by ams-iport-2.cisco.com with ESMTP; 26 May 2010 15:03:00 +0000
Received: from macmini.wierenga.net (ams-kwiereng-8711.cisco.com [10.55.220.242]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o4QFg3ps019581; Wed, 26 May 2010 15:42:03 GMT
Message-ID: <4BFD414A.7070002@cisco.com>
Date: Wed, 26 May 2010 17:42:02 +0200
From: Klaas Wierenga <klaas@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Scott Cantor <cantor.2@osu.edu>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
References: <tslzkzn67n5.fsf@mit.edu> <077001cafc4b$603f0510$20bd0f30$@osu.edu> <4BFD2ECE.5020600@cisco.com> <07e801cafce5$4cf7f7b0$e6e7e710$@osu.edu>
In-Reply-To: <07e801cafce5$4cf7f7b0$e6e7e710$@osu.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: kitten@ietf.org, moonshot-community@jiscmail.ac.uk, 'Sam Hartman' <hartmans-ietf@mit.edu>, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 15:42:14 -0000

On 5/26/10 5:08 PM, Scott Cantor wrote:
>> I am assuming you refer to the ECP profile. How different would this be
>> from the SASL point of view? I.e. what difference would it make on the
>> "SASL wire"?
>
> Significantly different from yours, since there's no empty response and no
> callback communication between the SP and the IdP, but I believe it can be
> compatible with SAML ECP on the IdP side, and is essentially a direct
> mapping from using HTTP as a "container" for the SP/client SOAP envelopes to
> using the SASL messages.

right, but that than comes at the expense of more complex SASL 
interaction, i.e. you are going to send the AuthenticationStatement as a 
response to the AuthentionRequest challenge over SASL, right?

>
> It suffers the same MITM issues that Sam mentioned, since that's what
> happens if you punt that to TLS without any channel bindings. I'm not in a
> position to address that without help, I just believe there's a better
> non-web flow here. It also creates a much more flexible field for phishing
> to be addressed, since the client/IdP exchange is not a browser and a web
> site.
>
> The only issue to address in translating the profile over to SASL is the
> fact that in a non-web case there's no real "responseURL" involved, which is
> something that's baked into the standard ECP profile, but I think it can be
> "emulated" with no particular effort in the interest of compatibility, or
> removed at the cost of same.
>
>> There is no compelling argument other than that this is the way it is
>> done in most identity federations today and I wanted to stay as close as
>> possible to today's implementations and not fall into the trap of trying
>> to introduce something new and at the same time try to fix all other
>> problems in the world.
>
> This makes sense if you're remaining compatible with something people *want*
> to deal with, but IdP discovery is the last thing anybody operating an SP
> *wants* to deal with. It's a gigantic usability problem, and arguably the
> biggest reason why federation has scaling issues.

ok, fair point

>
> Anyway, it's on me to produce the draft, which I've started on (using yours
> as a starting point, which I hope is ok).

obviously! Looking forward to the draft.

Klaas

v2.23.0 | Report a Bug | By Email