IETF Logo Mail Archive

Re: review of draft-wierenga-ietf-sasl-saml-00

Simon Josefsson <simon@josefsson.org> Fri, 28 May 2010 06:34 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C5BC23A67AD for <kitten@core3.amsl.com>; Thu, 27 May 2010 23:34:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1QVIw01e6yM for <kitten@core3.amsl.com>; Thu, 27 May 2010 23:34:47 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id AE0C93A6A1E for <kitten@ietf.org>; Thu, 27 May 2010 23:19:47 -0700 (PDT)
Received: from mocca (c80-216-25-148.bredband.comhem.se [80.216.25.148]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o4S6JFCu000391 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 28 May 2010 08:19:18 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Klaas Wierenga <klaas@cisco.com>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
References: <tslzkzn67n5.fsf@mit.edu> <077001cafc4b$603f0510$20bd0f30$@osu.edu> <4BFD2ECE.5020600@cisco.com> <07e801cafce5$4cf7f7b0$e6e7e710$@osu.edu> <tslvdaa4izt.fsf@mit.edu> <082501cafd03$0fe0f250$2fa2d6f0$@osu.edu> <87fx1eo2o5.fsf@mocca.josefsson.org> <4BFE8F63.5080802@cisco.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:100528:moonshot-community@jiscmail.ac.uk::W2s6GeWnB1HtutjY:3aSC
X-Hashcash: 1:22:100528:klaas@cisco.com::FJTIIyo+M08vctY7:FRwk
X-Hashcash: 1:22:100528:kitten@ietf.org::LtLE/kafvkmE+wOO:JhyD
X-Hashcash: 1:22:100528:hartmans-ietf@mit.edu::EI4k0a+5E5k5tvro:IZ5w
X-Hashcash: 1:22:100528:draft-wierenga-ietf-sasl-saml@tools.ietf.org::M8kk1iXUrCH3LTMd:m2cx
Date: Fri, 28 May 2010 08:19:16 +0200
In-Reply-To: <4BFE8F63.5080802@cisco.com> (Klaas Wierenga's message of "Thu, 27 May 2010 17:27:31 +0200")
Message-ID: <87pr0ga6qj.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: clamav-milter 0.96 at yxa-v
X-Virus-Status: Clean
Cc: kitten@ietf.org, 'Sam Hartman' <hartmans-ietf@mit.edu>, moonshot-community@jiscmail.ac.uk, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2010 06:34:48 -0000

Klaas Wierenga <klaas@cisco.com> writes:

> On 5/26/10 9:58 PM, Simon Josefsson wrote:
>
> Hi Simon,
>
>> "Scott Cantor"<cantor.2@osu.edu>  writes:
>>
>>>> Scott, I'm happy to work with you to figure out if channel binding
>>>> support is possible in your approach.
>>>
>>> I plan to take you up on it. To ease the process of comparing the
>>> approaches, I think it's easiest to produce a simple draft initially, which
>>> highlights some of the issues you mentioned, but leaves things as is for the
>>> same compatibility reasons that Klaas had. The result may be a merging of
>>> the proposals, or not.
>>>
>>> Related to this, for example, I'm in favor of supporting a way to tie the
>>> SAML assertion in the response to a key at the TLS layer (holder of key via
>>> client TLS, in other words). That's an addition to the SAML profile I'm
>>> basing this work on, which is why I'm not starting there, to simplify the
>>> compatibility story. I probably will go back to OASIS to get a HoK version
>>> of the ECP profile created, and then I can just reference it.
>>
>> I would prefer if channel bindings is done in a GS2 compatible way, to
>> allow a SAML SASL mechanism to be usable as a GSS-API mechanism as well.
>> By using the GS2 prefix, you also get support for authorization
>> identities.
>>
>> If authors are interested here, I could help with the GS2 prefix part so
>> that it causes minimal confusion for non-GSS-API people and still allows
>> that variant.  I made this suggestion for the OpenID SASL mechanism as
>> well.
>
> Thanks for the kind offer! My concern is that one of the design goals
> I started out with was not having to touch the existing IdP's. I lack
> here knowledge (have to read up on GSS-API), but would that be
> possible?

I am not certain.  The important part is traditionally to make the
client and server agree on the channel binding, and refuse connections
when they don't match.  I don't see any value in having the IdP also
necessarily have to be involved in this negotiation.

The transfer of the channel binding needs to be integrity protected, and
it needs to be tied with the authentication.  Thus, a simple way to
achieve this would be for the client to include it in a attribute that
it signs and sends to the server.  I don't think the IdP would need to
do anything with a field like that, but it needs to be preserved and
presented to the server.  I'm not enough of a SAML expert to tell
whether this is easy to achieve or not?  I do operate a SAML server for
a company, and when we did the integration with some RPs, there were
many places were you could put extension fields, so I strongly suspect
the answer is "yes" but it needs to be confirmed.

/Simon

v2.23.0 | Report a Bug | By Email