Re: review of draft-wierenga-ietf-sasl-saml-00
Sam Hartman <hartmans-ietf@mit.edu> Wed, 26 May 2010 18:29 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8ABDA3A69B1 for <kitten@core3.amsl.com>; Wed, 26 May 2010 11:29:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.098
X-Spam-Level:
X-Spam-Status: No, score=-0.098 tagged_above=-999 required=5 tests=[AWL=-0.433, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jY-FmFXPhh6F for <kitten@core3.amsl.com>; Wed, 26 May 2010 11:29:18 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 9FCE23A68AA for <kitten@ietf.org>; Wed, 26 May 2010 11:29:18 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id D2E88201CA; Wed, 26 May 2010 14:29:09 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 7822343EF; Wed, 26 May 2010 14:28:42 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Klaas Wierenga <klaas@cisco.com>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
References: <tslzkzn67n5.fsf@mit.edu> <077001cafc4b$603f0510$20bd0f30$@osu.edu> <4BFD2ECE.5020600@cisco.com>
Date: Wed, 26 May 2010 14:28:42 -0400
In-Reply-To: <4BFD2ECE.5020600@cisco.com> (Klaas Wierenga's message of "Wed, 26 May 2010 16:23:10 +0200")
Message-ID: <tslr5ky4iw5.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kitten@ietf.org, moonshot-community@jiscmail.ac.uk, 'Sam Hartman' <hartmans-ietf@MIT.EDU>, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 18:29:19 -0000
>>>>> "Klaas" == Klaas Wierenga <klaas@CISCO.COM> writes: Klaas> right, so the server would have a list of realm to idp-url Klaas> mappings? In order for the proposal I made to work, the following must be true: 1) The IDP MUST verify that channel binding data is asserted by the expected RP and has been modified by no other party 2) The client MUST verify that the channel binding data corresponds to the channel that is in use. Those two are enough that the user will learn through the web browser if the connection is under attack. However, the that's not enough to defend against a server that fakes successful authentication or to learn at the SASL protocol level about a channel binding failure. 3) The client inserts a cookie into the return URL 4) The server or agents under the control of the server not see this cookie before succesful authentication 5) The server returns the cookie to the client. I'm not actually sure 3 is possible: I'm not sure whether the return URL is covered by the signature. Assuming it's possible, 4 means that the client must be able to verify that the IDP URL it goes to is one that it trusts. So, ultimately, the server can pick however you like, but it MUST pick from a list of *URLs* that the client trusts. Anything like the server mapping an IDP hint to a URL destroys the security property. Note that it's possible to have multiple modes of operation with different security properties. That creates UI challenges, but that is potentially doable.
- review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Martin Rex
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson