Re: review of draft-wierenga-ietf-sasl-saml-00
Martin Rex <mrex@sap.com> Thu, 27 May 2010 18:00 UTC
Return-Path: <mrex@sap.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BCE03A6B89 for <kitten@core3.amsl.com>; Thu, 27 May 2010 11:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.574
X-Spam-Level:
X-Spam-Status: No, score=-7.574 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g2NB0kmsQ-c6 for <kitten@core3.amsl.com>; Thu, 27 May 2010 11:00:53 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 87BF53A697B for <kitten@ietf.org>; Thu, 27 May 2010 11:00:53 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o4RI0Bcm022005 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 27 May 2010 20:00:11 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201005271800.o4RI09Iu028320@fs4113.wdf.sap.corp>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
To: klaas@cisco.com
Date: Thu, 27 May 2010 20:00:09 +0200
In-Reply-To: <4BFE8D74.3090102@cisco.com> from "Klaas Wierenga" at May 27, 10 05:19:16 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: kitten@ietf.org, moonshot-community@jiscmail.ac.uk, hartmans-ietf@mit.edu, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2010 18:00:54 -0000
Klaas Wierenga wrote: > > On 5/26/10 8:28 PM, Sam Hartman wrote: > > > > 1) The IDP MUST verify that channel binding data is asserted by the > > expected RP and has been modified by no other party > > > > 2) The client MUST verify that the channel binding data corresponds to > > the channel that is in use. > > > > Those two are enough that the user will learn through the web browser if > > the connection is under attack. However, the that's not enough to > > defend against a server that fakes successful authentication or to learn > > at the SASL protocol level about a channel binding failure. > > Just to understand, what does channel binding buy you if you still can > not prevent the MiTM? That is a misunderstanding. (Cryptographic) channel bindings reliably protects you from MitM attacks. But it can not protect you from an attacker that can successfully impersonate a "trusted" server, and neither from an inappropriately trusted "rogue" server. Successfully impersonating a "trusted" server does not necessarily require a full compromise of that server. Being able to pass those few superficial checks that the client performs in order to verify the authentication of a server is perfectly sufficient -- and is usually much easier than breaking into the real server in order to get hold of its credentials. Think of PKI, X.509 certs, server endpoint identification similar to HTTP over TLS (rfc2818) and the problem of lots of software dealing with embedded NUL chars in names, or the problem of huge amounts of interchangeably-trusted root CAs. -Martin
- review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Martin Rex
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson