Re: [kitten] sasl saml and sasl openID
Martin Rex <mrex@sap.com> Tue, 16 November 2010 01:41 UTC
Return-Path: <mrex@sap.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8B6AA3A6D71 for <kitten@core3.amsl.com>; Mon, 15 Nov 2010 17:41:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.09
X-Spam-Level:
X-Spam-Status: No, score=-10.09 tagged_above=-999 required=5 tests=[AWL=0.159, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K94S3Uf0BIcm for <kitten@core3.amsl.com>; Mon, 15 Nov 2010 17:41:31 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 9EB383A6A0B for <kitten@ietf.org>; Mon, 15 Nov 2010 17:41:30 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id oAG1gB7s027430 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 16 Nov 2010 02:42:11 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201011160142.oAG1g9qZ000673@fs4113.wdf.sap.corp>
To: Nicolas.Williams@oracle.com
Date: Tue, 16 Nov 2010 02:42:09 +0100
In-Reply-To: <20101115232820.GW6536@oracle.com> from "Nicolas Williams" at Nov 15, 10 05:28:21 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal04
X-SAP: out
Cc: kitten@ietf.org, simon@josefsson.org, hartmans-ietf@mit.edu
Subject: Re: [kitten] sasl saml and sasl openID
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Nov 2010 01:41:45 -0000
Nicolas Williams wrote: > > On Mon, Nov 15, 2010 at 06:26:39PM -0500, Sam Hartman wrote: > > > > OK, then I'd probably vote against supporting CB for SAML20. > > My concern is that if we do, it will discourage apps from using CB > > because it will significantly decrease their interoperability. > > What apps are we talking about? Remember, SASL/GS2 does make CB > negotiable, while straight GSS-API makes it non-negotiable. As I tried to explain here: http://www.ietf.org/mail-archive/web/kitten/current/msg02121.html it is definitely possible for GSS-API to use optional channel bindings, i.e. negotiate the use of channel bindings. You might, however, create a security problem for you protocol if you outsource the protection of your network communication to some other protocol instead of using GSS-API message protection primitives. And one means to prevent the total disconnect of authentication from the protection of the network communication is a concept called "channel binding". The GSS-API channel bindings facility is a very specific subset of the "channel binding" concept. In the original GSS-API design, there did not exist the idea of gss-api mechanism that are authentication only or worse, out-sourcing of message protection facilities to some other protocol. Although I just noticed in the San Diego IETF meeting minutes March 1992 of the CAT working group the question: Discussion: . GSS-API: for authentication only ? but I also remember a presentation from Sanra Murphy (TIS) in the CAT WG session on IETF 33 (July 1995 in Stockholm) and a very notica suprize by many CAT fanciers about the very first GSS-API mechanism that does not support message protection at all ... and a few resulting clarifications to the GSS-API v2 I-Ds. http://tools.ietf.org/html/draft-ietf-cat-fipsjjjgss-00 And as it's primary purpose of this PKI-based mechanism was unidirectional authentication of the initiator to the target, that initial proposal is completely silent about naming, in particular possible or anticipated values for the target_name parameter of gss_init_sec_context(). But similar to SPKM and DEC DASS, the concept of X.509 identities back then was nothing like hostbased service names. As I've previously mentioned, during the last 14 years we have been offering interoperability certification for third-party single sign-on solutions provided as plug-n-play shared libraries based on GSS-API v2. I've seen ~20 different SSO-solutions, 5 of them were implementations of Kerberos 5, two were completely proprietary and the rest based on X.509/PKI. Only the Kerberos implementations recognized the hostbased service name nametype, all other implementations rejected it upfront with "GSS_S_BAD_NAMETYPE". And when you're doing distributed apps, then being able to identify apps completely independent of hostnames facilitates a lot of things. There could be easily be running 5 or 6 apps independently using the same protocol on a single host (HumanResource,Financials,ProcessIntegration, MaterialsManagement,SupplyChainManagement, plus seperate apps development, integration and test systems of each) and alternative instances of the same app on 10 more hosts for distributing load, background and batch processing. Most X.509 based authentication schemes use 3-way or 4-way authentication exchanges (signed challenge/response), so that all distributed instances of a single application can share the PKI credential and it is irrelevant for the user to which particular host and which particular port it connects as long as the user knows what system it wants to talk to, e.g. "Human Resources", and neither the "Human Resources (Test)", "Customer Support" nor "Financial (apps development)" system. Also the ACLs that all AppServers of a single system use to talk among each other are pretty short with only one single entry. If you are using Kerberos, things get difficult and complicated, because every seperate instance has to be managed individually and every move of an application instance to a different host requires updates to all ACLs. And you still need to devise some scheme to distinguish several different entities of apps that are based on the same protocol on a single host. When you adapt the IETF robustness principle to application design for GSS-API then it works like this: "be liberal in characteristics and implementation choices that gssapi mechanims may exhibit, be conservative in the GSS-API features that you require for interoperability." and host-based service names are nowhere close. -Martin
- [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga (kwiereng)
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Scott Cantor
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Scott Cantor
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Jeffrey Hutzelman
- Re: [kitten] sasl saml and sasl openID Jeffrey Hutzelman
- Re: [kitten] sasl saml and sasl openID Henry B. Hotz
- Re: [kitten] sasl saml and sasl openID Cantor, Scott E.