RE: review of draft-wierenga-ietf-sasl-saml-00
"Scott Cantor" <cantor.2@osu.edu> Tue, 25 May 2010 20:54 UTC
Return-Path: <cantor.2@osu.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 336063A6BB1 for <kitten@core3.amsl.com>; Tue, 25 May 2010 13:54:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1
X-Spam-Level: *
X-Spam-Status: No, score=1 tagged_above=-999 required=5 tests=[BAYES_60=1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQKbQggiWr8a for <kitten@core3.amsl.com>; Tue, 25 May 2010 13:54:06 -0700 (PDT)
Received: from defang19.it.ohio-state.edu (defang19.it.ohio-state.edu [128.146.216.133]) by core3.amsl.com (Postfix) with ESMTP id 6CE473A6D4F for <kitten@ietf.org>; Tue, 25 May 2010 13:46:47 -0700 (PDT)
Received: from defang6.it.ohio-state.edu (defang6.it.ohio-state.edu [128.146.216.86]) by defang19.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id o4PKkcI2018996; Tue, 25 May 2010 16:46:38 -0400
Received: from SNOWDOG (SNOWDOG.dyn.cio.osu.edu [164.107.161.86]) by defang6.it.ohio-state.edu (8.13.7/8.13.1) with ESMTP id o4PKkbnB018810; Tue, 25 May 2010 16:46:38 -0400
From: Scott Cantor <cantor.2@osu.edu>
To: 'Sam Hartman' <hartmans-ietf@mit.edu>, kitten@ietf.org
References: <tslzkzn67n5.fsf@mit.edu>
In-Reply-To: <tslzkzn67n5.fsf@mit.edu>
Subject: RE: review of draft-wierenga-ietf-sasl-saml-00
Date: Tue, 25 May 2010 16:46:39 -0400
Organization: The Ohio State University
Message-ID: <077001cafc4b$603f0510$20bd0f30$@osu.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLRbl7pt5nj/GkkimyEmmW8RXcC05BVuIAA
Content-Language: en-us
X-CanIt-Geo: ip=128.146.216.86; country=US; region=OH; city=Columbus; latitude=39.9968; longitude=-82.9882; metrocode=535; areacode=614; http://maps.google.com/maps?q=39.9968,-82.9882&z=6
X-CanItPRO-Stream: outbound
X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.133
Cc: moonshot-community@jiscmail.ac.uk, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2010 20:54:07 -0000
> A mechanism similar to this could provide significantly better security > guarantees if the client knew its own IDP URI. ... > I think that if these two additions can be fleshed out and if there are > significant use cases where clients could know their IDP, then the > mechanism should be modified to support these use cases. That is in essence the reason I am still planning to propose an alternative design that makes direct use of the SAML profile that was designed for this basic scenario of a client that's been modified. It does not impose significant technical barriers to clients (they don't have to know much about SAML or create XML Signatures or any of the other common complaints). I believe the cost of deploying a client is such that it's absolutely essential to use that change to move discovery to it. I was hoping to have an I-D submitted by now, but I haven't found the time. Hopefully fairly soon. > However, as I mentioned, I don't know how to do better than the current > mechanism given the common requirement that the server provide an IDP > discovery URI. I do understand that requirement is important. I haven't seen a compelling argument for why it's important. It's actually been a problem for federation since its inception, and when you can avoid it, you really have to. It's something you can work around in cases in which the application relies on identifiers that resemble email addresses and can be used to perform an implicit kind of discovery, but that's not a generalized case, and it still results in the additional security issues you mentioned. -- Scott
- review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Martin Rex
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson