IETF Logo Mail Archive

Re: review of draft-wierenga-ietf-sasl-saml-00

Klaas Wierenga <klaas@cisco.com> Wed, 26 May 2010 14:23 UTC

Return-Path: <klaas@cisco.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2E70D3A6956 for <kitten@core3.amsl.com>; Wed, 26 May 2010 07:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.092
X-Spam-Level:
X-Spam-Status: No, score=-4.092 tagged_above=-999 required=5 tests=[AWL=4.093, BAYES_40=-0.185, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qSXI66HJF3fm for <kitten@core3.amsl.com>; Wed, 26 May 2010 07:23:20 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 5D9063A6930 for <kitten@ietf.org>; Wed, 26 May 2010 07:23:20 -0700 (PDT)
Authentication-Results: ams-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao0BADTL/EuQ/uCWe2dsb2JhbACeIBUBARYiBhynLpl/glqCOQSPUw
X-IronPort-AV: E=Sophos;i="4.53,304,1272844800"; d="scan'208";a="61825940"
Received: from ams-core-1.cisco.com ([144.254.224.150]) by ams-iport-1.cisco.com with ESMTP; 26 May 2010 14:23:10 +0000
Received: from macmini.wierenga.net (ams-kwiereng-8711.cisco.com [10.55.220.242]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o4QENAMj024607; Wed, 26 May 2010 14:23:10 GMT
Message-ID: <4BFD2ECE.5020600@cisco.com>
Date: Wed, 26 May 2010 16:23:10 +0200
From: Klaas Wierenga <klaas@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Scott Cantor <cantor.2@osu.edu>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
References: <tslzkzn67n5.fsf@mit.edu> <077001cafc4b$603f0510$20bd0f30$@osu.edu>
In-Reply-To: <077001cafc4b$603f0510$20bd0f30$@osu.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 26 May 2010 07:40:31 -0700
Cc: kitten@ietf.org, moonshot-community@jiscmail.ac.uk, 'Sam Hartman' <hartmans-ietf@mit.edu>, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 14:23:35 -0000

On 5/25/10 10:46 PM, Scott Cantor wrote:

Scott,

>> A mechanism similar to this could provide significantly better security
>> guarantees if the client knew its own IDP URI.
> ...
>> I think that if these two additions can be fleshed out and if there are
>> significant use cases where clients could know their IDP, then the
>> mechanism should be modified to support these use cases.
>
> That is in essence the reason I am still planning to propose an alternative
> design that makes direct use of the SAML profile that was designed for this
> basic scenario of a client that's been modified. It does not impose
> significant technical barriers to clients (they don't have to know much
> about SAML or create XML Signatures or any of the other common complaints).

I am assuming you refer to the ECP profile. How different would this be 
from the SASL point of view? I.e. what difference would it make on the 
"SASL wire"?

>
> I believe the cost of deploying a client is such that it's absolutely
> essential to use that change to move discovery to it.
>
> I was hoping to have an I-D submitted by now, but I haven't found the time.
> Hopefully fairly soon.
>
>> However, as I mentioned, I don't know how to do better than the current
>> mechanism given the common requirement that the server provide an IDP
>> discovery URI.  I do understand that requirement is important.
>
> I haven't seen a compelling argument for why it's important. It's actually
> been a problem for federation since its inception, and when you can avoid
> it, you really have to.

There is no compelling argument other than that this is the way it is 
done in most identity federations today and I wanted to stay as close as 
possible to today's implementations and not fall into the trap of trying 
to introduce something new and at the same time try to fix all other 
problems in the world.

> It's something you can work around in cases in which the application relies
> on identifiers that resemble email addresses and can be used to perform an
> implicit kind of discovery, but that's not a generalized case, and it still
> results in the additional security issues you mentioned.

Agreed.

Klaas

v2.23.0 | Report a Bug | By Email