IETF Logo Mail Archive

Re: review of draft-wierenga-ietf-sasl-saml-00

Sam Hartman <hartmans-ietf@mit.edu> Wed, 26 May 2010 18:27 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 772083A69B9 for <kitten@core3.amsl.com>; Wed, 26 May 2010 11:27:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.965
X-Spam-Level:
X-Spam-Status: No, score=-0.965 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1QnBDLRX-CD for <kitten@core3.amsl.com>; Wed, 26 May 2010 11:27:11 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id B34D63A68AA for <kitten@ietf.org>; Wed, 26 May 2010 11:27:11 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 71511201F6; Wed, 26 May 2010 14:26:58 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id F21EF43EF; Wed, 26 May 2010 14:26:30 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Scott Cantor <cantor.2@osu.edu>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
References: <tslzkzn67n5.fsf@mit.edu> <077001cafc4b$603f0510$20bd0f30$@osu.edu> <4BFD2ECE.5020600@cisco.com> <07e801cafce5$4cf7f7b0$e6e7e710$@osu.edu>
Date: Wed, 26 May 2010 14:26:30 -0400
In-Reply-To: <07e801cafce5$4cf7f7b0$e6e7e710$@osu.edu> (Scott Cantor's message of "Wed, 26 May 2010 11:08:29 -0400")
Message-ID: <tslvdaa4izt.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kitten@ietf.org, moonshot-community@jiscmail.ac.uk, 'Sam Hartman' <hartmans-ietf@mit.edu>, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 18:27:12 -0000

>>>>> "Scott" == Scott Cantor <cantor.2@osu.edu> writes:

    >> I am assuming you refer to the ECP profile. How different would
    >> this be from the SASL point of view? I.e. what difference would
    >> it make on the "SASL wire"?

    Scott> It suffers the same MITM issues that Sam mentioned, since
    Scott> that's what happens if you punt that to TLS without any
    Scott> channel bindings. I'm not in a position to address that
    Scott> without help, I just believe there's a better non-web flow
    Scott> here. It also creates a much more flexible field for phishing
    Scott> to be addressed, since the client/IdP exchange is not a
    Scott> browser and a web site.

Scott, I'm happy to work with you to figure out if channel binding
support is possible in your approach.

v2.23.0 | Report a Bug | By Email