RE: [TLS] Review of draft-housley-tls-authz-extns-05
<Pasi.Eronen@nokia.com> Sat, 03 June 2006 16:18 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FmYpp-0000Vd-Rk; Sat, 03 Jun 2006 12:18:45 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FmYpo-0000VV-Nh for tls@ietf.org; Sat, 03 Jun 2006 12:18:44 -0400
Received: from mgw-ext13.nokia.com ([131.228.20.172]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FmYpn-0001lC-8S for tls@ietf.org; Sat, 03 Jun 2006 12:18:44 -0400
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext13.nokia.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k53GIZ5k014541; Sat, 3 Jun 2006 19:18:41 +0300
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 3 Jun 2006 19:18:40 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 3 Jun 2006 19:18:40 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Review of draft-housley-tls-authz-extns-05
Date: Sat, 03 Jun 2006 19:18:40 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2402BBFCC6@esebe105.NOE.Nokia.com>
In-Reply-To: <7.0.0.16.2.20060531173828.07a36e28@vigilsec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Review of draft-housley-tls-authz-extns-05
Thread-Index: AcaE/epmezPHxon2Q4OfOpB8xYlb+ACK2/aw
From: Pasi.Eronen@nokia.com
To: housley@vigilsec.com
X-OriginalArrivalTime: 03 Jun 2006 16:18:40.0345 (UTC) FILETIME=[602A9490:01C68729]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: hartmans-ietf@mit.edu, mark@redphonesecurity.com, tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Russ Housley wrote: > >The part about X.509 attribute certificates looks fine, but > >at least the SAML part still needs some work: > > > >1) I think the document needs to discuss the security considerations > > of bearer SAML assertions in more detail. While the > > countermeasures described in 3.3.2 may help against passive > > eavesdroppers, they still allow an active MiTM to "steal" the > > permission. This is IMHO a significant difference to typical > > SAML usage with HTTP-over-TLS, where the server is > > authenticated before the bearer assertion is sent. > > Does this proposed text solve your concern? > > The use of bearer SAML assertions allows an eavesdropper or a > man-in-the-middle to capture the SAML assertion and try to reuse > it in another context. The constraints discussed in Section > 3.3.2 might be effective against an eavesdropper, but they are > less likely to be effective against a man-in-the-middle. > Authentication of both parties in the TLS session, which > involves the use of client authentication, will prevent an > undetected man-in the-middle, and the use of the double > handshake illustrated in Figure 2 will prevent the disclosure of > the bearer SAML assertion to any party other than the TLS peer. Yes, this is significantly better. > >2) Section 3.3.2: "When SAMLAssertion is used, the field contains > > XML constructs with a nested structure defined in > > [SAML1.1][SAML2.0]." This needs to be much more specific than > > "some XML from these documents". What element/elements? Is this > > an XML document (with XML declaration etc.), or just a > > "fragment"? Which encoding? And so on... > > Does this proposed text solve your concern? > > When SAMLAssertion is used, the field contains an XML-encoded > <Assertion> element using the AssertionType complex type as > defined in [SAML1.1][SAML2.0]. We also need to specify the character-to-octet encoding (UTF-8 would be the most logical alternative). Best regards, Pasi _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- RE: [TLS] Review of draft-housley-tls-authz-extns… Pasi.Eronen
- [TLS] Review of draft-housley-tls-authz-extns-05 Pasi.Eronen
- Re: [TLS] Review of draft-housley-tls-authz-extns… Russ Housley
- Re: [TLS] Review of draft-housley-tls-authz-extns… Sam Hartman
- RE: [TLS] Review of draft-housley-tls-authz-extns… Russ Housley
- Re: [TLS] Review of draft-housley-tls-authz-extns… Sam Hartman
- Re: [TLS] Review of draft-housley-tls-authz-extns… Russ Housley
- RE: [TLS] Review of draft-housley-tls-authz-extns… Pasi.Eronen
- RE: [TLS] Review of draft-housley-tls-authz-extns… Hollenbeck, Scott
- RE: [TLS] Review of draft-housley-tls-authz-extns… Pasi.Eronen