RE: [TLS] Review of draft-housley-tls-authz-extns-05

<Pasi.Eronen@nokia.com> Sat, 03 June 2006 16:18 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FmYpp-0000Vd-Rk; Sat, 03 Jun 2006 12:18:45 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FmYpo-0000VV-Nh for tls@ietf.org; Sat, 03 Jun 2006 12:18:44 -0400
Received: from mgw-ext13.nokia.com ([131.228.20.172]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FmYpn-0001lC-8S for tls@ietf.org; Sat, 03 Jun 2006 12:18:44 -0400
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext13.nokia.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k53GIZ5k014541; Sat, 3 Jun 2006 19:18:41 +0300
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 3 Jun 2006 19:18:40 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 3 Jun 2006 19:18:40 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Review of draft-housley-tls-authz-extns-05
Date: Sat, 3 Jun 2006 19:18:40 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2402BBFCC6@esebe105.NOE.Nokia.com>
In-Reply-To: <7.0.0.16.2.20060531173828.07a36e28@vigilsec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Review of draft-housley-tls-authz-extns-05
Thread-Index: AcaE/epmezPHxon2Q4OfOpB8xYlb+ACK2/aw
From: <Pasi.Eronen@nokia.com>
To: <housley@vigilsec.com>
X-OriginalArrivalTime: 03 Jun 2006 16:18:40.0345 (UTC) FILETIME=[602A9490:01C68729]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: hartmans-ietf@mit.edu, mark@redphonesecurity.com, tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Russ Housley wrote:

> >The part about X.509 attribute certificates looks fine, but
> >at least the SAML part still needs some work:
> >
> >1) I think the document needs to discuss the security considerations
> >    of bearer SAML assertions in more detail. While the
> >    countermeasures described in 3.3.2 may help against passive
> >    eavesdroppers, they still allow an active MiTM to "steal" the
> >    permission.  This is IMHO a significant difference to typical
> >    SAML usage with HTTP-over-TLS, where the server is
> >    authenticated before the bearer assertion is sent.
> 
> Does this proposed text solve your concern?
> 
>     The use of bearer SAML assertions allows an eavesdropper or a
>     man-in-the-middle to capture the SAML assertion and try to reuse
>     it in another context.  The constraints discussed in Section
>     3.3.2 might be effective against an eavesdropper, but they are
>     less likely to be effective against a man-in-the-middle.
>     Authentication of both parties in the TLS session, which
>     involves the use of client authentication, will prevent an
>     undetected man-in the-middle, and the use of the double
>     handshake illustrated in Figure 2 will prevent the disclosure of
>     the bearer SAML assertion to any party other than the TLS peer.

Yes, this is significantly better.

> >2) Section 3.3.2: "When SAMLAssertion is used, the field contains 
> >   XML constructs with a nested structure defined in
> >   [SAML1.1][SAML2.0]."  This needs to be much more specific than
> >   "some XML from these documents". What element/elements? Is this
> >   an XML document (with XML declaration etc.), or just a
> >   "fragment"? Which encoding?  And so on...
> 
> Does this proposed text solve your concern?
> 
>     When SAMLAssertion is used, the field contains an XML-encoded
>     <Assertion> element using the AssertionType complex type as
>     defined in [SAML1.1][SAML2.0].

We also need to specify the character-to-octet encoding (UTF-8 would
be the most logical alternative).

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls