[TLS] Re: The "other means" of controlling sessionids, master_secrets
<home_pw@msn.com> Mon, 15 January 2007 06:52 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6LhX-0000MC-6f; Mon, 15 Jan 2007 01:52:15 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6LhV-0000M2-RY for tls@ietf.org; Mon, 15 Jan 2007 01:52:13 -0500
Received: from bay0-omc3-s37.bay0.hotmail.com ([65.54.246.237]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6LhT-0005vx-Fn for tls@ietf.org; Mon, 15 Jan 2007 01:52:13 -0500
Received: from hotmail.com ([65.55.131.17]) by bay0-omc3-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sun, 14 Jan 2007 22:52:10 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 14 Jan 2007 22:52:10 -0800
Message-ID: <BAY126-DAV7220CBCC82144DEA2E87A92B50@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV7.phx.gbl with DAV; Mon, 15 Jan 2007 06:52:08 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: tls@ietf.org
Date: Sun, 14 Jan 2007 22:52:05 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 15 Jan 2007 06:52:10.0637 (UTC) FILETIME=[AE143BD0:01C73871]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc:
Subject: [TLS] Re: The "other means" of controlling sessionids, master_secrets
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
The following describes where I'm going one thought train, on this topic. In what follows, I may or may not be making a conforming usage of the ticket standard. This interpretation is a useful test of the spec, as from my reading I believe what I'm doing is (a) correct (b) intended. If folks think it's not, the RFC needs some work. Whilst I'm definitely not exploiting the ticketing mechanism for its stated raison d'etre, I do believe I'm 100% conforming in what follows:- Assume the "other means" noted in the standard is: a SAML2 protocol flow. The client http browser cooperates with an IDP saml-endpoint (at his/her favorite portal (google.com, live.com, enterprise.com, society.org ...)), and the target website in the server farm cooperates with an SP saml-endpoint (a service appliance adjacent to the load balancer). Lets assume the saml-endpoints on IDP and SP participate in federated identity sharing, and use XML Encryption to share attributes (including a master_secret) defined in an attribute contract. Also assume that, incidentally, the XML DigSigs used in SAML flow achieve webSSO, per the SAML POST profile and metadata (certs, trust anchors etc) are all set up via the controlling trust model. Now, lets assume that upon finally being redirected to the the app server using an https URL (where said server is deep in data center's access layer), said site now cooperates "locally" with the "ticket-enabled" SSL-offloading load balancer in the aggregation layer of its data center. Cooperation includes at least...delegating control of the master_secret retrieved from the SAML messages to the load balancer, so it can wrap it, and share it henceforth - using the ticket regime. Another cooperation could reverse the relationship between load balancer and app server, in which certain state information from the SSL session could be relayed to the app server (as an inserted HTTP header, for example). Using the SAML2 Attribute Query now, this state information could be communicated to the IDP site in a custom query type (using signed XML messages). In this way, the SP and IDP endpoints could both share certain information from the SSL stream that their SAML trust model calls for mutual rights to audit. I think I can do all this today, just exploiting the architecture of TLS1.0 and tickets. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls