[TLS] Re: The "other means" of controlling sessionids, master_secrets

<home_pw@msn.com> Mon, 15 January 2007 06:52 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6LhX-0000MC-6f; Mon, 15 Jan 2007 01:52:15 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6LhV-0000M2-RY for tls@ietf.org; Mon, 15 Jan 2007 01:52:13 -0500
Received: from bay0-omc3-s37.bay0.hotmail.com ([65.54.246.237]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6LhT-0005vx-Fn for tls@ietf.org; Mon, 15 Jan 2007 01:52:13 -0500
Received: from hotmail.com ([65.55.131.17]) by bay0-omc3-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sun, 14 Jan 2007 22:52:10 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 14 Jan 2007 22:52:10 -0800
Message-ID: <BAY126-DAV7220CBCC82144DEA2E87A92B50@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV7.phx.gbl with DAV; Mon, 15 Jan 2007 06:52:08 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: tls@ietf.org
Date: Sun, 14 Jan 2007 22:52:05 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 15 Jan 2007 06:52:10.0637 (UTC) FILETIME=[AE143BD0:01C73871]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc:
Subject: [TLS] Re: The "other means" of controlling sessionids, master_secrets
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

The following describes where I'm going one thought train, 
on this topic. In what follows, I may or may not be making a 
conforming usage of the ticket standard. This interpretation 
is a useful test of the spec, as from my reading I believe 
what I'm doing is (a) correct (b) intended. If folks think 
it's not, the RFC needs some work. Whilst I'm definitely not 
exploiting the ticketing mechanism for its stated raison 
d'etre, I do believe I'm 100% conforming in what follows:-

Assume the "other means" noted in the standard is: a SAML2 
protocol flow. The client http browser cooperates with an 
IDP saml-endpoint (at his/her favorite portal (google.com, 
live.com, enterprise.com, society.org ...)), and the target 
website in the server farm cooperates with an SP 
saml-endpoint (a service appliance adjacent to the load 
balancer). Lets assume the saml-endpoints on IDP and SP 
participate in federated identity sharing, and use XML 
Encryption to share attributes (including a master_secret) 
defined in an attribute contract. Also assume that, 
incidentally, the XML DigSigs used in SAML flow achieve 
webSSO, per the SAML POST profile and metadata (certs, trust 
anchors etc) are all set up via the controlling trust model.

Now, lets assume that upon finally being redirected to the 
the app server using an https URL (where said server is deep 
in data center's access layer), said site now cooperates 
"locally" with the "ticket-enabled" SSL-offloading load 
balancer in the aggregation layer of its data center. 
Cooperation includes at least...delegating control of the 
master_secret retrieved from the SAML messages to the load 
balancer, so it can wrap it, and share it henceforth - using 
the ticket regime.

Another cooperation could reverse the relationship between 
load balancer and app server, in which certain state 
information from the SSL session could be relayed to the app 
server (as an inserted HTTP header, for example). Using the 
SAML2 Attribute Query now, this state information could be 
communicated to the IDP site in a custom query type (using 
signed XML messages). In this way, the SP and IDP endpoints 
could both share certain information from the SSL stream 
that their SAML trust model calls for mutual rights to 
audit.

I think I can do all this today, just exploiting the 
architecture of TLS1.0 and tickets. 


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls