RE: Contradictory requirements?

["Mishra, Prateek" <pmishra@netegrity.com>]

Tim,
 
an attempt has been made to address some of the issues in the bindings
document.
 
Briefly, support for intermediaries is a property of a specific profile or
protocol binding.
The web browser profile, for example, does not permit any intermediaries:
users MUST transit directly from an AP to a RP and the token semantics are
specific to (AP, RP) pairs.
 
Those profiles/bindings that permit the use of (untrusted) intermediaries
must explain
how the assertions are protected against misuse through tampering or
impersonation. In some cases, confidentiality may also be required and this
generates another level of
requirement on the profile/binding. 
 
In the SOAP profile, for example, intermediaries are permitted. The concept
of 
attachment integrity of assertions is introduced precisely to support an
end-to-end
security model (only the original "holder" of the assertions could have
attached them
to the document). This still leaves the question of confidentiality open:
until we have
the XML-encryption specification in hand, we cant mandate the use of
encryption just for
assertion elements. 
 
I am not sure we need to worry about "trusted" intermediaries. My thinking
would
be that all "interesting" intermediaries are untrusted. Maybe the language
of [R-Confidentiality] needs to be revised.
 
- prateek
 

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Tuesday, June 19, 2001 9:00 AM
To: 'OASIS Security Services group'
Subject: Contradictory requirements?



Colleagues - Here are some excerpts from our requirements documents, with
commentary ... 

"[R-Bindings] ... SAML should define bindings ... to ... the following
protocols: standard commercial browsers ..." 

 - This suggests a "token-style" authentication scheme as described in
draft-sstc-bindings-model-04.doc, Section 3.1. 

"[R-Confidentiality] SAML data should be protected from observation by ...
untrusted intermediaries." 

 - This suggests that intermediaries may be of two types: trusted and
untrusted. 

"[R-Intermediaries] SAML data ... will be structured in a way that they can
be passed from an asserting party through one or more intermediaries to a
relying party.  The validity of the message or assertion can be established
without requiring a direct connection between the asserting and relying
parties."

 - This prompts a number of questions: 

"Are the intermediaries referred to of the trusted or untrusted type?"  I
assume that (in order to satisfy the "single-sign-on", "third-party security
service" and "application chain" scenarios) the intermediaries referred to
must have access to the contents of messages and assertions.  But, must the
ultimate relying party trust them not to deliberately, or accidentally,
impersonate the principal, or cause another browser to impersonate the
principal?

The scenarios referred to in the last paragraph are written in terms of
chains with a single intermediary.  But, the requirement includes the phrase
"one or more".  So, should we think of the scenarios as just a special case
of the more general requirement in which chains may contain many
intermediaries?

If intermediaries have to be of the trusted type, then how will a relying
party tell what intermediaries have handled the token and whether or not
they should be trusted?  

If intermediaries may be of the untrusted type, then it seems unlikely that
we will find a solution that can satisfy both the [R-Intermediaries] and the
[R-Bindings] requirements.  We may have to remove the second sentence of the
[R-Intermediaries] requirement.

Thoughts anyone?  Best regards.  Tim. 

----------------------------------------------------------------------------
----------- 
Tim Moses 
Tel: 613.270.3183