security-services message

Subject: RE: Contradictory requirements?


Title: RE: Contradictory requirements?

Evan - I should have been more careful in describing my concern.

Paraphrasing your description (below), Web server n gets assertion 1 from Web server n-1.  Assertion 1 was (perhaps verifiably) issued by Web server 1, but, because it contains no authenticator, it remains bound to the correct browser only if each of the web servers in the chain operates correctly.  If one were to make a mistake (or it were to deliberately impersonate the browser) then Web server n is deceived.

Web server n cannot tell who is in the chain or how long it is.

The fact that Web server n is able to verify that assertion 1 was issued by Web server 1 is no help.  Don't you agree?

Best regards.  Tim.

-----Original Message-----
From: Evan Prodromou [mailto:eprodromou@securant.com]
Sent: Wednesday, June 20, 2001 3:39 PM
To: security-services@lists.oasis-open.org
Subject: Re: Contradictory requirements?


>>>>> "TM" == Tim Moses <tim.moses@entrust.com> writes:

    TM> Evan - It sounds like you don't really believe in the second
    TM> of your two proposals.

It was a straw man argument, thrown up to be beaten down. B-)

    TM> So, let's look only at the first.  My problem with it is in
    TM> the last line:

    TM>  "etc., etc., etc."

    TM> Web server n gets Ticket 1 (which does not contain an
    TM> authenticator), issued by Web server 1, from Web server n-1.

Sorry, but I think you misread that. Web Server N gets Ticket N-1 from
Web Server N-1. It requests an AuthC Assertion from Web Server N-1 and
gets AuthC Assertion 1 (made by Web Server 1, the original
authenticator).

    TM> It has no idea where the ticket has been between Web server 1
    TM> and Web server n-1.  So, it has no way of judging whether it
    TM> is still associated with the same browser.

    TM>  It must blindly trust all intermediaries, without knowing who
    TM> they are (or even how many they are).

No, it only has to trust N-1 (for the ticket), and 1 (for the
assertion). That's the only one it has dealings with.

~ESP

--
Evan Prodromou, Senior Architect        eprodromou@securant.com
Securant Technologies, Inc.             415-856-9551
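The point Tim is pressing (that Web server n can check who issued Assertion 1 yet still cannot tell who is presenting it) can be made concrete in code. The following Python model is added here for illustration; it is not from the thread, not SAML, and not code from either author's product. It assumes a toy textbook-RSA signature over small fixed primes (constructed so the example runs on the standard library alone), three constructed parties (Web server 1 as issuer, the browser, and one intermediary that holds its own key), and compares a bearer assertion with no authenticator against a holder-of-key assertion whose presenter must answer a fresh challenge.

```python
"""Toy model of the concern in the thread: Web server n can verify that
Assertion 1 was issued by Web server 1 and still not know who presents it.
  bearer         : subject only, no authenticator; any intermediary that has
                   seen the assertion can present it as if it were the browser.
  holder-of-key  : the assertion names the browser's key and Web server n
                   demands a fresh proof of possession before accepting it.
Keys are a deliberately tiny textbook RSA (constructed, not a real scheme)."""
import hashlib, json, math, secrets

_E = 65537  # public exponent for the toy keys


def _is_prime(v):
    if v < 2:
        return False
    i = 2
    while i * i <= v:
        if v % i == 0:
            return False
        i += 1
    return True


def _next_prime(k):
    """Smallest prime >= k by trial division (fine for ~1e6-sized values)."""
    while not _is_prime(k):
        k += 1
    return k


def toy_keypair(p_seed, q_seed):
    """(public, private) = ((n, e), (n, d)) from primes near the two seeds."""
    p, q = _next_prime(p_seed), _next_prime(q_seed)
    while math.gcd(_E, (p - 1) * (q - 1)) != 1:   # keep e invertible mod phi
        q = _next_prime(q + 1)
    n = p * q
    return (n, _E), (n, pow(_E, -1, (p - 1) * (q - 1)))


def _digest_int(data, n):
    # Hash first, then reduce so the value is a valid message for the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


# Constructed parties: Web server 1 (issuer), the browser, one intermediary.
ISSUER_PUB, ISSUER_PRIV = toy_keypair(1_000_000, 1_000_100)
BROWSER_PUB, BROWSER_PRIV = toy_keypair(1_000_200, 1_000_300)
INTERMEDIARY_PUB, INTERMEDIARY_PRIV = toy_keypair(1_000_400, 1_000_500)


def _payload(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_assertion(subject, holder_pub=None):
    """Web server 1 makes 'AuthC Assertion 1'; with holder_pub it is holder-of-key."""
    body = {"issuer": "webserver-1", "subject": subject}
    if holder_pub is not None:
        body["holder_key"] = list(holder_pub)   # bind assertion to the browser's key
    return {"body": body, "sig": toy_sign(ISSUER_PRIV, _payload(body))}


def forward_through_chain(assertion, hops):
    """Web servers 2..n-1 relay the assertion; Web server n gets it from n-1.
    An honest relay leaves it untouched, so the issuer signature still verifies."""
    for _ in range(hops):
        assertion = {"body": dict(assertion["body"]), "sig": assertion["sig"]}
    return assertion


def tampered(assertion):
    """An intermediary rewriting the subject: this the issuer signature does catch."""
    return {"body": dict(assertion["body"], subject="mallory"), "sig": assertion["sig"]}


def browser_proof(nonce):
    return toy_sign(BROWSER_PRIV, nonce)        # only the browser holds this key


def intermediary_proof(nonce):
    return toy_sign(INTERMEDIARY_PRIV, nonce)   # the relay can only sign with its own key


def relying_party_accepts(assertion, prove_possession):
    """Web server n's decision; prove_possession(nonce) is what the presenter can do."""
    if not toy_verify(ISSUER_PUB, _payload(assertion["body"]), assertion["sig"]):
        return False                            # not issued by Web server 1
    holder = assertion["body"].get("holder_key")
    if holder is None:
        # Bearer assertion: nothing ties it to the presenter, so whoever handed it
        # over is accepted as the subject; every intermediary is trusted blindly.
        return True
    nonce = secrets.token_bytes(16)             # fresh challenge, so no replay
    return toy_verify(tuple(holder), nonce, prove_possession(nonce))


def run(mode, presenter):
    """Issue, relay through three intermediaries, then let `presenter` present."""
    holder = BROWSER_PUB if mode == "holder-of-key" else None
    assertion = forward_through_chain(issue_assertion("alice", holder), hops=3)
    return relying_party_accepts(assertion, presenter)


if __name__ == "__main__":
    for mode in ("bearer", "holder-of-key"):
        print(mode, "browser:", run(mode, browser_proof),
              "intermediary:", run(mode, intermediary_proof))
```

Run as a script, the bearer mode accepts both the browser and the intermediary, because checking the issuer signature only proves the assertion came from Web server 1 (the `tampered` case shows the one thing it does catch). In holder-of-key mode the intermediary fails the challenge, which is the authenticator Tim says is missing: without it, Web server n's trust necessarily extends to every relay in a chain it cannot see.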
