Subject: RE: Contradictory requirements?
Evan - I should have been more careful in describing my concern.
Paraphrasing your description (below), Web server n gets assertion 1 from Web server n-1. Assertion 1 was (perhaps verifiably) issued by Web server 1, but, because it contains no authenticator, it remains bound to the correct browser only if each of the web servers in the chain operates correctly. If one were to make a mistake (or it were to deliberately impersonate the browser) then Web server n is deceived.
Web server n cannot tell who is in the chain or how long it is.
The fact that Web server n is able to verify that assertion 1 was issued by Web server 1 is no help. Don't you agree?
Best regards. Tim.
-----Original Message-----
From: Evan Prodromou [mailto:eprodromou@securant.com]
Sent: Wednesday, June 20, 2001 3:39 PM
To: security-services@lists.oasis-open.org
Subject: Re: Contradictory requirements?
>>>>> "TM" == Tim Moses <tim.moses@entrust.com> writes:
TM> Evan - It sounds like you don't really believe in the second
TM> of your two proposals.
It was a straw man argument, thrown up to be beaten down. B-)
TM> So, let's look only at the first. My problem with it is in
TM> the last line:
TM> "etc., etc., etc."
TM> Web server n gets Ticket 1 (which does not contain an
TM> authenticator), issued by Web server 1, from Web server n-1.
Sorry, but I think you misread that. Web Server N gets Ticket N-1 from
Web Server N-1. It requests an AuthC Assertion from Web Server N-1 and
gets AuthC Assertion 1 (made by Web Server 1, the original
authenticator).
TM> It has no idea where the ticket has been between Web server 1
TM> and Web server n-1. So, it has no way of judging whether it
TM> is still associated with the same browser.
TM> It must blindly trust all intermediaries, without knowing who
TM> they are (or even how many they are).
No, it only has to trust N-1 (for the ticket), and 1 (for the
assertion). That's the only one it has dealings with.
~ESP
--
Evan Prodromou, Senior Architect eprodromou@securant.com
Securant Technologies, Inc. 415-856-9551
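As an added illustration of the point the two messages argue over (not code from the list or from either author): Web server n can verify that server 1 issued the assertion, but an assertion with no authenticator is accepted from whichever relay presents it, whereas one bound to the browser's key is rejected when an intermediary presents it as if it were the browser. Ed25519 signatures, the JSON layout and the HolderKey field are assumptions standing in for whatever the specification would define.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
)

// Assertion stands in for the authentication assertion Web server 1 issues. HolderKey is empty
// for a bearer assertion (no authenticator) and carries the browser's public key when the
// assertion is bound to the browser (the field name is hypothetical).
type Assertion struct {
	Issuer    string `json:"issuer"`
	Subject   string `json:"subject"`
	HolderKey []byte `json:"holder_key,omitempty"`
}

// Signed is the assertion body plus Web server 1's signature over it.
type Signed struct{ Payload, Sig []byte }

func Issue(issuerPriv ed25519.PrivateKey, a Assertion) Signed {
	b, _ := json.Marshal(a)
	return Signed{Payload: b, Sig: ed25519.Sign(issuerPriv, b)}
}

// Accept is Web server n's check. Verifying server 1's signature only proves who issued the
// assertion; with no HolderKey it is accepted from whoever relays it. With a HolderKey the
// presenter must also sign server n's fresh nonce with that key.
func Accept(issuerPub ed25519.PublicKey, s Signed, nonce, proof []byte) bool {
	var a Assertion
	if !ed25519.Verify(issuerPub, s.Payload, s.Sig) || json.Unmarshal(s.Payload, &a) != nil {
		return false
	}
	if len(a.HolderKey) != ed25519.PublicKeySize {
		return len(a.HolderKey) == 0 // empty: bearer, nothing ties it to the presenter; else malformed
	}
	return ed25519.Verify(ed25519.PublicKey(a.HolderKey), nonce, proof)
}

// Scenario models the thread: server 1 issues for browser A and an intermediary relays the
// assertion to server n. It reports whether server n accepts the bearer assertion from the
// relay, the bound assertion from the browser, and the bound assertion from the relay.
func Scenario() (bearerFromRelay, boundFromBrowser, boundFromRelay bool) {
	issPub, issPriv, _ := ed25519.GenerateKey(nil)
	browserPub, browserPriv, _ := ed25519.GenerateKey(nil)
	_, relayPriv, _ := ed25519.GenerateKey(nil)        // the relay's own key, not the browser's
	nonce := []byte("constructed-nonce-from-server-n") // a real one is random per request
	bearer := Issue(issPriv, Assertion{Issuer: "WebServer1", Subject: "browser-A"})
	bound := Issue(issPriv, Assertion{Issuer: "WebServer1", Subject: "browser-A", HolderKey: browserPub})
	bearerFromRelay = Accept(issPub, bearer, nonce, nil)
	boundFromBrowser = Accept(issPub, bound, nonce, ed25519.Sign(browserPriv, nonce))
	boundFromRelay = Accept(issPub, bound, nonce, ed25519.Sign(relayPriv, nonce))
	return
}
```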