Re: Update: Contributed doc. browser bindings incl. Shibboleth

[Anders Rundgren <anders.rundgren@telia.com>]

Title: RE: Update: Contributed doc. browser bindings incl. Shibboleth

Tim,

To be perfectly honest, I have not given that much thought as it does

not make sense in the B2B-schemes I'm plotting with. Do you mean

like going to some other place where the same auth* should work

as well?  Using the "plain-Jane" scheme on page #3 you could

do that. But iff the auth* also contains the target URL as well, it should

be blocked at other sites.  For other reasons, like URL-breakage,

we don't actually propose such schemes, but rather a Shibboleth-like

approach (page #4) which is a strong-binding truly bi-directional auth* that does

not have any value except between a user and his/her AA and the RP.

 

Regards

Anders 

----- Original Message -----

From: Tim Moses

To: security-services@lists.oasis-open.org

Sent: Monday, July 30, 2001 19:30

Subject: RE: Update: Contributed doc. browser bindings incl. Shibboleth

Anders - Can you explain how, under your proposal, a relying party is prevented from impersonating someone that it has authenticated?  Best regards. Tim.

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Saturday, July 28, 2001 9:47 AM
To: Mishra, Prateek; security-services@lists.oasis-open.org
Cc: Tim Moses; RL 'Bob' Morgan; Marlena Erdos
Subject: Update: Contributed doc. browser bindings incl. Shibboleth

Hi Prateek,
You asked for the write-up.  Did never got any feedback though.
Here is an upgrade that also includes Shibboleth:

      http://www.x-obi.com/OBI400/andersr-browser-artifact.ppt

The Push model is by no means dead.  It is the Pull model that has
problems. Although one can argue if this is a Push model really...

Regards
Anders