security-services message



Subject: RE: [security-services] Smart Browser


Hi Hal

I guess it was misleading to use the term Kerberos-like.  What I meant by
Kerberos-like was that we might want to look at some peripheral parts
of the Kerberos protocol such as the transports.  Kerberos requires
UDP/IP and TCP/IP Transports.  We might want to add HTTP.  Another item
might be extensions such as the proposed IETF extension to the Kerberos
profile that supports the use of a public key for the TGT request.  My
intention was to use the Kerberos 5 protocol.  This would be done
through the smart browser plug-in.

As far as specifying the Kerberos messages in XML, I wasn't suggesting
that.

As Jahan Moreh suggested, the smart browser approach opens the way to
other well know, time-tested protocols that we could consider in place
of or in addition to Kerberos.

Don 

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Friday, October 19, 2001 12:03 PM
To: Flinn, Don; Oasis Sstc (E-mail)
Subject: RE: [security-services] Smart Browser


Don,

With respect, you yourself called your proposal "Kerberos-like."
Kerberos is a specific set of messages and data formats. Kerberos 4 is
also a member of the Needham and Schroeder protocol family, but was shown
to have security weaknesses. In fact it took a number of iterations of
Kerberos 5 to get rid of its flaws. I see no reason we should repeat this
process.

It is true that, for example, the SAML http profile has had to invent
mechanisms for secure distribution of SAML Assertions, but there was no
existing alternative standard. In contrast, your proposal seems to
duplicate a number of existing standards, including Kerberos. Other than
your statement that you assume the browser is not Kerberos enabled, I
don't see what your rationale is for doing this.

If we are going to hypothesize that the user will have a Browser that is
equipped with some software that Browsers today do not have, why not
assume Kerberos or TLS with client certs?

Surely you are not arguing that what the world needs is an XML version of
Kerberos, are you?

Regards,

Hal

> -----Original Message-----
> From: Flinn, Don [mailto:Don.Flinn@hitachisoftware.com]
> Sent: Thursday, October 18, 2001 10:05 AM
> To: Hal Lockhart; Oasis Sstc (E-mail)
> Subject: RE: [security-services] Smart Browser
> 
> 
> Hal
> 
> The intent is not to invent a new protocol.  The intent, as I
> proposed, is to use Kerberos, or the Needham and Schroeder protocol
> upon which Kerberos is based.  The existing SAML browser protocols,
> IMHO, lean more towards the invention of new protocols than what I am
> suggesting.  Specifically, I am suggesting that we use existing, well
> known protocols in the smart browser profile.
> 
> Don
> 
> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Thursday, October 18, 2001 9:41 AM
> To: Flinn, Don; Oasis Sstc (E-mail)
> Subject: RE: [security-services] Smart Browser
> 
> 
> I don't understand the motive for inventing a new authentication
> protocol.  History has shown that this is something which is fraught
> with risk.  It seems to me that we have plenty of good ones already,
> they are just not widely deployed.  This one seems particularly
> puzzling since it has essentially the same external characteristics as
> Kerberos.
> 
> This also seems to violate what I understood to be the intent of the
> SAML requirement we all agreed to last spring.
> 
> "SAML will not propose any new cryptographic technologies or models for
> security; instead, the emphasis is on description and use of well-known
> security technologies utilizing a standard syntax (markup language) in
> the context of the Internet."
> 
> Hal 
> 
> > -----Original Message-----
> > From: Flinn, Don [mailto:Don.Flinn@hitachisoftware.com]
> > Sent: Tuesday, October 16, 2001 3:04 PM
> > To: Oasis Sstc (E-mail)
> > Subject: [security-services] Smart Browser
> > 
> > 
> > I had to drop out of today's focus group for another meeting.  
> > 
> > I would like to get a reading from the group on the Smart Browser
> > Profile concept that I put on the mailing list a couple of weeks ago.
> > There has been no discussion on this.  I would like to know whether
> > this means that there is no interest and the idea should be dropped,
> > or whether people thought it worthwhile, in which case I would do
> > additional work on it, or hated the idea.
> > 
> > I have attached the writeup again for easy reference.
> > 
> > Don
> > 
> > 
> 

