
Subject: Re: [security-services] NIST prohibits use of SAML assertions at LOA4


On 6/27/08 1:46 PM, "SCOTT CANTOR" <cantor.2@osu.edu> wrote:

>> Well, this is truly bizarre.
> 
> It's not new, that's how the previous document was, AFAIK.

The current version doesn't explicitly forbid assertions.  800-63 v1.02 says
"Level 4 authentication is based on proof of possession of a key through a
cryptographic protocol" and I would consider SAML protocols to satisfy that.

> 
> Well, it's interpreted in light of the fact that browsers cannot perform
> proof operations with SAML assertions. What they want is not PKI in general,
> but PKI between the relying party and the client. More than a bearer token,
> in other words. There's plenty to be said for that argument.

I'm not sure why the browser is part of the equation.  The assertions are
signed and can be encrypted for the use of the RP only.  If you utilize all the
protective measures in SAML, I don't see how using PKI between the Client
and the RP is any different from PKI between Client and IDP, and then using
that same PKI tech to provide a provable reference back to that
authentication.  Unless, of course, you just don't trust IDPs, but that's a
different story (or is it)?

I guess my point is that if you believe that PKI is valid and practically
unassailable, then you should also believe that about PKI-based signing and
delivery of credential materials.

I know you don't like analogies, but to me, it's like saying you believe in
gravity, but only when you are standing on the ground, but not out in space.

ET
-- 
____________________________________________________
Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile
