Subject: Re: [imi] SAML 2 profile questions
Scott Cantor wrote:
>> If you are using bearer assertions, then the presence of the authn token
>> only provides extra granularity for access control if it contains
>> a) the LOA value and/or
>> b) a permanent ID of the user that is known to the SP.
> 
> We're talking about the statements in the "token". AuthnStatements do not
> contain information about the user, but about the act of authentication that
> led to the issuance of the assertion.

which includes the LOA according to the SAML draft spec.

>
>>> In 2.3.3, the draft states that "the assertion MUST be signed".  I
>>> understand the value of this, but I'd like us to at least discuss this
>>> before assuming that this should be a MUST.  For instance, is this a
>>> MUST when the token is used with the SAML 2.0 protocol?
>> In many cases TLS is sufficient, so I see no need to make this mandatory.
> 
> The signature is for integrity of the assertion from the IdP. There is no
> TLS connection between the IdP and the RP. Not signing the token means a
> client is free to manipulate it at will.

Understood. But this is not an (unknown) attacker, it is a fraudulent 
(known) user changing his token, which is different. These can be caught 
with auditing. So it's less of a risk than an unknown attacker, and in 
some situations, e.g. student access to library systems, it might be too 
low a risk to worry about the extra cost of signing. Thus it should be 
the choice of the RP whether signing is needed or not. After all, it is 
the RP that faces the risk.


> 
>> If you want privacy protection then you can always use a freshly minted
>> randomly generated identifier to identify the user in each new assertion
> 
> That doesn't address the privacy use case that non-audited cards are
> intended to address, which is about privacy *from* the IdP regarding what
> RPs you visit.
> 
> My complaint is not with non-auditing mode, it's with the lack of support
> for holder of key when using it.

But if users don't have keys and their client software does not 
automatically mint and manage them for them, then you can't use holder of 
key (even if we would like to).

David

> 
> -- Scott
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> 
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between 
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for 
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
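As an added illustration of the RP-side choice argued over in this message (example code, not from the thread or the IMI TC): a stdlib-only Python check that pulls the subject confirmation method, the presence of an enveloped ds:Signature, and the AuthnContext (the "LOA" carried in the AuthnStatement) out of a constructed SAML 2.0 bearer assertion, plus an RP policy deciding whether an unsigned bearer assertion is acceptable. It assumes cryptographic XML-DSig verification is done separately by a proper library; here only presence is detected.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample (not from the thread): an unsigned bearer assertion whose
# AuthnStatement carries the authentication context, i.e. the "LOA" discussed.
SAMPLE_UNSIGNED_BEARER = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0"
    IssueInstant="2009-07-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp9</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}"/>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2009-07-01T11:59:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def inspect_assertion(xml_text):
    """Extract what an RP policy needs: confirmation method, whether a
    ds:Signature sits on the Assertion element, and the authn context."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    methods = [sc.get("Method") for sc in root.iter(f"{{{SAML}}}SubjectConfirmation")]
    ctx = root.find(f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "bearer": BEARER in methods,
        "holder_of_key": HOLDER_OF_KEY in methods,
        # Presence only: a present signature must still be verified against the
        # IdP's key with an XML-DSig library before the assertion is trusted.
        "signed": root.find(f"{{{DSIG}}}Signature") is not None,
        "authn_context": ctx.text if ctx is not None else None,
    }

def rp_accepts(info, require_signature, min_contexts=None):
    """RP-side policy: a bearer assertion passes only if the RP either gets the
    signature it requires or has chosen to tolerate unsigned ones (low risk)."""
    if info["bearer"] and require_signature and not info["signed"]:
        return False  # unsigned bearer token: the client could have altered it
    if min_contexts is not None and info["authn_context"] not in min_contexts:
        return False  # LOA from the AuthnStatement is below what the RP needs
    return True
```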