OASIS Mailing List Archives

security-consider message



Subject: article: Access Control and Session management in the HTTP Environment


The article below is particularly relevant to our various discussions
surrounding binding to "standard commercial browsers" (in quotes because we need
to reword it, but that's a different thread).

The article is here:

  Access Control and Session management in the HTTP Environment
  http://patriot.net/~kurt/IEEE-IC-Gutzmann.pdf     (as published)
  http://patriot.net/~kurt/ieee/                    (html; as sub'd for pub)

The overall mechanism described therein for web single sign-on is not
particularly unique, but it is useful, it seems to me, in that it is
vendor-neutral and accessible.

I'd recalled it going into more detail about the structure of so-called
"tickets" (e.g. subcomponent sizes and ticket/cookie sizes) but it apparently
doesn't. 

For the SAML Security & Privacy Considerations perspective, the article provides
a reasonably detailed "attacks and defenses" analysis, which ought to be fairly
applicable to any "cookie and/or URL"-based HTTP state/session management
approach, and thus is a starting point for at least one aspect of that
subgroup's work. 

JeffH



