Subject: RE: Indexical reference problem defined
Hi,
Very clear explanation.
----------
From: George_Robert_Blakley_III@tivoli.com[SMTP:George_Robert_Blakley_III@tivoli.com]
Sent: Monday, April 23, 2001 10:16 AM
To: Pilz, Gilbert
Cc: security-services@lists.oasis-open.org
Subject: Indexical reference problem defined
(...some text deleted...)
Thus we're left with an indexical reference.
But this is also very hard. "Set up a session for him" won't work out of the box -- ibm.com and oasis.org don't share a context, since I'm not currently in contact with oasis.org, so "him" has no meaning to oasis.org.
The indexical reference problem, therefore, is to figure out how to create a shared context between ibm.com and oasis.org which doesn't permit session splicing, token-stealing, and other attacks, and which doesn't require new client software.
This is precisely why many people find public key technology attractive. "Set up a session for whoever can authenticate to you using a private key that corresponds to this public-key certificate" solves the indexical problem without the possibility of session splicing, token stealing, or similar attacks. Furthermore, it does not remove SSO (because SSO only matters from the perspective of the human user -- they don't want to have to re-enter a password or whatever; the machine they're using can re-authenticate every second if necessary and the human user will still think they've got SSO).
The downside, of course, is that client software may be required to do the P-K authentication.
Carlisle.
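The public-key answer to the indexical reference problem, written out as an added example that is not part of this thread or of any OASIS specification: a CA both sites trust certifies the user's public key, and oasis.org creates a session only for a party that proves possession of the matching private key against a fresh nonce. The RSA here is a textbook toy over tiny fixed primes, and the subject name and nonce sizes are constructed for illustration.

```python
import hashlib, json, secrets
def toy_keypair(p, q, e=65537):
    # TOY textbook RSA over tiny fixed primes: enough to show the protocol, useless for real security.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def issue_cert(ca_priv, subject, pub):
    # A CA both parties trust binds the subject name to a public key; this is the only shared context.
    body = json.dumps({"subject": subject, "key": pub}).encode()
    return body, sign(ca_priv, body)

class RelyingParty:
    """oasis.org: a session is created only for whoever proves possession of the certified key."""
    def __init__(self, ca_pub):
        self.ca_pub, self.sessions = ca_pub, {}
    def challenge(self):
        return secrets.token_bytes(16)  # fresh nonce per attempt, so an old proof cannot be spliced in
    def establish_session(self, cert, nonce, proof):
        body, ca_sig = cert
        if not verify(self.ca_pub, body, ca_sig):
            return None                      # certificate was not issued by a CA we trust
        claims = json.loads(body)
        if not verify(tuple(claims["key"]), nonce, proof):
            return None                      # presenter holds the token but not the private key
        sid = secrets.token_hex(8)
        self.sessions[sid] = claims["subject"]
        return sid

def demo():
    ca_pub, ca_priv = toy_keypair(104729, 1299709)
    user_pub, user_priv = toy_keypair(1000003, 999983)
    cert = issue_cert(ca_priv, "gilbert@ibm.com", user_pub)   # constructed sample subject
    rp = RelyingParty(ca_pub)
    nonce = rp.challenge()
    sid = rp.establish_session(cert, nonce, sign(user_priv, nonce))      # genuine holder: session
    replayed = rp.establish_session(cert, rp.challenge(), sign(user_priv, nonce))  # stolen cert + old proof
    _, thief_priv = toy_keypair(104729, 999983)                           # stolen cert + attacker's key
    forged = rp.establish_session(cert, nonce, sign(thief_priv, nonce))
    return rp.sessions.get(sid), replayed, forged
```

Because the client machine answers each challenge automatically, the human user never re-enters anything, which is the SSO point made above.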