Subject: Re: Indexical reference problem defined
Carlisle.

>> and oasis.org which doesn't permit session splicing, token-stealing, and
>> other attacks, and which doesn't require new client software.
>
> This is precisely why many people find public key technology attractive.
> "Set up a session for whoever can authenticate to you using a private key
> that corresponds to this public-key certificate" solves the indexical problem
> without the possibility of session splicing, token stealing, or similar attacks.
> Furthermore, it does not remove SSO (because SSO only matters from
> the perspective of the human user -- they don't want to have to re-enter a
> password or whatever; the machine they're using can re-authenticate every
> second if necessary and the human user will still think they've got SSO).
> The downside, of course, is that client software may be required to do the
> P-K authentication.

IMHO the real downside is that PKI for individuals associated with organizations and roles is likely to lead to (in actual use, not PKI theory) one CA root for every organization, while assertions signed by organizations may only require one TTP CA root per 10000000 organizations. The former is a major deployment issue! To become a part of a larger CA hierarchy is only something the public sector actually seems willing to do (on a wider scale). By doing that they also lose control, archiving support etc., which the SAML Domain-Security model supports at its core.

That's why I believe that SAML is largely independent of progress in client-side PKI support. SAML assertions may also replace the need for public directories holding attribute certificates as the assertions "do it all". Could at least.

Regarding theft of references there is a possible SSL attack (and solution) that I have described in this very list and gotten two private answers on:

1. You must use client-side PK
2. There is no possible attack on SSL.

Both are wrong IMO.

http://lists.oasis-open.org/archives/security-services/200104/msg00024.html

Anders
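The contrast the thread draws, between a session indexed by an opaque reference (which anyone who copies the reference can present) and a session opened by proving possession of a private key matching an enrolled public key, is shown below as an added example. It is not code from the list, from SAML, or from either poster; the servers, the user name "alice", the Ed25519 key standing in for a public-key certificate, and the "session-auth:" context label are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// BearerServer indexes sessions by an opaque reference. Presenting the
// reference is all it takes: whoever holds it is treated as the user.
type BearerServer struct{ sessions map[string]string }

func NewBearerServer() *BearerServer { return &BearerServer{sessions: map[string]string{}} }

// Login issues a fresh random reference and binds it to user.
func (s *BearerServer) Login(user string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ref := hex.EncodeToString(buf)
	s.sessions[ref] = user
	return ref, nil
}

// Resolve maps a presented reference to a user; a copied reference resolves too.
func (s *BearerServer) Resolve(ref string) (string, bool) {
	u, ok := s.sessions[ref]
	return u, ok
}

// HOKServer (holder-of-key) keeps one enrolled public key per user (standing in
// for the certificate in the quoted text) and one single-use challenge per user.
type HOKServer struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewHOKServer() *HOKServer {
	return &HOKServer{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *HOKServer) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge hands out a fresh nonce the client must sign to open a session.
func (s *HOKServer) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// ChallengeMessage is what gets signed: a context label, the user and the nonce,
// so the signature is tied to this purpose and this particular session attempt.
func ChallengeMessage(user string, nonce []byte) []byte {
	return []byte("session-auth:" + user + ":" + hex.EncodeToString(nonce))
}

// Authenticate verifies the signature over the outstanding nonce and consumes
// it, so a response copied off the wire is useless once the nonce is gone.
func (s *HOKServer) Authenticate(user string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	nonce, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge: replay or never challenged")
	}
	delete(s.challenges, user) // single use
	if !ed25519.Verify(pub, ChallengeMessage(user, nonce), sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

// BearerReplaySucceeds shows the indexical weakness: a reference observed once
// (constructed scenario) still resolves to alice when presented by someone else.
func BearerReplaySucceeds() bool {
	srv := NewBearerServer()
	ref, err := srv.Login("alice")
	if err != nil {
		return false
	}
	copied := ref // nothing ties the reference to who presents it
	user, ok := srv.Resolve(copied)
	return ok && user == "alice"
}

// HOKReplayRejected shows the holder-of-key fix: alice's signed response opens
// one session, and presenting the same response a second time is refused.
func HOKReplayRejected() bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false
	}
	srv := NewHOKServer()
	srv.Enroll("alice", pub)
	nonce, err := srv.Challenge("alice")
	if err != nil {
		return false
	}
	resp := ed25519.Sign(priv, ChallengeMessage("alice", nonce))
	first := srv.Authenticate("alice", resp)  // genuine client: accepted
	replay := srv.Authenticate("alice", resp) // copied response: rejected
	return first == nil && replay != nil
}

func main() {
	fmt.Println("bearer reference replay accepted:", BearerReplaySucceeds())
	fmt.Println("holder-of-key replay rejected:", HOKReplayRejected())
}
```

The point of the single-use challenge is that the server never learns a secret it could leak: it only ever sees signatures over nonces it minted, which is why the quoted text can claim the approach resists token stealing. Anders' deployment objection is untouched by this: every enrolled key still has to be bound to a user by something trusted, which is where the per-organization CA root versus organization-signed assertion question comes in.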