OASIS Mailing List Archives
security-services message



Subject: Re: Indexical reference problem defined


Carlisle,

>>and oasis.org which doesn't permit session splicing, token-stealing, and 
>>other attacks, and which doesn't 
>>require new client software. 
 
> This is precisely why many people find public key technology attractive.
> "Set up a session for whoever can authenticate to you using a private key
> that corresponds to this public-key certificate" solves the indexical problem
> without the possibility of session splicing, token stealing, or similar attacks.
> Furthermore, it does not remove SSO (because SSO only matters from
> the perspective of the human user -- they don't want to have to re-enter a
> password or whatever; the machine they're using can re-authenticate every
> second if necessary and the human user will still think they've got SSO).

> The downside, of course, is that client software may be required to do the P-K authentication.

IMHO the real downside is that PKI for individuals associated with
organizations and roles is likely to lead (in actual use, not PKI theory)
to one CA root for every organization, while assertions signed by
organizations may require only one TTP CA root per 10,000,000 organizations.
The former is a major deployment issue!

To become a part of a larger CA hierarchy is only something the public
sector actually seems willing to do (on a wider scale).  By doing that they
also lose control, archiving support, etc., which the SAML
Domain-Security model supports at its core.  That's why I believe that
SAML is largely independent of progress in client-side PKI support.

SAML assertions may also replace the need for public directories holding
attribute certificates, as the assertions "do it all".  Could, at least.

Regarding theft of references, there is a possible SSL attack (and solution)
that I have described on this very list and have gotten two private answers to:
 1. You must use client-side PK.
 2. There is no possible attack on SSL.
Both are wrong IMO.

http://lists.oasis-open.org/archives/security-services/200104/msg00024.html

Anders
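The session-binding idea in Carlisle's quoted paragraph ("set up a session for whoever can authenticate to you using a private key that corresponds to this public-key certificate"), worked through as an added example. This is not code from the original thread, from OASIS, or from any SAML implementation; it is a Go sketch using only the standard library. The assertion format, the "example-org"/"alice" names, and the domain-separation labels are assumptions made for the example. The organization signs an assertion that names the user's public key, the service provider checks that one organization signature, and then the session is granted only to a party that proves possession of the named private key by signing a fresh nonce. A copy of the assertion taken off the wire is therefore useless to whoever copied it, which is the property the thread contrasts with stealable session references, and the user's key needs no certificate chain of its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is a hypothetical stand-in for a SAML authentication assertion: the
// issuing organization states that Subject controls the key in SubjectPub (PKIX DER).
type Assertion struct {
	Issuer     string `json:"issuer"`
	Subject    string `json:"subject"`
	SubjectPub []byte `json:"subject_pub"`
}

// SignedAssertion is the encoded assertion plus the org's ECDSA (ASN.1) signature over it.
type SignedAssertion struct {
	Body, Sig []byte
}

// Labels domain-separate the two kinds of signature made in this example (assumed values).
var assertLabel, proofLabel = []byte("assertion-v1"), []byte("session-proof-v1")

func digest(label, data []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, label...), data...))
	return d[:]
}

// NewKey makes a P-256 key pair (constructed for the example; an org would use an HSM).
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not return errors on supported platforms
	return k
}

// IssueAssertion is the organization's side: one signature with the org key vouches
// for the user's key, so the user needs no certificate chain of their own.
func IssueAssertion(orgKey *ecdsa.PrivateKey, issuer, subject string, userPub *ecdsa.PublicKey) (SignedAssertion, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(userPub)
	if err != nil {
		return SignedAssertion{}, err
	}
	body, _ := json.Marshal(Assertion{Issuer: issuer, Subject: subject, SubjectPub: pubDER}) // cannot fail here
	sig, err := ecdsa.SignASN1(rand.Reader, orgKey, digest(assertLabel, body))
	return SignedAssertion{Body: body, Sig: sig}, err
}

// VerifyAssertion checks the one trusted organization key and returns the subject key it vouches for.
func VerifyAssertion(orgPub *ecdsa.PublicKey, sa SignedAssertion) (*Assertion, *ecdsa.PublicKey, error) {
	if !ecdsa.VerifyASN1(orgPub, digest(assertLabel, sa.Body), sa.Sig) {
		return nil, nil, errors.New("assertion signature invalid")
	}
	var a Assertion
	jsonErr := json.Unmarshal(sa.Body, &a)
	pub, _ := x509.ParsePKIXPublicKey(a.SubjectPub)
	ecPub, ok := pub.(*ecdsa.PublicKey) // false if parsing failed or the key is not EC
	if jsonErr != nil || !ok {
		return nil, nil, errors.New("malformed assertion or subject key")
	}
	return &a, ecPub, nil
}

// KeyProver is the client's side of the challenge: sign the SP's nonce with the user key.
func KeyProver(userKey *ecdsa.PrivateKey) func(nonce []byte) ([]byte, error) {
	return func(nonce []byte) ([]byte, error) {
		return ecdsa.SignASN1(rand.Reader, userKey, digest(proofLabel, nonce))
	}
}

// EstablishSession is the service provider's side: verify the assertion, then bind the
// session to a fresh proof of possession of the asserted key. A copy of the assertion
// taken off the wire is worthless to an attacker who lacks that key.
func EstablishSession(orgPub *ecdsa.PublicKey, sa SignedAssertion, prove func([]byte) ([]byte, error)) (string, error) {
	a, userPub, err := VerifyAssertion(orgPub, sa)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sig, err := prove(nonce)
	if err != nil || !ecdsa.VerifyASN1(userPub, digest(proofLabel, nonce), sig) {
		return "", errors.New("proof of key possession failed")
	}
	return a.Subject, nil
}

func main() {
	orgKey, userKey, thiefKey := NewKey(), NewKey(), NewKey()
	sa, _ := IssueAssertion(orgKey, "example-org", "alice", &userKey.PublicKey)
	fmt.Println(EstablishSession(&orgKey.PublicKey, sa, KeyProver(userKey)))
	fmt.Println(EstablishSession(&orgKey.PublicKey, sa, KeyProver(thiefKey)))
}
```

The service provider holds exactly one verification key, the organization's, and never sees a per-user certificate; the user key lives only inside the organization-signed assertion. The nonce is generated fresh by the service provider for every session and is signed under a label distinct from the one used for assertion bodies, so a signature captured in one exchange cannot be replayed as either an assertion or a later proof.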



