[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: "binding" assertions to business payloads
What I should have said is that the output document would be another purchase order and hence not a SAML auth assertion. However it could very well be an assertion. The SAML assertion 'container' would IMNSHO be a usefull building block for that type of message set. The <Claims> would be different and possibly invclude different <Conditions> but the basic processing principles could be carried over. Phill Phillip Hallam-Baker FBCS C.Eng. Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 > -----Original Message----- > From: Krishna Sankar [mailto:ksankar@cisco.com] > Sent: Monday, May 07, 2001 1:23 PM > To: Philip Hallam-Baker; Heather_Hinton@tivoli.com > Cc: 'Mishra, Prateek'; ''oasis sstc' '; > security-bindings@lists.oasis-open.org > Subject: RE: "binding" assertions to business payloads > > > Philip et al, > > I agree that Case (1) is a SAML application. But the > e-mail said it is out > of scope which I disagreed. Thanks for clarification. > > > > > Case (1) is out of scope since it is simply another > purchase order. > > BTW, purchase order is just an example. So dismissing > it as a purchase > order specific is not going to help. The point is, element > level (or more > generally block level) assertions in business documents. As > we all know, > currently there are no "assertions" in business documents, > just attributes. > The assertion, in a very loose manner, is the whole document. > Hopefully we > could evangelize the assertions concept at block level. > > cheers > > > -----Original Message----- > > From: Philip Hallam-Baker [mailto:pbaker@verisign.com] > > Sent: Monday, May 07, 2001 9:52 AM > > To: 'Krishna Sankar'; Heather_Hinton@tivoli.com; Philip Hallam-Baker > > Cc: 'Mishra, Prateek'; Philip Hallam-Baker; ''oasis sstc' '; > > security-bindings@lists.oasis-open.org > > Subject: RE: "binding" assertions to business payloads > > > > > > If the application simply obtains a SAML assertion and on that basis > > re-issues the purchase order with a new sig it is simply a > standard SAML > > application with no need to make special provision. The > purchase order > > specific issues would be dealt with in the purchase order > spec - i.e. 'out > > of SAML scope'. > > > > It would only be case 2 that would involve a significantly different > > application of SAML. > > > > Sorry if my phrasing was confusing. > > > > Phillip Hallam-Baker FBCS C.Eng. > > Principal Scientist > > VeriSign Inc. > > pbaker@verisign.com > > 781 245 6996 x227 > > > > > > > -----Original Message----- > > > From: Krishna Sankar [mailto:ksankar@cisco.com] > > > Sent: Monday, May 07, 2001 12:39 PM > > > To: Heather_Hinton@tivoli.com; Philip Hallam-Baker > > > Cc: 'Mishra, Prateek'; Philip Hallam-Baker; ''oasis sstc' '; > > > security-bindings@lists.oasis-open.org > > > Subject: RE: "binding" assertions to business payloads > > > > > > > > > Hi all, > > > > > > As far as I know, RosettaNet is silent on authorization. > > > > > > The RNO has the signature of the sender which *could* > > > aid case (2). But > > > usually the signature (and encryption) is for achieving the > > > security across > > > the wire and possibly for non-repudiation and *not* for > authorization. > > > > > > Re Prateek's point, I would say Case (1) is more in > > > line with our charter. > > > We could help standards like RosettaNet to add this > > > capability to "normal" > > > purchase orders. > > > > > > cheers > > > > > > > -----Original Message----- > > > > From: Heather_Hinton@tivoli.com > [mailto:Heather_Hinton@tivoli.com] > > > > Sent: Monday, May 07, 2001 9:19 AM > > > > To: Philip Hallam-Baker > > > > Cc: 'Mishra, Prateek'; Philip Hallam-Baker; ''oasis sstc' '; > > > > 'security-bindings@lists.oasis-open.org' > > > > Subject: RE: "binding" assertions to business payloads > > > > > > > > > > > > It occurs to me that the example given below is covered by > > > the RosettaNet > > > > standards. I will see if I can find anything there that is > > > of interest. In > > > > the meantime, check out www.rosettanet.org > > > > > > > > heather > > > > > > > > Heather Hinton, > > > > Senior Security Architect > > > > Tivoli SecureWay > > > > IBM Corporation > > > > hhinton@tivoli.com > > > > (tel) +1(512)436-1538 > > > > > > > > > > > > Philip Hallam-Baker <pbaker@verisign.com> on 05/07/2001 > 10:11:31 AM > > > > > > > > To: "'Mishra, Prateek'" <pmishra@netegrity.com>, Philip > > > Hallam-Baker > > > > <pbaker@verisign.com>, "''oasis sstc' '" > > > > <security-services@lists.oasis-open.org> > > > > cc: "'security-bindings@lists.oasis-open.org'" > > > > <security-bindings@lists.oasis-open.org> > > > > Subject: RE: "binding" assertions to business payloads > > > > > > > > > > > > > > > > > > > > This type of 'Purchasing workflow' type application > > > involves pieces that > > > > are > > > > out of scope but is definitely important. > > > > > > > > > > > > The way I would see the workflow going is as follows > > > > > > > > Alice creates a purchase order > > > > > > > > <PO> > > > > <Item>Paperclips > > > > <Qty>1000 > > > > <Amount>1,992 USD > > > > <Signature> > > > > <Alice> > > > > > > > > > > > > There are two ways that this PO could then be authorized > > > > > > > > 1) Query to see if Alice is Authorized to purchase 1000 > > > paperclips at the > > > > stated price. This will by necessity involve some complex > > > policy/business > > > > logic. > > > > > > > > <SAML> > > > > ... > > > > <Claims> > > > > <Subject> > > > > [Alice...] > > > > <Object> > > > > <Resource>[Purchase up to $5000] > > > > <Conditions> > > > > [Online check she is not overspent] > > > > > > > > 2) Alice gets the PO countersigned by a party that has (largely) > > > > unrestricted signature powers. [Probably a cryptographic > > > signing unit in a > > > > secure facility]. > > > > > > > > At this point what is effectively being created is an > > > authorized purchase > > > > order. The Authorization statement then wants to either 1) > > > restate the > > > > original 'Alice' purchase order or 2) cryptographically > > > bind to it, e.g. > > > > via > > > > a MAC. > > > > > > > > Case (1) is out of scope since it is simply another > purchase order. > > > > > > > > Case (2) is potentially in scope and certainly merits a proof of > > > > extendability. > > > > > > > > I think the case implies that the <Subject> of the > > > authorization would be > > > > the purchase order. The consistent means of specification > > > would be as a > > > > link > > > > with a cryptographic digest - perhaps reusing the XML > > > signature manifest > > > > package. > > > > > > > > Alternatively since the entire assertion is signed the > > > Authorization could > > > > restate the purchase order as an advice element. > > > > > > > > Phill > > > > > > > > > > > > > > > > Phillip Hallam-Baker FBCS C.Eng. > > > > Principal Scientist > > > > VeriSign Inc. > > > > pbaker@verisign.com > > > > 781 245 6996 x227 > > > > > > > > > > > > > -----Original Message----- > > > > > From: Mishra, Prateek [mailto:pmishra@netegrity.com] > > > > > Sent: Sunday, May 06, 2001 9:38 PM > > > > > To: 'Philip Hallam-Baker '; ''oasis sstc' ' > > > > > Cc: 'security-bindings@lists.oasis-open.org' > > > > > Subject: "binding" assertions to business payloads > > > > > > > > > > > > > > > One issue discussed in the bindings group con-call > > > > > this past week is that of providing an authentic > binding between > > > > > assertions and business payloads. The following scenario > > > > > is driven off use-case 3 from the requirements document: > > > > > > > > > > End-user Ravi utilizes an authentication service > > > > > and obtains assertions ("Ravi is an employee of > > > > > Company X at the supervisor level") > > > > > which he packages with a business > > > > > payload ("Buy 100 paper clips") to create a composite package. > > > > > One way to ensure authenticity is to have Ravi sign > the composite > > > > > package with his private key. When the recipient receives the > > > > > package, the recipient can check to see if the package has > > > > > been tampered with. If not, the recipient can scrutinize the > > > > > assertions and appropriately process the business payload. > > > > > > > > > > The concern here is with a MITM attack: attacker John > intercepts > > > > > the package and packages the assertion with a completely > > > > > different payload ("Buy 1000 computers"), signs the composite > > > > > package and forwards it to the recipient. > > > > > > > > > > In order to avoid an MITM attack, it seems necessary that the > > > > > assertion should include Ravi's public key (or more generally > > > > > <dsig:keyinfo>) within the assertion. When the composite > > > > > package arrives at the recipient, she can validate > > > > > the signature using the public key found within the > > > > > assertion. This ensures that only the > > > > > original ``holder'' of the assertion could have bound it to > > > > > the payload. > > > > > > > > > > It is not clear to me how this is handled > > > > > within the current assertion structure. Obviously, > > > > > this issue is fairly key to the bindings group; some > > > > > clarification is required in this space. > > > > > > > > > > > > > > > - prateek > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > > To unsubscribe from this elist send a message with > the single word > > > > > "unsubscribe" in the body to: > > > > > security-services-request@lists.oasis-open.org > > > > > > > > > > > > > > > > > (See attached file: Phillip Hallam-Baker (E-mail).vcf) > > > > > > > > > > > >
Phillip Hallam-Baker (E-mail).vcf
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC