OASIS Mailing List Archives
security-services message



Subject: Re: Contradictory requirements?


>>>>> "TM" == Tim Moses <tim.moses@entrust.com> writes:

    TM> Evan - It sounds like you don't really believe in the second
    TM> of your two proposals.

It was a straw man argument, thrown up to be beaten down. B-)

    TM> So, let's look only at the first.  My problem with it is in
    TM> the last line:

    TM>  "etc., etc., etc."

    TM> Web server n gets Ticket 1 (which does not contain an
    TM> authenticator), issued by Web server 1, from Web server n-1.

Sorry, but I think you misread that. Web Server N gets Ticket N-1 from
Web Server N-1. It requests an AuthC Assertion from Web Server N-1 and
gets AuthC Assertion 1 (made by Web Server 1, the original
authenticator).

    TM> It has no idea where the ticket has been between Web server 1
    TM> and Web server n-1.  So, it has no way of judging whether it
    TM> is still associated with the same browser.

    TM>  It must blindly trust all intermediaries, without knowing who
    TM> they are (or even how many they are).

No, it only has to trust N-1 (for the ticket), and 1 (for the
assertion). That's the only one it has dealings with.

~ESP

-- 
Evan Prodromou, Senior Architect        eprodromou@securant.com
Securant Technologies, Inc.             415-856-9551
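The chain that the reply describes (Web Server 1 authenticates the browser and mints AuthC Assertion 1 and Ticket 1; every later Web Server N accepts Ticket N-1, asks Web Server N-1 for the assertion, and issues its own Ticket N) simulated end to end. This is an added illustration written for this archive page, not code from the thread, from Securant or from the SAML work; the field names, the HMAC-SHA256 stand-in for a signature, the in-process DIRECTORY that stands in for contacting Web Server N-1, and the constructed subject "alice" are all assumptions. It shows the trust split the reply states: server N holds verification material for N-1 (tickets) and for 1 (assertions) and for nobody else, so a ticket that skips a hop, or an assertion an intermediary has altered, is refused.

```python
import hashlib
import hmac
import json
import secrets

DIRECTORY = {}  # name -> WebServer; stands in for "request the assertion from Web Server N-1"


def _tag(key, body):
    """HMAC-SHA256 over a canonical JSON encoding; stand-in for a digital signature."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _valid(key, msg):
    return hmac.compare_digest(_tag(key, msg["body"]), msg["tag"])


class WebServer:
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)  # this server's "signing" key (assumed, symmetric)
        self.ticket_issuers = {}            # whose tickets we accept: name -> verification key
        self.authenticators = {}            # whose assertions we accept: name -> verification key
        self.issued = {}                    # our ticket_id -> the assertion behind it
        DIRECTORY[name] = self

    def authenticate(self, subject):
        """Web Server 1 only: authenticate the browser, mint AuthC Assertion 1, issue Ticket 1."""
        body = {"issuer": self.name, "subject": subject}
        return self._issue_ticket({"body": body, "tag": _tag(self.key, body)})

    def _issue_ticket(self, assertion):
        body = {"issuer": self.name, "ticket_id": secrets.token_hex(8)}
        self.issued[body["ticket_id"]] = assertion
        return {"body": body, "tag": _tag(self.key, body)}

    def assertion_for(self, ticket_id):
        """Answer the next server's request: hand back the assertion behind one of our tickets."""
        return self.issued[ticket_id]

    def accept(self, ticket):
        """Web Server N receives Ticket N-1: check N-1's ticket, fetch and check Assertion 1."""
        issuer = ticket["body"]["issuer"]
        if issuer not in self.ticket_issuers or not _valid(self.ticket_issuers[issuer], ticket):
            raise PermissionError(f"{self.name}: ticket not from the trusted predecessor")
        assertion = DIRECTORY[issuer].assertion_for(ticket["body"]["ticket_id"])
        auth = assertion["body"]["issuer"]
        if auth not in self.authenticators or not _valid(self.authenticators[auth], assertion):
            raise PermissionError(f"{self.name}: assertion not from the trusted authenticator")
        return assertion["body"]["subject"], self._issue_ticket(assertion)


def build_chain(n):
    """ws1..wsN, where each wsN trusts exactly ws(N-1) for tickets and ws1 for assertions."""
    servers = [WebServer(f"ws{i}") for i in range(1, n + 1)]
    for i in range(1, n):
        servers[i].ticket_issuers[servers[i - 1].name] = servers[i - 1].key
        servers[i].authenticators[servers[0].name] = servers[0].key
    return servers


def run_chain(n, subject="alice"):
    """Walk the browser through ws1..wsN; return the subject each server accepted."""
    servers = build_chain(n)
    ticket = servers[0].authenticate(subject)
    accepted = []
    for s in servers[1:]:
        subj, ticket = s.accept(ticket)
        accepted.append(subj)
    return accepted


def skipped_hop_rejected(n=4):
    """Ticket 2 presented straight to ws4 (bypassing ws3) must be refused."""
    servers = build_chain(n)
    _, ticket2 = servers[1].accept(servers[0].authenticate("alice"))
    try:
        servers[3].accept(ticket2)
    except PermissionError:
        return True
    return False


def tampered_assertion_rejected(n=3):
    """ws2 rewrites the subject on the assertion it forwards; ws3 checks ws1's tag and refuses."""
    servers = build_chain(n)
    _, ticket2 = servers[1].accept(servers[0].authenticate("alice"))
    servers[1].issued[ticket2["body"]["ticket_id"]]["body"]["subject"] = "mallory"
    try:
        servers[2].accept(ticket2)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_chain(4), skipped_hop_rejected(), tampered_assertion_rejected())
```

Note what the simulation does and does not establish: server N can tell that the ticket came from N-1 and that the assertion was made by 1, but neither the ticket nor the assertion records which servers handled them between 1 and N-1, which is the gap the two sides of the thread are arguing about.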


