OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: Contradictory requirements?

>>>>> "TM" == Tim Moses <tim.moses@entrust.com> writes:

    TM> Evan - It sounds like you don't really believe in the second
    TM> of your two proposals.

It was a straw man argument, thrown up to be beaten down. B-)

    TM> So, let's look only at the first.  My problem with it is in
    TM> the last line:

    TM>  "etc., etc., etc."

    TM> Web server n gets Ticket 1 (which does not contain an
    TM> authenticator), issued by Web server 1, from Web server n-1.

Sorry, but I think you misread that. Web Server N gets Ticket N-1 from
Web Server N-1. It requests an AuthC Assertion from Web Server N-1 and
gets AuthC Assertion 1 (made by Web Server 1, the original

    TM> It has no idea where the ticket has been between Web server 1
    TM> and Web server n-1.  So, it has no way of judging whether it
    TM> is still associated with the same browser.

    TM>  It must blindly trust all intermediaries, without knowing who
    TM> they are (or even how many they are).

No, it only has to trust N-1 (for the ticket), and 1 (for the
assertion). That's the only one it has dealings with.


Evan Prodromou, Senior Architect        eprodromou@securant.com
Securant Technologies, Inc.             415-856-9551

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC