security-services message


Subject: [Issue] DNS Name in AuthN Assertion?

In most cases in adding issues to draft-sstc-saml-issues-05.doc I used text
provided by others. In a few cases, I added substantial new text which has
never been posed to the mailing list. As a courtesy to those who don't wish
to plow through the entire issues list, I am posting it retroactively.


ISSUE:[DS-7-05: AuthN DNS Name]

Should the AuthN Assertion contain an (optional) DNS name, distinct from the
DNS name indicating the security domain of the Subject? If so, what are the
semantics of this field?

An obvious answer is that the DNS name is the result of doing a reverse
lookup on the IP Address from which the Authentication was done. This
suggests that there is a relationship between this issue and DS-7-04.
Presumably if the IP Address is not included in the specification, this
field will not be either. However if IP Address is included, DNS name might
still not be.

The DNS name in the subject represents the security domain that knows how to
authenticate this subject. The DNS name of authentication would reflect the
location from which the Authentication was done. These will often be
different from each other.

This value might be used for AuthZ decisions or Audit. Of course, a reverse
lookup could be done on the IP Address at a later time, but the result might
be different. Like the IP Address, the DNS name is not authenticated and
could be spoofed, either by spoofing the IP Address or impersonating a
legitimate DNS server.

This was identified as F2F#3-13.
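As an added illustration of the caveat raised above (my own example, not part of the original message or the SAML issues draft): a relying party that receives an assertion carrying both an IP address and a DNS name can compare the asserted name with its own reverse lookup at receipt time and require forward confirmation, but the result is only audit material, since neither value is authenticated by the assertion. The SubjectLocality element and its IPAddress/DNSName attributes, the sample assertion and the resolver tables are all constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed resolver tables standing in for PTR (reverse) and A (forward)
# records so the check runs offline; a deployment would query real DNS here.
PTR_TABLE = {"192.0.2.10": "host10.example.net"}
A_TABLE = {"host10.example.net": {"192.0.2.10"},
           "trusted.example.org": {"203.0.113.5"}}

# Constructed assertion fragment; SubjectLocality/IPAddress/DNSName are assumed names.
SAMPLE = """<Assertion><AuthenticationStatement>
  <Subject><NameIdentifier>alice@example.com</NameIdentifier></Subject>
  <SubjectLocality IPAddress="192.0.2.10" DNSName="host10.example.net"/>
</AuthenticationStatement></Assertion>"""
SPOOFED = SAMPLE.replace('DNSName="host10.example.net"', 'DNSName="trusted.example.org"')

@dataclass
class LocalityCheck:
    ip: str
    asserted_dns: Optional[str]
    ptr_now: Optional[str]    # what the relying party's own reverse lookup says now
    forward_confirmed: bool   # asserted name resolves back to the asserted address
    consistent: bool          # name may be cited in audit records as corroborated

def check_locality(assertion_xml, ptr=PTR_TABLE, a=A_TABLE):
    """Compare the asserted IP/DNS pair with what the relying party observes.
    The output is audit material: nothing here authenticates either value."""
    loc = ET.fromstring(assertion_xml).find(".//SubjectLocality")
    ip = loc.get("IPAddress")
    ipaddress.ip_address(ip)  # reject malformed addresses early
    asserted = loc.get("DNSName")
    ptr_now = ptr.get(ip)
    # A PTR record alone is controlled by whoever runs the reverse zone, so also
    # require the asserted name to resolve forward to the asserted address.
    fcrdns = asserted is not None and ip in a.get(asserted, set())
    consistent = fcrdns and asserted == ptr_now
    return LocalityCheck(ip, asserted, ptr_now, fcrdns, consistent)

def audit_line(subject, check):
    """Record both the asserted name and the name observed now; the two can
    diverge over time even without spoofing, so the log keeps both."""
    status = "corroborated" if check.consistent else "UNVERIFIED"
    return (f"authn subject={subject} ip={check.ip} asserted_dns={check.asserted_dns} "
            f"ptr_now={check.ptr_now} dns_status={status}")

if __name__ == "__main__":
    for doc in (SAMPLE, SPOOFED):
        print(audit_line("alice@example.com", check_locality(doc)))
```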
