Subject: [Issue] DNS Name in AuthN Assertion?
In most cases in adding issues to draft-sstc-saml-issues-05.doc I used text provided by others. In a few cases, I added substantial new text which has never been posed to the mailing list. As a courtesy to those who don't wish to plow through the entire issues list, I am posting it retroactively.

Hal

ISSUE: [DS-7-05: AuthN DNS Name]

Should the AuthN Assertion contain an (optional) DNS name, distinct from the DNS name indicating the security domain of the Subject? If so, what are the semantics of this field?

An obvious answer is that the DNS name is the result of doing a reverse lookup on the IP Address from which the Authentication was done. This suggests that there is a relationship between this issue and DS-7-04. Presumably if the IP Address is not included in the specification, this field will not be either. However, if IP Address is included, DNS name might still not be.

The DNS name in the subject represents the security domain that knows how to authenticate this subject. The DNS name of authentication would reflect the location from which the Authentication was done. These will often be different from each other.

This value might be used for AuthZ decisions or Audit. Of course, a reverse lookup could be done on the IP Address at a later time, but the result might be different. Like the IP Address, the DNS name is not authenticated and could be spoofed, either by spoofing the IP Address or impersonating a legitimate DNS server.

This was identified as F2F#3-13.
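The following is an added example, not code from the posting or from the SAML specification, that models the proposal above: an authentication statement carrying an optional IP address plus the reverse-lookup name captured at authentication time, and a consumer-side audit that treats that name as unauthenticated data. The class and function names (AuthenticationStatement, issue_statement, audit_statement, make_stub_resolvers), the stub resolver interface and the sample addresses and host names (192.0.2.x, example.com) are all assumptions constructed for the illustration.

```python
"""Added example: an optional authentication DNS name as discussed in DS-7-05.

Every name below is hypothetical; the resolver stubs and the sample hosts are
constructed so the example runs offline. The OS-backed resolvers are provided
only to show where real lookups would plug in.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Resolver function shapes: ip -> PTR name (or None), name -> list of A/AAAA addresses.
ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def system_reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver (needs network; not used by the tests)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward_lookup(name: str) -> List[str]:
    """Forward lookup through the OS resolver (needs network; not used by the tests)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


@dataclass(frozen=True)
class AuthenticationStatement:
    subject: str
    subject_domain: str            # security domain that knows how to authenticate the subject
    auth_ip: Optional[str]         # address the authentication came from; not authenticated
    auth_dns_name: Optional[str]   # reverse lookup of auth_ip at issue time; not authenticated


def issue_statement(subject: str, subject_domain: str, auth_ip: Optional[str],
                    reverse_lookup: ReverseLookup = system_reverse_lookup) -> AuthenticationStatement:
    """Issuer side: capture the reverse-lookup result at authentication time.

    If no IP address is carried, no DNS name is carried either, mirroring the
    dependency on DS-7-04 described in the posting.
    """
    name = reverse_lookup(auth_ip) if auth_ip else None
    return AuthenticationStatement(subject, subject_domain, auth_ip, name)


def audit_statement(stmt: AuthenticationStatement,
                    reverse_lookup: ReverseLookup = system_reverse_lookup,
                    forward_lookup: ForwardLookup = system_forward_lookup) -> List[str]:
    """Relying-party side: consistency findings for the audit log (empty = consistent).

    Nothing here authenticates the name. The checks only surface two things the
    posting warns about: the reverse lookup may give a different answer later,
    and the field can be spoofed, so it should not be trusted more than the IP.
    """
    findings: List[str] = []
    if stmt.auth_dns_name is None:
        return findings
    if stmt.auth_ip is None:
        findings.append("dns name carried without an ip address")
        return findings
    current = reverse_lookup(stmt.auth_ip)
    if current != stmt.auth_dns_name:
        findings.append(f"reverse lookup now yields {current!r}, assertion says {stmt.auth_dns_name!r}")
    if stmt.auth_ip not in forward_lookup(stmt.auth_dns_name):
        findings.append("asserted dns name does not forward-resolve to the authentication ip")
    return findings


def make_stub_resolvers(reverse: Dict[str, str],
                        forward: Dict[str, List[str]]) -> Tuple[ReverseLookup, ForwardLookup]:
    """Constructed in-memory resolvers standing in for DNS."""
    return (lambda ip: reverse.get(ip), lambda name: forward.get(name, []))


if __name__ == "__main__":
    # Constructed DNS state at authentication time.
    rev, fwd = make_stub_resolvers({"192.0.2.10": "ws17.example.com"},
                                   {"ws17.example.com": ["192.0.2.10"]})
    stmt = issue_statement("alice", "idp.example.com", "192.0.2.10", reverse_lookup=rev)
    print(stmt, audit_statement(stmt, rev, fwd))
    # Constructed DNS state later: the PTR record for the address has changed.
    rev2, fwd2 = make_stub_resolvers({"192.0.2.10": "other.example.net"},
                                     {"other.example.net": ["192.0.2.10"],
                                      "ws17.example.com": ["192.0.2.99"]})
    print(audit_statement(stmt, rev2, fwd2))
```

The subject's security domain (idp.example.com in the sample) and the authentication host name (ws17.example.com) are kept as separate fields, as the posting argues they usually differ; the audit step compares only the authentication name against the address it was derived from.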