security-services message
Subject: RE: [Issue] DNS Name in AuthN Assertion?


All,

I thought I'd sent this to the list the first time, but I've had lots of
email problems recently.  Here's a reply to an earlier note.


--bob

Bob Blakley (email: blakley@us.tivoli.com   phone: +1 512 436 1564)
Chief Scientist, Security, Tivoli Systems, Inc.

---------------------- Forwarded by George Robert Blakley III/Austin/IBM on 08/20/2001 11:12 AM ---------------------------

Hal Lockhart <hal.lockhart@entegrity.com> on 08/20/2001 08:29:43 AM

Please respond to Hal Lockhart <hal.lockhart@entegrity.com>

To:   George Robert Blakley III/Austin/IBM@IBMUS
cc:
Subject:  RE: [Issue] DNS Name in AuthN Assertion?



Again I suggest you post this to the list.

Hal

> -----Original Message-----
> From: George Robert Blakley III [mailto:blakley@us.tivoli.com]
> Sent: Wednesday, August 15, 2001 6:38 PM
> To: Hal Lockhart
> Subject: Re: [Issue] DNS Name in AuthN Assertion?
>
>
> Hmmmm.....
>
> Until secure DNS is pervasive and all anonymizers etc... are banned, and
> until we're sure that SAML assertions will only be used in
> connection-oriented communications environments, I strongly question the
> utility of supporting this.
>
>
> --bob
>
> Bob Blakley (email: blakley@us.tivoli.com   phone: +1 512 436 1564)
> Chief Scientist, Security, Tivoli Systems, Inc.
>
>
> Hal Lockhart <hal.lockhart@entegrity.com> on 08/15/2001 04:15:47 PM
>
> Please respond to Hal Lockhart <hal.lockhart@entegrity.com>
>
> To:   "'security-services@lists.oasis-open.org'"
>       <security-services@lists.oasis-open.org>
> cc:
> Subject:  [Issue] DNS Name in AuthN Assertion?
>
>
>
> In most cases in adding issues to draft-sstc-saml-issues-05.doc I used text
> provided by others. In a few cases, I added substantial new text which has
> never been posted to the mailing list. As a courtesy to those who don't wish
> to plow through the entire issues list, I am posting it retroactively.
>
> Hal
>
> ISSUE:[DS-7-05: AuthN DNS Name]
>
> Should the AuthN Assertion contain an (optional) DNS name, distinct from the
> DNS name indicating the security domain of the Subject? If so, what are the
> semantics of this field?
>
> An obvious answer is that the DNS name is the result of doing a reverse
> lookup on the IP Address from which the Authentication was done. This
> suggests that there is a relationship between this issue and DS-7-04.
> Presumably if the IP Address is not included in the specification, this
> field will not be either. However if IP Address is included, DNS name might
> still not be.
>
> The DNS name in the subject represents the security domain that knows how to
> authenticate this subject. The DNS name of authentication would reflect the
> location from which the Authentication was done. These will often be
> different from each other.
>
> This value might be used for AuthZ decisions or Audit. Of course, a reverse
> lookup could be done on the IP Address at a later time, but the result might
> be different. Like the IP Address, the DNS name is not authenticated and
> could be spoofed, either by spoofing the IP Address or impersonating a
> legitimate DNS server.
>
> This was identified as F2F#3-13.
>
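As an added illustration (not from this thread or any SAML implementation) of the two uses Hal's issue text distinguishes, the Python below reads the authentication-location IP address and DNS name out of a constructed SAML 1.0 assertion, where SubjectLocality carries them as IPAddress and DNSAddress, records both for audit as unauthenticated values, and only admits the DNS name into an authorization decision when the relying party's own reverse lookup, forward-confirmed, agrees with it. The resolver tables, issuer, identifiers and addresses are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion (hypothetical issuer, ids and addresses): the
# SubjectLocality element carries the IP address (DS-7-04) and the DNS name
# (DS-7-05) of the host from which authentication was performed.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="0" AssertionID="constructed-id-1"
    Issuer="idp.example.net" IssueInstant="2001-08-15T20:15:47Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2001-08-15T20:15:47Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:SubjectLocality IPAddress="198.51.100.23" DNSAddress="ws23.example.org"/>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed resolver tables standing in for real PTR and A lookups so the
# example runs offline; a relying party would query its own resolver instead.
CONSTRUCTED_PTR = {"198.51.100.23": "ws23.example.org", "203.0.113.9": "ws23.example.org"}
CONSTRUCTED_A = {"ws23.example.org": {"198.51.100.23"}}


def subject_locality(assertion_xml):
    """Return (IPAddress, DNSAddress) from the first SubjectLocality, or None."""
    loc = ET.fromstring(assertion_xml).find(f".//{{{SAML1_NS}}}SubjectLocality")
    if loc is None:
        return None
    return loc.get("IPAddress"), loc.get("DNSAddress")


def audit_record(assertion_xml):
    """Audit use: record both values exactly as asserted, flagged as unverified."""
    loc = subject_locality(assertion_xml) or (None, None)
    return {"ip": loc[0], "dns_name": loc[1], "dns_name_verified": False}


def dns_name_usable_for_authz(ip, dns_name, ptr=CONSTRUCTED_PTR, a=CONSTRUCTED_A):
    """Access-control use: the asserted DNS name is not authenticated, so only
    accept it when the relying party's own forward-confirmed reverse lookup
    agrees: PTR(ip) must equal dns_name and A(dns_name) must contain ip."""
    if not ip or not dns_name:
        return False
    if ptr.get(ip) != dns_name:
        return False   # reverse lookup done now differs from the asserted name
    return ip in a.get(dns_name, set())   # a PTR answer alone is not enough
```

The second PTR entry models the "impersonating a legitimate DNS server" case from the issue text: a reverse record pointing at ws23.example.org for an address that name does not resolve to is rejected.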



