Subject: RE: [Issue] DNS Name in AuthN Assertion?
All, I thought I'd sent this to the list the first time, but I've had lots of email problems recently. Here's a reply to an earlier note.

--bob

Bob Blakley (email: blakley@us.tivoli.com phone: +1 512 436 1564)
Chief Scientist, Security, Tivoli Systems, Inc.

---------------------- Forwarded by George Robert Blakley III/Austin/IBM on 08/20/2001 11:12 AM ---------------------------

Hal Lockhart <hal.lockhart@entegrity.com> on 08/20/2001 08:29:43 AM

Please respond to Hal Lockhart <hal.lockhart@entegrity.com>

To: George Robert Blakley III/Austin/IBM@IBMUS
cc:
Subject: RE: [Issue] DNS Name in AuthN Assertion?

Again I suggest you post this to the list.

Hal

> -----Original Message-----
> From: George Robert Blakley III [mailto:blakley@us.tivoli.com]
> Sent: Wednesday, August 15, 2001 6:38 PM
> To: Hal Lockhart
> Subject: Re: [Issue] DNS Name in AuthN Assertion?
>
>
> Hmmmm.....
>
> Until secure DNS is pervasive and all anonymizers etc... are banned, and
> until we're sure that SAML assertions will only be used in connection-oriented
> communications environments, I strongly question the utility of supporting this.
>
>
> --bob
>
> Bob Blakley (email: blakley@us.tivoli.com phone: +1 512 436 1564)
> Chief Scientist, Security, Tivoli Systems, Inc.
>
>
> Hal Lockhart <hal.lockhart@entegrity.com> on 08/15/2001 04:15:47 PM
>
> Please respond to Hal Lockhart <hal.lockhart@entegrity.com>
>
> To: "'security-services@lists.oasis-open.org'"
> <security-services@lists.oasis-open.org>
> cc:
> Subject: [Issue] DNS Name in AuthN Assertion?
>
>
>
> In most cases in adding issues to draft-sstc-saml-issues-05.doc I used text
> provided by others. In a few cases, I added substantial new text which has
> never been posted to the mailing list. As a courtesy to those who don't wish
> to plow through the entire issues list, I am posting it retroactively.
>
> Hal
>
> ISSUE:[DS-7-05: AuthN DNS Name]
>
> Should the AuthN Assertion contain an (optional) DNS name, distinct from the
> DNS name indicating the security domain of the Subject? If so, what are the
> semantics of this field?
>
> An obvious answer is that the DNS name is the result of doing a reverse
> lookup on the IP Address from which the Authentication was done. This
> suggests that there is a relationship between this issue and DS-7-04.
> Presumably if the IP Address is not included in the specification, this
> field will not be either. However if IP Address is included, DNS name might
> still not be.
>
> The DNS name in the subject represents the security domain that knows how to
> authenticate this subject. The DNS name of authentication would reflect the
> location from which the Authentication was done. These will often be
> different from each other.
>
> This value might be used for AuthZ decisions or Audit. Of course, a reverse
> lookup could be done on the IP Address at a later time, but the result might
> be different. Like the IP Address, the DNS name is not authenticated and
> could be spoofed, either by spoofing the IP Address or impersonating a
> legitimate DNS server.
>
> This was identified as F2F#3-13.
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
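The issue text above makes two practical points about a reverse-lookup-derived DNS name: it is not authenticated (whoever controls the reverse zone can publish any PTR), and a lookup repeated at audit time may not return what the issuer saw at authentication time. The example below is added here and is not code from the list, the issues draft, or any SAML implementation. It models both points with constructed PTR and A record tables so it runs offline: a forward-confirmed check (the PTR target must resolve back to the same address) separates a name the issuer can corroborate from one the address owner merely asserted, and a second PTR table shows a later lookup disagreeing with the captured value. The field names IPAddress/DNSAddress, the hostnames and the addresses are all this example's own assumptions.

```python
"""Added example: what a reverse-lookup DNS name in an AuthN assertion
does and does not prove. Record tables are constructed, not real zones."""
import ipaddress

# Constructed records standing in for live DNS (an assumption).
# PTR_RECORDS: address -> hostname a reverse lookup returns.
# A_RECORDS:   hostname -> addresses a forward lookup returns.
PTR_RECORDS = {
    "10.0.0.5": "ws-105.corp.example",
    "198.51.100.7": "admin-console.corp.example",  # PTR published by the address owner
    "203.0.113.9": "host-9.isp.example",
}
A_RECORDS = {
    "ws-105.corp.example": {"10.0.0.5"},
    "admin-console.corp.example": {"10.0.0.40"},  # the real console is elsewhere
    "host-9.isp.example": {"203.0.113.9"},
}
# The same address after a later reassignment: the PTR has moved on.
PTR_RECORDS_LATER = {**PTR_RECORDS, "10.0.0.5": "ws-221.corp.example"}


def reverse_lookup(ip, ptr=PTR_RECORDS):
    """Reverse lookup (what gethostbyaddr() would do); None if there is no PTR."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return ptr.get(ip)


def forward_confirmed(ip, name, a=A_RECORDS):
    """Forward-confirmed reverse DNS: the PTR target must resolve back to ip.
    The owner of the reverse zone can publish any PTR; only the owner of the
    forward zone for `name` can make the A record agree. This says nothing
    about whether the source address itself was spoofed on the wire."""
    return ip in a.get(name, set())


def subject_locality(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Locality pair an issuer might capture at authentication time.
    The DNS name is asserted only when forward-confirmed; an unconfirmed PTR
    is dropped rather than placed in the assertion as if it were a fact.
    Field names are this example's own, not taken from a specification."""
    name = reverse_lookup(ip, ptr)
    ok = name is not None and forward_confirmed(ip, name, a)
    return {"IPAddress": ip, "DNSAddress": name if ok else None, "confirmed": ok}


def locality_still_matches(locality, ptr):
    """Audit-time check: does a fresh reverse lookup still agree with the name
    captured in the assertion? A False result is why the audit trail should
    keep the value asserted at the time instead of re-deriving it later."""
    return reverse_lookup(locality["IPAddress"], ptr) == locality["DNSAddress"]


if __name__ == "__main__":
    for ip in ("10.0.0.5", "198.51.100.7", "192.0.2.1"):
        print(subject_locality(ip))
    captured = subject_locality("10.0.0.5")
    print("still matches later:", locality_still_matches(captured, PTR_RECORDS_LATER))
```

Run stand-alone, the first address yields a confirmed name, the second has a PTR that does not resolve back and so gets no DNSAddress, the third has no PTR at all, and the later lookup for 10.0.0.5 no longer matches the captured value. The forward-confirmed check only closes the "impersonate a DNS server / publish a bogus PTR" path the issue text mentions; if the source IP address was itself spoofed, which is the connectionless case Blakley raises, nothing derived from that address can be trusted.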