OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: F2F input to bindings

Hi Guys!

I would have loved to come to the F2F but can't make it.
I would though very much appreciate a comment at least on
point #2, #3 and #4 below as they are sort of fundamental. 

Regarding #4: clock-sync independence is another thing that PUSH
[at least could] introduce.

I would like to see some more discussions on scaling, statefulness,
configuration, user-friendliness, ASP, and reliability issues.
All these factor are within SAML scope IMHO.


----- Original Message ----- 
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Mishra, Prateek" <pmishra@netegrity.com>; "OASIS SAML" <security-services@lists.oasis-open.org>
Cc: <security-bindings@lists.oasis-open.org>
Sent: Friday, August 24, 2001 11:47
Subject: Re: draft-sstc-bindings-05

Prateek et al, 
Here are some comments to the bindings-05 draft browser profile(s). 

The initial GET used in all profiles specifies (by example) that
the query string contains TARGET etc. IMHO the initial GET
should not be restricted/specified in any way as it is an entirely
internal thing of the source site. I.e. GET could equally well point
to an URL with a local database index in the query string etc. 
It could AFAIK equally well be a POSTed form (that we have
recently found out is GET-compatible with respect to redirects). 

An observation (for what it is worth): 

- In PUSH the source-site is authenticated before the dest-site 
- In PULL the dest-site is authenticated before the source-site 
- In POSTed form only the source-site is authenticated 

I sort of prefer the second *principle* as it is more in-line with 
authentication in general and is a must for Shibboleth-like uses.

The s.c. distinguished assertion consumer URL could without any 
performance or security implications be fully dynamic in the PUSH 
profile (to require source sites to configure *two* destination
URLs is IMO a bit over the edge).  In the same way,  PartnerIDs are
redundant for all profiles except for PULL. 

IMHO only the PUSH profile is user-friendly, as a broken URL
or rejected request will be detected first-hand by the user's own
site/server (possibly automatically alerting the IS-department,
and giving the user a nice/appropriate error-message), while the
other profiles leave the user with the problem.

That POSTed forms implicate stateful destination-servers is IMHO 
not absolutely necessary as there are workarounds: 

-A short-lived assertion like 60 seconds, makes replay "possible" 
but still "unlikely" to be performed by any other but the original user. 

-A session-cookie should be able to hold the last assertions used 
at a particular site to hamper replay. 

Although replay protection is highly recommended, I still
wonder if it should be a MUST as this could be considered as
a policy-decision rather than a technical ditto.


To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC