security-services message

Subject: RE: [security-services] Smart Browser


With respect, you yourself called your proposal "Kerberos-like." Kerberos is
a specific set of messages and data formats. Kerberos 4 is also a member of
the Needham and Schroeder protocol family, but was shown to have security
weaknesses. In fact it took a number of iterations of Kerberos 5 to get rid
of its flaws. I see no reason we should repeat this process.

It is true that, for example, the SAML HTTP profile has had to invent
mechanisms for secure distribution of SAML Assertions, but there was no
existing alternative standard. In contrast, your proposal seems to duplicate
a number of existing standards, including Kerberos. Other than your
statement that you assume the browser is not Kerberos enabled, I don't see
what your rationale is for doing this.

If we are going to hypothesize that the user will have a Browser that is
equipped with some software that Browsers today do not have, why not assume
Kerberos or TLS with client certs?

Surely you are not arguing that what the world needs is an XML version of
Kerberos, are you?



> -----Original Message-----
> From: Flinn, Don [mailto:Don.Flinn@hitachisoftware.com]
> Sent: Thursday, October 18, 2001 10:05 AM
> To: Hal Lockhart; Oasis Sstc (E-mail)
> Subject: RE: [security-services] Smart Browser
> Hal
>
> The intent is not to invent a new protocol.  The intent, as I proposed,
> is to use Kerberos, or the Needham and Schroeder protocol upon which
> Kerberos is based.  The existing SAML browser protocols, IMHO, lean more
> towards the invention of new protocols than what I am suggesting.
> Specifically, I am suggesting that we use existing, well known protocols
> in the smart browser profile.
>
> Don
> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Thursday, October 18, 2001 9:41 AM
> To: Flinn, Don; Oasis Sstc (E-mail)
> Subject: RE: [security-services] Smart Browser
> I don't understand the motive for inventing a new authentication
> protocol.
> History has shown that this is something which is fraught with risk. It
> seems to me that we have plenty of good ones already, they are just not
> widely deployed. This one seems particularly puzzling since it has
> essentially the same external characteristics as Kerberos.
>
> This also seems to violate what I understood to be the intent of the
> requirement we all agreed to last spring.
>
> "SAML will not propose any new cryptographic technologies or models for
> security; instead, the emphasis is on description and use of well-known
> security technologies utilizing a standard syntax (markup language) in the
> context of the Internet."
>
> Hal
> > -----Original Message-----
> > From: Flinn, Don [mailto:Don.Flinn@hitachisoftware.com]
> > Sent: Tuesday, October 16, 2001 3:04 PM
> > To: Oasis Sstc (E-mail)
> > Subject: [security-services] Smart Browser
> > 
> > 
> > I had to drop out of today's focus group for another meeting.
> >
> > I would like to get a reading from the group on the Smart Browser
> > Profile concept that I put on the mailing list a couple of weeks ago.
> > There has been no discussion on this.  I would like to know whether this
> > means that there is no interest and the idea should be dropped or
> > whether people thought it worthwhile, in which case I would do
> > additional work on it, or hated the idea.
> >
> > I have attached the writeup again for easy reference.
> >
> > Don
