
security-services message


Subject: Re: [security-services] Draft-sstc-sec-consider-03.doc

The question seems to boil down to whether users are "dumb" or "smart".  Given the
last years' virus craze, I tend to believe they are "dumb".

Anyway, if we take the SAML SSO scenarios, I at least envision *a lot*
of use-cases where the user is strongly authenticated to his/her source
(preferably using client-side PKI), but simply redirected to the target.
*Long-term*, particularly for B2B-scenarios like OBI, PunchOut, RoundTrip,
etc. this security-hole should be addressed, in a way that does not require the *users*
to take decisions whose consequences they do not understand.   In B2B
the relation [incl. trust] is between the target and the source as the user is just a
"tool" for carrying out a business process, so it is perfectly logical to (in some
way), offload the verification of the target to the source instead of to the user.

That this is technically possible with relatively moderate measures is something I have
tried to show in http://www.x-obi.com/OBI400/andersr-mitm-attac-and-cure.ppt
Yes!  There are other ways to do this, this is just *one* (maybe miserable)
example to get the ball rolling...

But, Microsoft's security department thinks that the solution is "user education".
If a security problem is technically awkward to solve (gives negative side-effects),
I agree, but in this case, I stay confident that this can be fixed or at least be vastly


----- Original Message -----
From: "Polar Humenn" <polar@syr.edu>
To: "Hal Lockhart" <hal.lockhart@entegrity.com>
Cc: "'Anders Rundgren'" <anders.rundgren@telia.com>; <cmclaren@netegrity.com>; "'oasis sstc'"
Sent: Friday, January 11, 2002 01:41
Subject: RE: [security-services] Draft-sstc-sec-consider-03.doc

On Thu, 10 Jan 2002, Hal Lockhart wrote:

> > The "client" is unfortunately a *human*  that just gets a
> > hint that something
> > is not correct but he/she may click "Continue" to ignore.
> > And maybe even select to
> > trust the next time.  This is the problem with ad-hoc PKI as
> > Dug correctly points
> > out.  This is also probably the weakest spot in SAML,
> > assuming that servers
> > are not too easy to hack into.
> This is nonsense. Users get very upset when they get a popup warning about a
> security error.

Really? I remember Ed Felten of Princeton giving a talk a number of years
ago at a DIMACS workshop on Trust Management. In this talk he explained an
experiment where he pointed a user at a particular website and had them
click on a button. That action raised a security violation which popped up
on IE4.0 and the user just clicked it away. Subsequently, the browser
shut off the user's machine.

You're right, people did get very upset. When asked about the popup, most
people said "What popup?".

Ed likened the popup window to "merely an incidental fly on the screen
that was in the way, which the user swatted away".

> We even found it impossible for them to accept a self-signed
> certificate from us by secure means. If it doesn't validate with one of the
built-in roots, they won't touch it. This has been discussed repeatedly in
> the PKIX list and in the opinion of some, e.g. Peter Gutmann, it is a major
> reason people buy server certificates from public CAs.

I guess this situation depends on how many "built-in roots" your browser
has, mine came with some 100 of them. Do you find your users actually
delete root certificates they don't know enough to like?


> Hal
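Added illustration (not part of the original thread, and not the mechanism in Anders Rundgren's slides, which the archive does not reproduce): one way a source site can "offload the verification of the target" from the user to itself is to keep its own registry of targets it has a business relation with, pinning each target's certificate fingerprint and the endpoints it may receive users at, and to refuse the redirect outright when anything does not match. The user never sees a certificate popup to swat away, because the decision is made server-side. Hostnames, paths and the "certificate" byte strings below are constructed placeholders; a real deployment would pin the fingerprint of the target's actual TLS certificate, exchanged out-of-band when the relation is set up.

```python
"""Source-side vetting of an SSO target before the user is redirected.

Added example, not code from the original thread. Hostnames, endpoints and the
"certificates" are constructed stand-ins, not real DER data.
"""
import hashlib
import hmac
from urllib.parse import urlencode, urlparse

# Constructed stand-ins for DER-encoded certificates.
GOOD_CERT = b"constructed: certificate of supplier.example"
MITM_CERT = b"constructed: certificate presented by an interposed host"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def register_target(registry: dict, host: str, cert_der: bytes, allowed_paths: tuple) -> None:
    """Record a target the source is willing to send users to.

    Done once, out-of-band, when the business relation (and trust) between
    source and target is established. The user plays no part in it.
    """
    registry[host.lower()] = {
        "fingerprint": fingerprint(cert_der),
        "allowed_paths": tuple(allowed_paths),
    }


def vet_target(registry: dict, target_url: str, presented_cert_der: bytes):
    """Return (ok, reason). Every check is made by the source, never the user."""
    url = urlparse(target_url)
    if url.scheme != "https":
        return False, "target must be reachable over https"
    host = (url.hostname or "").lower()
    entry = registry.get(host)
    if entry is None:
        return False, f"no trust relation with {host or '<empty host>'}"
    path_ok = any(
        url.path == p or url.path.startswith(p.rstrip("/") + "/")
        for p in entry["allowed_paths"]
    )
    if not path_ok:
        return False, f"path {url.path!r} is not a registered endpoint of {host}"
    # Pin check: the certificate the target presents now must be the one
    # recorded at setup. An interposed host with a different certificate fails
    # here, regardless of which public roots a browser would have accepted it under.
    if not hmac.compare_digest(fingerprint(presented_cert_der), entry["fingerprint"]):
        return False, f"certificate presented for {host} does not match the pinned one"
    return True, "ok"


def build_redirect(registry: dict, target_url: str, presented_cert_der: bytes, artifact: str):
    """Return the redirect URL carrying the SAML artifact, or None if the target was refused."""
    ok, _reason = vet_target(registry, target_url, presented_cert_der)
    if not ok:
        return None
    sep = "&" if "?" in target_url else "?"
    return f"{target_url}{sep}{urlencode({'SAMLart': artifact})}"


# Constructed registry: the source trusts exactly one target endpoint.
REGISTRY: dict = {}
register_target(REGISTRY, "supplier.example", GOOD_CERT, ("/saml/acs",))

if __name__ == "__main__":
    for url, cert in [
        ("https://supplier.example/saml/acs", GOOD_CERT),
        ("https://supplier.example/saml/acs", MITM_CERT),
        ("http://supplier.example/saml/acs", GOOD_CERT),
        ("https://evil.example/saml/acs", GOOD_CERT),
    ]:
        print(url, "->", vet_target(REGISTRY, url, cert))
```

The point of the design is where the refusal happens: the source declines to redirect at all, so there is nothing for the user to click "Continue" on. Pinning a fingerprint rather than relying on whatever roots happen to ship in the browser also sidesteps the "some 100 built-in roots" problem raised above, at the cost of having to update the pin when the target rotates its certificate.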
