security-services message
Subject: RE: [security-services] Credentials Collector proposal for SAML 2.0...
- From: "Hal Lockhart" <hlockhar@bea.com>
- To: "Carlisle Adams" <carlisle.adams@entrust.com>, <security-services@lists.oasis-open.org>
- Date: Tue, 1 Apr 2003 09:53:26 -0500
Title: Credentials Collector proposal for SAML 2.0...
Carlisle,

This doesn't seem to have attracted much discussion.

I agree that architecture "CC as Translator" is what most people want. ("Combined CC and AA" is what SAML supports today, e.g. Browser/artifact Profile, and "CC as Local Authenticator" has always seemed dubious to me as a candidate for standardization, since the trust required of the CC by the AA suggests that they will be part of the same security domain.)

Your paper addresses in more detail issues I only alluded to in my original paper. However, the fundamental question remains. How can this architecture be realized (with or without WS-Trust) without either a) favoring weak (password) authentication over strong (cryptographic) authentication or b) causing the architecture (and therefore the trust relationships) to change completely from one authentication to the next, depending on the type of mechanism chosen?

The problem is not so much the authentication itself, but the state that must be carried forward into the session begun with a cryptographic handshake.

Given purely technical considerations, I would favor the Shared Session Key scheme I outlined in my original paper. I would even be willing to work with you to flesh out the details. However, the practical reality is that most implementations use SSL, for example, as a black box and have no convenient means for exporting and importing session keys, not to mention doing only half of the protocol.

Those who do not understand the last three paragraphs should refer to my paper at:

Hal
Hi all,

I've finally gotten around to updating and filling out the Credentials Collector proposal. I've tried to take into account the brief discussions a few of us have had so far on this topic. Further comment/discussion is welcome, on the list and perhaps in an upcoming concall.

Carlisle.

<<SAML Credentials Collector.doc>>