OASIS Mailing List Archives

security-services message

Subject: RE: [security-services] Agents and web services


Alistair,

The assumption in this profile is that the PKI trust relationship is
preconfigured, and authentication is accomplished using SSL mutual auth
*before* any SAML operations occur.

Is the text for this in the profile unclear?

Private key information is required to accomplish the mutual SSL auth,
so grabbing the public keys of other users would not be of any benefit
to an attacker.

 
 ~ Rick
  
-----Original Message-----
From: alistair@smo.uhi.ac.uk [mailto:alistair@smo.uhi.ac.uk] 
Sent: Saturday, February 05, 2005 4:57 PM
To: security-services@lists.oasis-open.org
Subject: [security-services] Agents and web services

Mr Alistair Young added the following comment to the
sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf
document in the OASIS Security Services (SAML) TC Group.

Would it be possible to expand on the part where the principal offers an
X509 certificate to the SP?
Does the IdP issue it on behalf of the principal after authentication?
If so, why use an X509? Just use AuthenticationStatement.

If the ConfirmationMethod is holder-of-key, how to stop malicious agents
trawling an LDAP store, gathering X509s and authenticating to the SP as
those users?

The X509 profile is interesting in the agent scenario, where a service
has to query attribute stores on behalf of a user. No HTTP user agent is
involved, rather it's communication between web services, with
authentication via X509.

A use case is a VLE asking for student attributes from an ES enabled SRS
to update group permissions. It would be done at the agent level and the
SRS will have to have some way to authenticate the agent and verify that
it has enough permissions (defined at its IdP) to ask for the data.

View Document Details and Comments:
http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=11323

Download Document:
http://www.oasis-open.org/apps/org/workgroup/security/download.php/11323/sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf


- Administration
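
Rick's point above, that certificates trawled from an LDAP store are of no use without the matching private key because mutual SSL authentication happens before any SAML processing, as an added example that is not part of this thread or of the draft profile. The code below is an editorial illustration, not the TC's or any vendor's implementation. It simulates the step of mutual TLS that matters here (the client's CertificateVerify signature over the handshake transcript, represented by a constructed byte string) and the holder-of-key check an SP would make afterwards. It goes slightly beyond the question in the thread by also covering an attacker who has a valid certificate of her own but presents someone else's assertion. The principals alice and mallory, the CA, the assertion shape (subject name plus DER certificate), and the function names are assumptions; verification of the IdP's signature on the assertion is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // setup failures end the demo; nothing after them is meaningful
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn: a self-signed CA when
// parent is nil, otherwise a client-auth leaf signed by parent (the "preconfigured PKI").
func issue(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed trust anchor
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// prove is the client's side of mutual TLS in miniature: the CertificateVerify
// signature over the handshake transcript, which needs the certificate's private key.
func prove(key *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	h := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// spAuthenticate is the SP's side: chain the TLS peer certificate to the trust anchor,
// check proof of possession, and only then accept a holder-of-key assertion that names
// exactly the certificate just authenticated. IdP signature checking is omitted here.
func spAuthenticate(roots *x509.CertPool, peer *x509.Certificate, transcript, sig []byte, subject string, holderOfKeyDER []byte) (string, error) {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("untrusted client certificate: %w", err)
	}
	pub, ok := peer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(transcript)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("proof of possession failed: peer does not hold this certificate's private key")
	}
	if !bytes.Equal(peer.Raw, holderOfKeyDER) {
		return "", errors.New("holder-of-key mismatch: authenticated peer is not the assertion's subject")
	}
	return subject, nil
}

// RunScenarios enrols two hypothetical principals under one CA and returns the SP's
// verdict for three attempts to use alice's assertion. A nil error means accepted.
func RunScenarios() map[string]error {
	ca, caKey := issue(1, "Example CA", nil, nil)
	alice, aliceKey := issue(2, "alice", ca, caKey)
	mallory, malloryKey := issue(3, "mallory", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	transcript := []byte("constructed stand-in for a fresh TLS handshake transcript")
	attempts := map[string]struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }{
		"alice-own-key":       {alice, aliceKey},
		"mallory-stolen-cert": {alice, malloryKey},   // alice's cert trawled from LDAP, no key
		"mallory-own-cert":    {mallory, malloryKey}, // valid peer, but not the holder-of-key
	}
	results := make(map[string]error, len(attempts))
	for name, a := range attempts {
		sig, err := prove(a.key, transcript)
		check(err)
		_, results[name] = spAuthenticate(roots, a.cert, transcript, sig, "alice", alice.Raw)
	}
	return results
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Println(name, "->", err)
	}
}
```

The order of the three checks is the substance of Rick's reply: the SP establishes who the TLS peer is, and that the peer holds the private key, before it looks at the assertion at all. The harvested certificate fails at the proof-of-possession step, and even a legitimately enrolled agent cannot consume another principal's holder-of-key assertion because the authenticated certificate and the one named in the assertion must be byte-for-byte the same.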

