Subject: Re: [security-services] NIST prohibits use of SAML assertions at LOA4
On 6/27/08 11:31 AM, "Staggs, David (SAIC)" <David.Staggs@va.gov> wrote:

> Colleagues
>
> NIST representatives pointed out that the new NIST Draft SP800-63-1
> prohibits the use of SAML assertions at level of assurance 4.
> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1
>
> Is this an issue that the TC should address? Is there a problem in
> using SAML for high assurance communications? I have been told NIST is
> still accepting comment on the draft although the official comment
> period is over.

Well, this is truly bizarre. It is interesting that they provide no justification for this other than the statement on p. 84 that

    Assertions are not allowed at Level 4 since it is not possible to establish a strong enough binding between the authentication activity established between the Claimant and the Verifier, and the secure session established between the Subscriber and the Relying Party.

In other words, we don't trust PKI crypto enough to rely on DSIG, SSL/TLS, and other stuff. So we'll rely on ... PKI crypto to do direct authentication. Either the NSA knows something they are not telling us, or this is pure voodoo and superstition.

Really, this seems to undermine the whole LOA scheme. The LOA scheme is (or was) based on the strength of the credentials and the identity proofing behind those credentials. Now, we have the mechanisms for transporting those credentials called into question.

In addition, on p. viii,

    Level 4 is intended to provide the highest practical remote network authentication assurance

But how do you convey level 4 over to a remote network if you don't use assertions (or rely on the same technology for transport and message-integrity as assertions)?

There are quite a number of other significant changes in this new draft, such as the invention of a new notion, a "secondary authenticator", which afaict is exactly the same as an "assertion". I don't know why they inserted this indirection.

They have also removed a large portion of the threat analysis that discussed the non-technical issues involved in security. And they have added some odd notions about different lifetimes for assertions based on whether they originate from the same internet domain (p. 85):

    Also, at Level 3, assertions shall expire within 30 minutes when used within a single domain (e.g. Internet cookies). Cross-domain assertions shall expire within 5 minutes.

So, perhaps NIST is conflating "assertion" (lowercase) with "cookie" and "SAML Assertion" and throwing them all out with the bathwater in Level 4.

And yes, I think it would be prudent to (at least) ask for clarification on the motivations for excluding assertions from Level 4.

ET
--
____________________________________________________
Eric Tiffany | eric@projectliberty.org
Interop Tech Lead | +1 413-458-3743
Liberty Alliance | +1 413-627-1778 mobile