
Subject: Re: [security-services] NIST prohibits use of SAML assertions at LOA4

On 6/27/08 11:31 AM, "Staggs, David (SAIC)" <David.Staggs@va.gov> wrote:

> Colleagues
> NIST representatives pointed out that the new NIST Draft SP800-63-1
> prohibits the use of SAML assertions at level of assurance 4.
> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1
> Is this an issue that the TC should address?  Is there a problem in
> using SAML for high assurance communications?  I have been told NIST is
> still accepting comment on the draft although the official comment
> period is over.

Well, this is truly bizarre.

It is interesting that they provide no justification for this other than the
statement on p. 84 that

    Assertions are not allowed at Level 4 since it is not possible to
    establish a strong enough binding between the authentication
    activity established between the Claimant and the Verifier, and
    the secure session established between the Subscriber and the
    Relying Party.

In other words, we don't trust PKI crypto enough to rely on DSIG, SSL/TLS,
and other stuff.  So we'll rely on ... PKI crypto to do direct
authentication.  Either the NSA knows something they are not telling us, or
this is pure voodoo and superstition.

Really, this seems to undermine the whole LOA scheme.  The LOA scheme is (or
was) based on the strength of the credentials and the identity proofing
behind those credentials.  Now, we have the mechanisms for transporting
those credentials called into question.  In addition, on p. viii,

    Level 4 is intended to provide the highest practical remote network
    authentication assurance

But how do you convey level 4 over to a remote network if you don't use
assertions (or rely on the same technology for transport and
message-integrity as assertions)?

There are quite a number of other significant changes in this new draft, such as
the invention of a new notion, a "secondary authenticator", which afaict is
exactly the same as an "assertion".  I don't know why they inserted this
indirection.  They have also removed a large portion of the threat analysis
that discussed the non-technical issues involved in security.

And they have added some odd notions about different lifetimes for
assertions based on whether they originate from the same internet domain (p.

    Also, at Level 3, assertions shall expire within 30 minutes when
    used within a single domain (e.g. Internet cookies). Cross-domain
    assertions shall expire within 5 minutes.

So, perhaps NIST is conflating "assertion" (lowercase) with "cookie" and
"SAML Assertion" and throwing them all out with the bathwater in Level 4.

And yes, I think it would be prudent to (at least) ask for clarification on
the motivations for excluding assertions from Level 4.

Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile
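To make the Level 3 lifetime rule quoted above concrete, here is an added check (my example, not code from the draft, the TC, or anyone in this thread) that reads the Conditions element of a SAML 2.0 assertion and tests its lifetime against the 30-minute single-domain and 5-minute cross-domain caps. It assumes "same domain" means the last two labels of the Issuer and Audience hostnames match, which is a simplification, not the draft's definition, and the sample assertions are constructed and unsigned.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAME_DOMAIN_MAX_MIN = 30   # Level 3 cap quoted in the draft, single domain
CROSS_DOMAIN_MAX_MIN = 5   # Level 3 cap quoted in the draft, cross-domain

def registrable_domain(uri):
    # Assumption: "same domain" means the last two hostname labels match.
    host = (urlparse(uri).hostname or uri).lower()
    return ".".join(host.split(".")[-2:])

def parse_utc(ts):
    # xsd:dateTime with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_assertion_lifetime(xml_text):
    """Return (cross_domain, lifetime_minutes, within_limit) for one assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    start, end = parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))
    lifetime = (end - start).total_seconds() / 60
    cross = registrable_domain(issuer) != registrable_domain(audience)
    limit = CROSS_DOMAIN_MAX_MIN if cross else SAME_DOMAIN_MAX_MIN
    return cross, lifetime, lifetime <= limit

def sample_assertion(issuer, audience, not_before, not_after):
    # Constructed minimal assertion (no signature) for demonstration only.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_demo">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    cross = sample_assertion("https://idp.example.org/saml", "https://sp.example.com/acs",
                             "2008-06-27T15:31:00Z", "2008-06-27T15:41:00Z")
    same = sample_assertion("https://idp.example.org/saml", "https://portal.example.org/acs",
                            "2008-06-27T15:31:00Z", "2008-06-27T15:41:00Z")
    print(check_assertion_lifetime(cross))  # (True, 10.0, False): 10 min exceeds the 5 min cap
    print(check_assertion_lifetime(same))   # (False, 10.0, True): 10 min is under the 30 min cap
```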
