Subject: RE: [security-services] NIST prohibits use of SAML assertions at LOA 4
> The current version doesn't explicitly forbid assertions. 800-63 v1.02 says
> "Level 4 authentication is based on proof of possession of a key through a
> cryptographic protocol" and I would consider SAML protocols to satisfy that.

In the abstract yes, but the original SSO profile? Absolutely not. I don't have any problem with Conor's point; I think the original text you're quoting is the right approach. It's not a SAML issue, it's a statement about the requirements of whatever the underlying technology is.

> I'm not sure why the browser is part of the equation. The assertions are
> signed and can be encrypted for the use of the RP only.

Yes, but they can be stolen in transit or in the client and used by the attacker. You can argue about the threat, but that's the threat they're talking about.

> If you utilize all the protective measures in SAML, I don't see how using
> PKI between the Client and the RP is any different from PKI between Client
> and IDP, and then using that same PKI tech to provide a provable reference
> back to that authentication.

Are you talking about a holder of key profile, or the original profile? Only the HoK proposal uses those measures or provides a "provable reference". Standard SSO is bearer, as you know. No binding of the channel to the assertion.

> I guess my point is that if you believe that PKI is valid and practically
> unassailable, then you should also believe that about PKI-based signing and
> delivery of credential materials.

Maybe I misunderstood your point, but generally when people talk about SAML SSO, they aren't talking about PKI-based delivery. Maybe you were assuming that, but for me that isn't really realistic because the UI for client certificates just doesn't work.

-- Scott
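An added illustration of the bearer-versus-holder-of-key distinction made in this message (example code written for this page, not from the thread or any SAML implementation): an RP-side subject confirmation check that rejects bearer assertions and accepts a holder-of-key assertion only when the certificate named in it is the one the client authenticated with on the TLS channel to the RP. It assumes XML signature and Conditions validation happen before this step, and the certificate bytes are constructed stand-ins, not real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def confirm_subject(assertion_xml: str, channel_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Accept only a holder-of-key assertion whose named certificate equals the
    client certificate on the TLS channel to the RP (signature already verified)."""
    root = ET.fromstring(assertion_xml)
    confs = root.findall(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")
    hok = [c for c in confs if c.get("Method") == HOK]
    if not hok:
        return False, "no holder-of-key confirmation (bearer only or none)"
    if channel_cert_der is None:
        return False, "no client certificate presented on the channel"
    want = hashlib.sha256(channel_cert_der).hexdigest()
    path = (f"{{{SAML}}}SubjectConfirmationData/{{{DS}}}KeyInfo/"
            f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    for conf in hok:
        for cert_el in conf.findall(path):
            der = base64.b64decode("".join((cert_el.text or "").split()))
            if hashlib.sha256(der).hexdigest() == want:
                return True, "subject confirmed: assertion key matches channel key"
    return False, "holder-of-key certificate does not match the channel certificate"

def _assertion(method: str, cert_b64: str = "") -> str:
    # Constructed minimal assertion; a real one also carries Issuer, Signature, Conditions.
    key_info = (f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>'
                f'{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>') if cert_b64 else ""
    return (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0"><saml:Subject>'
            f'<saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="{method}">'
            f'<saml:SubjectConfirmationData>{key_info}</saml:SubjectConfirmationData>'
            f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion>')

# Constructed stand-ins for DER certificates (not real X.509 data).
CLIENT_CERT = b"constructed-der-bytes-client"
OTHER_CERT = b"constructed-der-bytes-someone-else"
HOK_ASSERTION = _assertion(HOK, base64.b64encode(CLIENT_CERT).decode())
BEARER_ASSERTION = _assertion(BEARER)

if __name__ == "__main__":
    print(confirm_subject(HOK_ASSERTION, CLIENT_CERT))     # accepted
    print(confirm_subject(HOK_ASSERTION, OTHER_CERT))      # stolen assertion replayed over another channel
    print(confirm_subject(BEARER_ASSERTION, CLIENT_CERT))  # bearer: nothing binds it to the channel
```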