OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] NIST prohibits use of SAML assertions at LOA 4

> The current version doesn't explicitly forbid assertions.  800-63 v1.02
> "Level 4 authentication is based on proof of possession of a key through a
> cryptographic protocol" and I would consider SAML protocols to satisfy

In the abstract yes, but the original SSO profile? Absolutely not.

I don't have any problem with Conor's point; I think the original text
you're quoting is the right approach. It's not a SAML issue, it's a
statement about the requirements of whatever the underlying technology is.
> I'm not sure why the browser is part of the equation.  The assertions are
> signed can be encrypted for the use of the RP only.

Yes, but they can be stolen in transit or in the client and used by the
attacker. You can argue about the threat, but that's the threat they're
talking about.

> If you utilize all the
> protective measures in SAML, I don't see how using PKI between the Client
> and the RP is any different from PKI between Client and IDP, and then
> that same PKI tech to provide a provable reference back to that
> authentication.

Are you talking about a holder of key profile, or the original profile? Only
the HoK proposal uses those measures or provides a "provable reference".
Standard SSO is bearer, as you know. No binding of the channel to the

> I guess my point is that if you believe that PKI is valid and practically
> unassailable, then you should also believe that about PKI-based signing
> delivery of credential materials.

Maybe I misunderstood your point, but generally when people talk about SAML
SSO, they aren't talking about PKI-based delivery. Maybe you were assuming
that, but for me that isn't really realistic because the UI for client
certificates just doesn't work.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]