OASIS Mailing List Archives

security-use message



Subject: Re: ISSUE[UC-5-01:AuthCProtocol]


Hal,

From the use case description SSO push model #2

            1. Web user authenticates with source Web site. 
            2. Web user requests link to destination Web site. 
            3. Source Web site requests authorization profile for the resource to be accessed (unsigned)
            4. Destination Web site returns authorization profile (signed)
            5. Source Web site requests authorization for Web user to use destination resource from destination Web site (signed)
            6. Destination Web site returns authorization reference to Source Web site (signed)
            7. Source Web site provides user with authorization reference and redirects user to destination Web site. 
            8. User requests destination resource from destination Web site, providing authorization reference. 
            9. Destination Web site provides resource to Web user. 

> This is not challenge response authentication, for the simple reason that
> neither the AP nor the RP is being authenticated. If you don't like challenge
> response I suggest you think of another name, but the exchange you are
> talking about does not involve authentication. The AP and RP are exchanging
> what they know about the User. The fact this is done in a way that prevents
> replay and other attacks does not make it authentication. 

Actually both parties are fully authenticated by the digital signatures and associated certificates
of messages 4 and 5.  

> Challenge response authentication is commonly used to refer to an
> authentication method wherein the party being authenticated is required to
> respond to a challenge by performing some cryptographic operation on a
> piece of information whose value cannot be anticipated. Examples of this
> include CHAP, MS challenge response and SSL. A major alternative is to use a
> time-based protocol, of which Kerberos is an example. 

The cryptographic operation performed by the AP on the challenge/nonce/timestamp in message (4)
is the digital signature enclosing message (5) that contains (among many things) the challenge as well.

I agree that this is not described in the use-case text, but this is what I and to some extent Shibboleth propose.

Anders
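
The exchange in messages 4 and 5 as this reply describes it, as an added example that is not part of the original message or of any SAML or Shibboleth text: the destination signs a fresh challenge, and the source's signature over message 5 covers that same challenge. Ed25519 keys stand in for the certificates, and the message layout and the names `seal`, `open`, `accept` and `Exchange` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// seal signs a message body that ends in the 16-byte challenge.
func seal(priv ed25519.PrivateKey, text string, nonce []byte) (body, sig []byte) {
	body = append([]byte(text+"|"), nonce...)
	return body, ed25519.Sign(priv, body)
}

// open checks the signer and returns the challenge carried in the body.
func open(pub ed25519.PublicKey, body, sig []byte) ([]byte, error) {
	if len(body) < 16 || !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("bad signature")
	}
	return body[len(body)-16:], nil
}

// accept is the destination's check of message 5: trusted signer, unanswered challenge.
func accept(issued map[string]bool, srcPub ed25519.PublicKey, m5, sig []byte) error {
	nonce, err := open(srcPub, m5, sig)
	if err == nil && !issued[string(nonce)] {
		err = fmt.Errorf("unknown or replayed challenge")
	}
	delete(issued, string(nonce)) // no-op unless the challenge was outstanding
	return err
}

// Exchange runs messages 4 and 5, then a wrong-key and a replayed message 5.
func Exchange() (m4err, forged, first, replay error) {
	dstPub, dstPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	srcPub, srcPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	issued := map[string]bool{string(nonce): true}
	m4, sig4 := seal(dstPriv, "profile:/reports", nonce) // message 4
	echoed, m4err := open(dstPub, m4, sig4)              // source authenticates destination
	m5, sig5 := seal(srcPriv, "authz:alice", echoed)     // message 5
	_, bad := seal(dstPriv, "authz:alice", echoed)       // same body, wrong signer
	return m4err, accept(issued, srcPub, m5, bad), accept(issued, srcPub, m5, sig5), accept(issued, srcPub, m5, sig5)
}

func main() { fmt.Println(Exchange()) }
```

The second `accept` of the same message 5 fails because the challenge is consumed on first use; the signature alone would still verify.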



