[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: Credential "Negotiation" Complexity
All, >> > One major reason to the extended scheme I propose, is that the current [rigid] approach >> > seems to leave credential incompatibility issues in the hand of the user instead of the AP. >> > It *may* cost an extra "round", but it will put much less burdon on helpdesks. >> Here I respectfully disagree. Consider your example: > [snip] >I find this example strange. If it is a "fact" that an Assistant Professor of Computer Science >implies a Phd in the same subject, why did not the AP provided the credential asked for? > >Regardless of scheme used, all parties must agree on format and exact semantics of >credentials. This is the critical point. This is one of the things I addressed in comments I made at the DeAnza meeting in MA just before the formation of the TC, which I've just realized I never circulated to any list. So I'll put it in this note. ================ begin Bob's sermon on scope of activity =================== The environment in which <name of spec> will be useful is: * many domains * many technologies, including security technologies * many policies, administered by many autonomous authorities * many naming domains, with no guarantee of global uniqueness of names and no single naming convention * requirement for autonomy of domains * requirement for high performance Among the things which <name of spec> will address are: * interoperability of domains which share a security infrastructure but not administration of security attributes * interoperability of domains which don't share the same security infrastructure In order to achieve these goals, the domains need to do a variety of things: * Agree on the interoperable vocabulary - this could include + subject names (nouns) + subject attributes (adjectives) + assertions about subject (indicative sentences: "Bob is an Assistant Prof.") - rules governing subject actions (optative sentences "Bob should be allowed to read files") * Agree on a syntax for the interoperable vocabulary - this could be + a universal syntax (used by all domains) + a transfer syntax (understood by all domains) * Define a mechanism for making assertions - this should not depend on a particular protocol + because a pair of domains may communicate over several protocols - this should not presume or require a trust relationship + because we don't know what trust relationships domains will want to use - this should not presume or require a particular secure exchange mechanism + such as SSL or a signed token + because some domains may not support some mechanisms + and because some pairs of domains may already have secure exchange mechanisms they use, and adding another one will be superfluous from a security viewpoint and will impose both a performance overhead and a software content and configuration overhead (for the code which implements our mechanism) There are a number of dangers which should be avoided in achieving these goals * We shouldn't require agreement on subject names across domains - because domains already have given their subjects names and don't want to change them * We shouldn't require external visibility or comprehension of resource names - because each domain may want complete control over its resources and may not be willing or able to publicize them to other domains * We shouldn't require one domain to enforce a policy stated by another domain - because autonomy of domains requires that each domain be able to make independent decisions about its own policies. My personal belief is that we should design our mechanisms to support maximum autonomy. This means * We should define a transfer syntax, but NOT a universal syntax * We should define scoped names (scoped by domain, like RFC 822 does), but NOT global names * We should exchange names and attributes, but NOT policies or capabilities * We should define a mechanism for expressing assertions, but NOT a means of establishing the recipient's trust in the assertor * We should ASSUME that each domain which recieves an assertion will re-interpret its contents - for example, if a domain recieves an assertion of a subject's name, it will translate that name into a locally-understood form - for example, if a domain receives an assertion of a subject's name, it will form its own local view of the groups to which that subject belongs - for example, if a domain recieves an assertion of a subject's group memberships, it may discard some of the asserted groups (as being "not recognized", or because the assertor is not in its view trusted to assert membership in these groups), and it may translate some of the asserted groups into other, locally-recognized groups. - etc... ================= end Bob's sermon on scope of activity ==================== >Evan, > >> But I think Anders has gotten to the kernel of this issue. I think for >> most of us with experience with AuthXML or S2ML, we've dealt from the >> get-go with expecting peer security systems to have arranged their >> partnership out-of-band. In other words, there are configuration >> options on each piece of software that say what data is sent as >> credentials, what profile information to share, what keys belong to >> what security system, etc. >> >> We explicitly have this called out in the current doc, saying that >> "trust negotiations must be made out-of-band." I agree with Anders >> that there's a momentous opportunity in dropping this non-goal and >> allowing the trust relationship to be negotiated IN-band ("Who are >> you? Who says that's you? What do you want?"). > >I do not propose that we should solve all this IN-band. It is largely impossible IMO. >Trust between parties (APs and RPs) will continue to be more or less out of band. I ***STRONGLY*** agree with this. I think trust is something which needs to be established BASED ON (1) a trust model, (2) an authentication protocol, and (3) tokens of the form we exchange. I assert that we should neither assume nor define a particular trust model -- instead we should define tokens which can be exchanged within any trust model. If we try to turn this effort into an authentication and trust establishment protocol definition effort, we will never finish, AND we will limit the usefulness of our effort to environments which don't already have their own trust model and authentication protocols defined. >Regarding credentials, the parties must as already stated indeed support the same profiles. This is >however something that does not always have to be performed using hardcoded, point-to-point, >out-of-band setups for each resource, URL etc. That does not scale at all IMO! In principle I don't see how changing a given negotiation protocol from "out-of-band" to "in-band" (by including it in our spec) changes its scale characteristics. I think this is just an issue of scope, and not one of function. >If parties are able to define credential definitions that they can share, it should be about the same work >to define the run-time specification for the very same credentials. This is essentially all I am asking for. I think what's being said here is that we should define a "credential syntax and semantics negotiation facility" but not define the underlying syntaxes and semantics (semantices?). I think that we *might* consider defining a negotiation facility but we *need not* do so. The negotiation facility could be defined at a later date, or different ones could be used, without any damage to underlying facilities which support exchange of assertions based on the understanding that they're mutually understood by all parties to the exchange. In the interests of simplicity, therefore, I'd prefer NOT to define negotiation facilities this time around, but leave it as a recognized area for future extensions. --bob Bob Blakley Chief Scientist, Security Tivoli Systems, Inc.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC