>>>>> "Bernard" == Bernard Aboba <[email protected]> writes:
Bernard> Let me ask a potentially stupid question: Why can't we send
Bernard> a URL pointing to the {SAML Assertion, Certificate} instead
Bernard> of sending the data itself?
Hi.

First, I'm a little nervous about a SAML specific proposal.
In Kerberos, we found that even with compact representations of
authorization data, when people really start taking advantage of dynamic
authorization, the authorization data can get large.
Kerberos ended up choosing to use TCP to solve its fragmentation issues.
I suspect that SAML is only the most discussed use case for a
fragmentation solution.

However, let's explore URIs for SAML.

So, several of us do not want to assume a PKI shared between the NAS
and the home AAA server.
That is, we want to bootstrap our trust based on the AAA fabric.
(Note that some subset of us wants to do interesting things to
bootstrap AAA trust, but that also fails to involve a PKI.)

SAML assertions are not always public.
That is, we may be unwilling to disclose a SAML assertion without
authorization.

So, we need to accomplish the following:
1) Prove authorization to get the SAML assertion
2) Protect the integrity of the SAML assertion
3) Provide optional confidentiality for the SAML assertion. (Several of
us want to use SAML with RADSEC.)

In addition, in several of these cases, the SAML assertion is generated
as a dynamic artifact of the authentication, so you have to introduce
the complexity of storing the SAML assertion for a while.

URLs aren't very good at providing confidentiality and integrity unless
you happen to share a PKI in common with the authority referenced in the
URI.

It's possible to design a solution based on references that meets these
constraints. I think we discussed that in ABFAB, and that's definitely
not where we ended up.

I think that if someone wants to pursue a URI-based approach it would be
best to have a concrete proposal on the table.
Possibly something that included a URI and a hash of the content.
Except that alone is not good enough because if knowing the URI is the
authorization to get the assertion, how do you provide authentication of
the server prior to disclosing the URI without depending on a shared
PKI?

--Sam
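To make the "URI plus a hash of the content" idea concrete, here is a small added model (not code from this thread, ABFAB, or any SAML implementation): the home AAA server stores an assertion under an opaque token and hands out a reference carrying its SHA-256, and the NAS dereferences it and checks integrity. The host name, the in-memory store, and the `sha256=` fragment syntax are constructed assumptions. The hash catches tampering, but the store never checks who is fetching, which is exactly the authorization gap Sam raises.

```python
"""Constructed model of a hash-carrying reference to a stored SAML assertion."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the home AAA server's short-lived assertion store,
# keyed by the opaque token that appears in the URI path.
ASSERTION_STORE: Dict[str, bytes] = {}

def mint_reference(assertion: bytes,
                   base: str = "https://aaa.example/assertions/") -> str:
    """Store the assertion and return a URI whose fragment binds its SHA-256."""
    token = secrets.token_urlsafe(16)          # unguessable, but a bearer secret
    ASSERTION_STORE[token] = assertion
    digest = hashlib.sha256(assertion).hexdigest()
    return f"{base}{token}#sha256={digest}"

def parse_reference(ref: str) -> Tuple[str, str]:
    """Split a reference into (opaque token, expected hex digest)."""
    uri, _, fragment = ref.partition("#")
    token = uri.rsplit("/", 1)[1]
    algo, _, digest = fragment.partition("=")
    if algo != "sha256" or not digest:
        raise ValueError("reference lacks a sha256 fragment")
    return token, digest

def dereference(ref: str, store: Dict[str, bytes] = ASSERTION_STORE) -> Optional[bytes]:
    """What the NAS does: fetch by URI, then check the body against the hash.

    Any party holding the reference can do this; the store performs no
    authorization check, so the URI itself is the only credential. The hash
    only proves the bytes match what the issuer named, not who served them.
    """
    token, expected = parse_reference(ref)
    body = store.get(token)
    if body is None:
        return None                             # unknown or expired token
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("assertion integrity check failed")
    return body

def integrity_holds(ref: str, store: Dict[str, bytes] = ASSERTION_STORE) -> bool:
    """True when the stored bytes match the hash carried in the reference."""
    try:
        return dereference(ref, store) is not None
    except ValueError:
        return False
```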
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab