On Thu, 2007-03-01 at 17:57 +0100, Martin Hierling wrote:
> Hi,
>
> > You are assuming 100% trust of the proxy to tell you the truth about
> > which account it authenticated, without any actual key exchange. The
> > potential for disaster here is huge! Of course you have to trust the
> > auth server in some way, but it is necessary for security-in-depth to
> > demand some additional checks every time.
>
> Yes. That's the key point behind a single sign on system. You have to
> trust your "proxy" or in this case the Shibboleth auth server 100%.
> But that's the way SSO Systems work. It is the same with Kerberos.
> When you login you get an "auth token", with that token you get access
> to all resources you need/want if you are authorized. Shib is working
> the same, when you authenticate you get some "auth token" (I think it
> is some form of signed cookie). Clearly the app behind such an auth
> mechanism must trust it.

Right. I'm OK with that. It's just a matter of the time it takes to write the code to interface with whatever libraries give us access to the authentication service.

I'm not OK with allowing connections originating from a 'trusted' IP address to be able to access any account without a password or some authentication token. You're asking for the NFSv1 security model, which is to say, insecurity model.

Aaron

_______________________________________________
DBmail mailing list
https://mailman.fastxs.nl/mailman/listinfo/dbmail
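
The contrast drawn in this thread, as an added example that is not part of the original messages or of DBmail's code: a backend that accepts an account name from any 'trusted' IP address, next to one that also demands an authentication token bound to that account. The HMAC-with-shared-key token format, the function names, the key and the IP addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed values; a real deployment provisions the key out of band.
SHARED_KEY = b"constructed-example-key"
TRUSTED_PROXY_IPS = {"192.0.2.10"}


def issue_token(username, expires_at, key=SHARED_KEY):
    """What the auth server hands out after a successful login (hypothetical format)."""
    payload = f"{username}|{expires_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def login_by_ip_only(peer_ip, claimed_user):
    """The model objected to above: the source address is the only check,
    so the claimed account name is never verified at all."""
    return peer_ip in TRUSTED_PROXY_IPS


def login_with_token(peer_ip, claimed_user, token, now=None, key=SHARED_KEY):
    """Accept the proxy's claim only with a valid, unexpired token for the
    same account. The source address is an extra filter, not proof."""
    if peer_ip not in TRUSTED_PROXY_IPS or not token:
        return False
    parts = token.rsplit("|", 2)  # username may itself contain '|'
    if len(parts) != 3:
        return False
    user, expires, mac = parts
    expected = hmac.new(key, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the MAC before any field is trusted.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    if not expires.isdecimal() or int(expires) < current:
        return False
    # The token must be for the account the proxy is asking to open.
    return hmac.compare_digest(user.encode(), claimed_user.encode())
```

With the IP-only check, a connection from the proxy's address can name any account; with the token check, the same connection is refused unless it presents a token issued for that account.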
