Aaron Stone wrote:
>> to all resources you need/want if you are authorized. Shib is 
>> working the same, when you authenticate you get some "auth token" 
>> (i think it is some form of signed cookie). Clearly the app behind 
>> such an auth mechanism must trust it.
> 

Actually Shibboleth is just a wrapper around an SSO server like CAS.

>>> The Shibboleth IdP does not include an SSO functionality, so 
>>> authentication has to be handled outside of the IdP by means of 
>>> an SSO system (like CAS for Tomcat or Pubcookie for Apache) or 
>>> Tomcat authentication.
http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/idp/install-idp-1.3-debian.html#overview

CAS:
http://www.ja-sig.org/products/cas/index.html

A very complex dance is involved in authenticating a user's browser, the
SSO service, the webmail service and the IMAP backend against each other
while maintaining security against man-in-the-middle attacks.
http://www.ja-sig.org/products/cas/overview/cas2_architecture/index.html

> Right. I'm OK with that. It's just a matter of the time it takes to 
> write the code to interface with whatever libraries give us access to
>  the authentication service.

BUT: not only does DBMail have to be extended with a CAS authentication
plugin. Also the webmail server of choice has to be CASified, and this is
actually the hardest work, since it has to implement a full-fledged
security proxy talking with the browser, the SSO, *and* DBMail.
http://www.ja-sig.org/products/cas/client/index.html

> I'm not OK with allowing connections originating from a 'trusted' IP
>  address to be able to access any account without a password or some
>  authentication token. You're asking for the NFSv1 security model, 
> which is to say, insecurity model.

Aye. An SSO service is, by definition, deployed in a multi-user,
multi-service environment. You can't ignore the inherent complexity of
such an environment and the challenges involved without fatally
compromising security.

:*CU#
-- 
***    Guido A.J. Stevens      ***    mailto:[EMAIL PROTECTED]   ***
***    Net Facilities Group    ***    tel: +31.43.3618933   ***
***    Postbus 1143            ***    fax: +31.43.3561655   ***
***    6201 BC  Maastricht     ***    http://www.nfg.nl     ***

Fiber-optic networks physically instantiate and thus explode
enlightenment.
[ Chun, Control And Freedom, p.98 ]
_______________________________________________
DBmail mailing list
[email protected]
https://mailman.fastxs.nl/mailman/listinfo/dbmail
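The "complex dance" the message above refers to, as an added example that is not part of the original post and is not DBMail or CAS project code: a simplified in-process model of the CAS 2.0 proxy flow between the browser, the SSO server, a CASified webmail front end and an IMAP backend. The relying parties never trust a client IP or a bare username; each of them hands the ticket it received back to the CAS server, which confirms it for exactly that service and burns it. The service names, the user "alice" and her password are constructed for the example, and the PGT is returned in-band instead of via the HTTPS pgtUrl callback that real CAS uses.

```python
"""Simplified in-process model of the CAS 2.0 proxy flow.  Added example,
not DBMail or CAS code.  Every method below stands in for an HTTPS request
(/login, /serviceValidate, /proxy, /proxyValidate) in a real deployment.
Service URLs and the 'alice' account are constructed for the example."""
import secrets


class CasServer:
    def __init__(self):
        self._tgt = {}    # ticket-granting tickets (the SSO cookie) -> user
        self._st = {}     # one-time service tickets -> (user, service)
        self._pgt = {}    # proxy-granting tickets -> (user, proxy service)
        self._pt = {}     # one-time proxy tickets -> (user, target, chain)

    @staticmethod
    def _new(prefix):
        return prefix + "-" + secrets.token_urlsafe(16)

    def login(self, user, password, credentials):
        """Primary authentication at /login; returns the TGC cookie value."""
        if credentials.get(user) != password:
            return None
        tgt = self._new("TGT")
        self._tgt[tgt] = user
        return tgt

    def request_service_ticket(self, tgt, service):
        """Browser presents its TGC and is redirected to one service with an ST."""
        user = self._tgt.get(tgt)
        if user is None:
            return None
        st = self._new("ST")
        self._st[st] = (user, service)
        return st

    def service_validate(self, service, ticket, pgt_url=None):
        """/serviceValidate: the ST is consumed on first use and must match the
        service presenting it.  If the caller registered a pgtUrl it also gets
        a PGT (returned in-band here; real CAS delivers it via the callback)."""
        entry = self._st.pop(ticket, None)
        if entry is None or entry[1] != service:
            return {"ok": False, "reason": "INVALID_TICKET"}
        user = entry[0]
        result = {"ok": True, "user": user}
        if pgt_url is not None:
            pgt = self._new("PGT")
            self._pgt[pgt] = (user, service)
            result["pgt"] = pgt
        return result

    def proxy(self, pgt, target_service):
        """/proxy: the webmail server asks for a ticket it may present to the
        IMAP backend on the user's behalf.  The PT is bound to that target."""
        entry = self._pgt.get(pgt)
        if entry is None:
            return None
        user, proxy_service = entry
        pt = self._new("PT")
        self._pt[pt] = (user, target_service, [proxy_service])
        return pt

    def proxy_validate(self, service, ticket):
        """/proxyValidate: the backend checks the PT (one-time, target-bound)
        and learns which proxies sit between it and the user."""
        entry = self._pt.pop(ticket, None)
        if entry is None or entry[1] != service:
            return {"ok": False, "reason": "INVALID_TICKET"}
        user, _, chain = entry
        return {"ok": True, "user": user, "proxies": chain}


def webmail_login_flow():
    """Run the whole dance once and return what each party ended up with."""
    cas = CasServer()
    creds = {"alice": "correct horse"}          # constructed test account
    webmail = "https://webmail.example/"        # hypothetical CASified webmail
    imap = "imap://mail.example/"               # hypothetical DBMail backend

    tgc = cas.login("alice", "correct horse", creds)                  # browser
    st = cas.request_service_ticket(tgc, webmail)                    # browser -> webmail
    wm = cas.service_validate(webmail, st, pgt_url=webmail + "cas-callback")
    pt = cas.proxy(wm["pgt"], imap)                                  # webmail -> CAS
    backend = cas.proxy_validate(imap, pt)                           # DBMail -> CAS

    # Both of these must fail: replaying the already-consumed ST, and
    # presenting a PT to a service other than the one it was issued for.
    replay = cas.service_validate(webmail, st)
    wrong_target = cas.proxy_validate("imap://other.example/",
                                      cas.proxy(wm["pgt"], imap))
    return {"webmail": wm, "backend": backend,
            "replay": replay, "wrong_target": wrong_target}
```

The point for DBMail is the last step: the IMAP backend only ever sees a proxy ticket, and it calls the CAS server to validate that ticket before it believes any username. That is what replaces the "trusted IP" shortcut; if the webmail server hands over a ticket minted for some other service, or replays one, validation fails and the login is refused.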
