On 6/7/06, Haripriya S <[EMAIL PROTECTED]> wrote:
John,

Looking at the last diagram, and the discussion on keeping the
acquisition of assertions separate from presenting those, I have this
basic question (could also be due to my lack of knowledge of SAML
assertions :-)):

When a user needs to present the identity assertion, and the "over 21
assertion" from the ID agent, what prevents a man-in-the-middle from
mixing and matching assertions? Example: What if I have browser code to
take my ID assertion from the ID agent, and someone else's "Over 21"
assertion (which I probably captured by posing as a replying party), and
passed it on to the replying party. Is this scenario possible? Is there
a restriction on who can present an assertion in the assertion itself?

I think you mean "relying" rather than "replying". And certainly it
can be arranged that a man in the middle cannot present it - for
example, you could have the owner sign the assertion (and have that
signature signed by the issuer of the assertion) and then require them
to prove ownership of the signing key when presenting the assertion.


Thanks and Regards,
Haripriya S.


>>> John Merrells <[EMAIL PROTECTED]> 06/06/06 3:27 am >>>

On 5-Jun-06, at 2:42 PM, Eric Rescorla wrote:

>
> I'm still not sure I get what you're saying. Let me see if I can
> try again looking at the flows of data.
>
>
> OPTION 1: What I take DIX to be doing

Yes, this interaction diagram is correct.

> Client                     IdP                   Relying Party
>
> -------------------------   Service Please ------------ >
> <-------------------------  Prove you're over 21--------
>
> <------- Auth exchange ------ >
> <-------  Over 21 credential--
>
> <-----------------  Auth exchange plus over 21 cred ---- >

Assuming that at some point earlier the user acquired an over 21 assertion
from an appropriate authority.

Client            Identity Agent                   Authority

-------------------------   Service Please ------------ >
<---  Auth/Verify exchange, maybe even out of band ---- >
<-------  Over 21 credential----------------------------
<---------  Over 21 cred ---- >

John
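The holder-of-key arrangement sketched in the reply above (the owner signs the assertion, the issuer signs over that, and the presenter must prove possession of the signing key) as an added Go example; this is not code from the DIX list or its authors. The Assertion layout, the SHA-256 digest, the relying party's nonce challenge and the use of Ed25519 keys are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Assertion is a constructed holder-of-key assertion: the holder signs the
// claim, and the issuer signs claim+holder key+holder signature together.
type Assertion struct {
	Claim, HolderSig, IssuerSig []byte
	HolderPub                   ed25519.PublicKey
}

// issuerInput is the digest the issuer signs; the holder later signs it with the nonce.
func issuerInput(a Assertion) []byte {
	h := sha256.New()
	h.Write(a.Claim)
	h.Write(a.HolderPub)
	h.Write(a.HolderSig)
	return h.Sum(nil)
}

// Issue: holder signs the claim, then the issuer signs claim+key+holder sig.
func Issue(issuerPriv, holderPriv ed25519.PrivateKey, claim []byte) Assertion {
	a := Assertion{Claim: claim, HolderPub: holderPriv.Public().(ed25519.PublicKey)}
	a.HolderSig = ed25519.Sign(holderPriv, claim)
	a.IssuerSig = ed25519.Sign(issuerPriv, issuerInput(a))
	return a
}

// Present proves possession of the bound key over a nonce the relying party chose.
func Present(holderPriv ed25519.PrivateKey, a Assertion, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, append(issuerInput(a), nonce...))
}

// Verify is the relying party's check: issuer sig, holder co-sig, fresh proof of possession.
func Verify(issuerPub ed25519.PublicKey, a Assertion, nonce, proof []byte) error {
	switch {
	case !ed25519.Verify(issuerPub, issuerInput(a), a.IssuerSig):
		return errors.New("issuer signature invalid")
	case !ed25519.Verify(a.HolderPub, a.Claim, a.HolderSig):
		return errors.New("holder signature invalid")
	case !ed25519.Verify(a.HolderPub, append(issuerInput(a), nonce...), proof):
		return errors.New("presenter does not hold the bound key")
	}
	return nil
}
```

A captured assertion presented by a party that lacks the bound private key fails the third check, and swapping in a different holder key breaks the issuer's signature, which is the mix-and-match case raised in the question.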



_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix