[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile

Chad La Joie chad.lajoie at switch.ch
Sun Dec 9 23:37:03 CST 2007 

Tom Scavo wrote:
> I'm sure you know this but if you change all the normative language
> regarding <saml:Issuer> from SHOULD to MUST, you essentially end up
> with the Assertion Query/Request Profile in section 6 of the SAML V2.0
> Profiles spec:
> 
> http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Yes, it's supposed to be very similar to the query/request profile.

> So the obvious question is why did you change the language regarding
> <saml:Issuer>?

The responder needs to know who is making the request.

> Overall, your profile is a curious blend of more restrictive / less
> restrictive language with respect to the profiles it depends on.  The
> stated requirements on <saml:Issuer> are an example of the latter.
> The security requirements in section 3 seem to be an example of the
> former.  In particular, I find it odd that integrity and
> confidentiality are MUSTs, yet authentication is SHOULD.  Can you say
> a few words about that (beyond what's already written in the
> document)?

Why would you find it odd that security requests/responses require 
integrity and confidentiality mechanisms?  They are required because not 
doing them makes the request/response completely untrustwothy.

In regards to authentication, this one I went back and forth on.  I 
personally think the requester and responder should always be mutually 
authenticated, but I could imagine cases where deployers had a more lax 
view, especially on the policy request.  So, I just left it as a SHOULD 
so that individual deployments could choose not to do it, if they wanted.

> Finally, the restriction on lines 178--180 seems to contradict
> sections 6.1 and 7 of the SAML-XACML profile.  Why restrict carte
> blanche the proxying of the <saml:Assertion> by the requester?  Not
> only does that contradict the SAML-XACML profile but it's clearly out
> of scope for your use case.

There is no contradiction here and there is no proxying.  Instead, this 
simply states that if an attribute authority provides attributes that 
party can't then pass them around to others.  I know you're in favor of 
this model, I am not.

For those that aren't subscribed to one of the many lists on which this 
issue has been brought up, let me outline the basics.  These assertions 
carry potentially sensitive information about a user.  Most attribute 
authorities contain the ability to control the release of this 
information on a per-party basis (i.e. A can see/request the sensitive 
information but B may not).  A service which passed the information it 
received onto another service circumvents the attribute authority and 
its policies.

It's interesting that Tom brings up proxying.  I heard many a discussion 
about this exact same problem, in regards to proxy credentials, at the 
last two middleware design meetings I attended.  There are ways to 
securely allow one service to impersonate a user to another service, but 
it requires the active participation of the entity(ies) responsible for 
the user.  Circumventing these entities may be much easier but it isn't 
secure.

-- 
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie at switch.ch, http://www.switch.ch

More information about the ogsa-authz-wg mailing list