[OGSA-AUTHZ] [Fwd: Re: Draft XACML/SAML Protocol Profile]
Chad La Joie
chad.lajoie at switch.ch
Wed Dec 12 08:04:05 CST 2007
Sorry, didn't send this to the whole list.
-------- Original Message --------
Subject: Re: [OGSA-AUTHZ] Draft XACML/SAML Protocol Profile
Date: Wed, 12 Dec 2007 14:59:03 +0100
From: Chad La Joie <chad.lajoie at switch.ch>
Organization: SWITCH
To: David Chadwick <d.w.chadwick at kent.ac.uk>
References: <475418B0.5050003 at switch.ch>
<ea2af9bd0712091902p1b5547efv2d25c40e2b6b535c at mail.gmail.com>
<475CD07F.1050307 at switch.ch>
<ea2af9bd0712100636l7f2c4ce4je88a6ecdd01194f2 at mail.gmail.com>
<475D6EF7.504 at switch.ch> <475EBFCE.5030300 at kent.ac.uk>
No, no confusion. I was referring to a very specific requirement,
integrity, which is orthagonal to authentication. It happens that the
most common mechanism we use for confidentiality and integrity, SSL/TLS,
*may* also provide a means for authenticating the client as well. It is
not required and it not doing does not change the integrity properties
of that mechanism.
David Chadwick wrote:
> Hi Chad
>
> from your long response I do believe that you are confusing integrity
> with authenticity. Can you tell me which integrity mechanism you are
> thinking of that provides message integrity without any ability for the
> recipient to determine who the sender is.
>
> regards
>
> David
>
> Chad La Joie wrote:
>> Let me address confidentiality and integrity requirements separately.
>>
>> XACML authorization decision requests *and* responses may carry XACML
>> request contexts. These contexts can contain sensitive information
>> about individuals. Such information can not be distinguished by
>> requester/responder software. The only way then to ensure the
>> protection of such information is to always require that some form of
>> confidentiality be in place. This is also why the requester/responder
>> is not allowed to forward assertion onto parties for which it was not
>> intended.
>>
>> Likewise the policy response may contain sensitive information, in
>> most cases the sensitivity will likely stem from the ability to
>> examine and exploit the policy under which the PDP will operate, but
>> other issues may be present as well. While we certainly hope that
>> deployers won't have holes in their policies, the complexity of XACML
>> makes it likely that such holes will occur. Providing all the
>> information necessary for an attacker to take advantage of such holes
>> posses an unnecessary risk; a risk that is easily mitigated by
>> confidentiality requirements.
>>
>> Integrity is required within the authorization decision request so
>> that an attacker can not manipulate the content of the request in
>> order to produce a positive authorization decision. While a PEP may
>> be able to detect this if the XACML request context is returned by the
>> PDP it is unlikely that the context will be returned in the response.
>> The authorization decision response needs to be protected because the
>> response may simply be a "yes" or a "no". The PEP has no way to
>> determine if the message was changed in transit. Also, note, that
>> even if the responder did return the request context, allowing the PEP
>> to verify that the request was not altered, such a check is
>> meaningless without response integrity checking.
>>
>> An integrity mechanism is required on a policy request to prevent a
>> third party from intercepting the request and altering the policy
>> requirements such that a more lax policy is returned. It is required
>> on the response to prevent that the policy itself from being altered.
>>
>> Tom Scavo wrote:
>>> On Dec 10, 2007 12:37 AM, Chad La Joie <chad.lajoie at switch.ch> wrote:
>>>> Tom Scavo wrote:
>>>>> I'm sure you know this but if you change all the normative language
>>>>> regarding <saml:Issuer> from SHOULD to MUST, you essentially end up
>>>>> with the Assertion Query/Request Profile in section 6 of the SAML V2.0
>>>>> Profiles spec:
>>>>>
>>>>> http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
>>>> Yes, it's supposed to be very similar to the query/request profile.
>>>>
>>>>> So the obvious question is why did you change the language regarding
>>>>> <saml:Issuer>?
>>>> The responder needs to know who is making the request.
>>> Well, this is straightforward query, so your profile can (and probably
>>> should) build on the Assertion Query/Request Profile (which requires
>>> <saml:Issuer>). In that case, the profile reduces to little more than
>>> section 3.
>>>
>>>>> Overall, your profile is a curious blend of more restrictive / less
>>>>> restrictive language with respect to the profiles it depends on. The
>>>>> stated requirements on <saml:Issuer> are an example of the latter.
>>>>> The security requirements in section 3 seem to be an example of the
>>>>> former. In particular, I find it odd that integrity and
>>>>> confidentiality are MUSTs, yet authentication is SHOULD. Can you say
>>>>> a few words about that (beyond what's already written in the
>>>>> document)?
>>>> Why would you find it odd that security requests/responses require
>>>> integrity and confidentiality mechanisms? They are required because
>>>> not
>>>> doing them makes the request/response completely untrustwothy.
>>>>
>>>> In regards to authentication, this one I went back and forth on. I
>>>> personally think the requester and responder should always be mutually
>>>> authenticated, but I could imagine cases where deployers had a more lax
>>>> view, especially on the policy request. So, I just left it as a SHOULD
>>>> so that individual deployments could choose not to do it, if they
>>>> wanted.
>>> Section 6.1 of [SAMLSecure] addresses the security implications of the
>>> SAML SOAP Binding. In addition, section 3.1.2 of the SAML Bindings
>>> specification [SAMLBind] provides further security guidelines
>>> regarding SAML bindings. Taken together, these security
>>> considerations adequately address this use case, I think. Additional
>>> requirements with respect to integrity and confidentiality have not
>>> been justified.
>>>
>>> Tom
>>
>
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie at switch.ch, http://www.switch.ch
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie at switch.ch, http://www.switch.ch
More information about the ogsa-authz-wg
mailing list