[OGSA-AUTHZ] Comments: Use of SAML to Retrieve Authorization Credentials

Tom Scavo trscavo at gmail.com
Mon Sep 15 08:17:16 CDT 2008


Hi David,

I don't disagree with anything you've said below.  To solve the
"explicit consent" problem, considerably more work is required than
what I've proposed in my comments.  Before I go any further with this,
the question before the group is: Is this a problem that requires a
solution in the first place?

I'll make one additional comment along these lines.  Suppose the
attribute query crosses administrative boundaries, say, between a grid
VO and a campus AA, where pre-established trust is minimal.  Will a
query that includes a declaration of "implicit consent" be sufficient?
I don't know the answer to that question but I have a gut feeling the
answer is no, which is why I've raised the issue.

Tom

On Mon, Sep 15, 2008 at 5:39 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
> Hi Tom
>
> Your final comment is about the inability to prove the presence of the user.
> Your proposed solution is "Instead of requiring a DN, the name identifier in
> the query should be generalized to accommodate the entire certificate".
>
> Unfortunately I don't believe that this solves anything, because a
> certificate is generally publicly available information that can be copied
> and used by anyone at any time. If by certificate, you mean the end entity
> certificate, then this is typically valid for a year, so an untrustworthy
> PEP could use this for a year to query the AA at will. If the certificate is
> a proxy certificate, or other short lived certificate, which is only valid
> for a short period of time, say a day, then in this case it significantly
> shortens the period for abuse. But it still does not guarantee that
>
> i) the user is currently using the PEP
> ii) it is the correct PEP that is making the query (since certificates can
> be copied by anyone).
>
> Furthermore, if a proxy certificate chain is transferred by the PEP to the
> AA, then you are increasing the processing effort of the AA to determine who
> the user is, since it has to validate the entire chain of certificates and
> then remove the trailing RDNs.
>
> So I am not convinced that this is an adequate solution to technically
> remove the need for the AA to trust the PEP. I believe that trust in the PEP
> is adequate for most usage scenarios.
>
> regards
>
> David
>
>
>
> Tom Scavo wrote:
>>
>> Please find attached some comments regarding the "Use of SAML to
>> Retrieve Authorization Credentials."  I haven't fully reviewed this
>> document, but these are the comments I can offer at this time.
>>
>> Tom Scavo
>> NCSA
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>>  ogsa-authz-wg mailing list
>>  ogsa-authz-wg at ogf.org
>>  http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>

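The name-chaining step David describes (the AA validating a proxy certificate chain and stripping the trailing RDNs to recover the end-entity subject) as an added example that is not part of the original thread; it assumes the chain's signatures and validity periods have already been checked separately, takes only the subject DNs in OpenSSL slash notation, and enforces the RFC 3820 rule that each proxy subject equals its issuer's subject plus exactly one extra CN component.

```python
from typing import List, Tuple

RDN = Tuple[str, str]
DN = List[RDN]


def parse_dn(dn: str) -> DN:
    """Parse an OpenSSL-style DN such as '/DC=org/DC=example/CN=alice'."""
    rdns: DN = []
    for part in dn.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def format_dn(dn: DN) -> str:
    return "".join(f"/{attr}={value}" for attr, value in dn)


def end_entity_dn(subjects: List[str]) -> str:
    """Return the end-entity subject from a proxy chain's subject DNs.

    `subjects` is ordered leaf proxy first and ends with the end-entity
    certificate's subject. Each proxy subject must be its issuer's subject
    plus exactly one trailing CN RDN (RFC 3820 name chaining); anything
    else is rejected rather than silently stripped, since a DN that does
    not chain correctly cannot be attributed to the end entity.
    """
    if not subjects:
        raise ValueError("empty chain")
    parsed = [parse_dn(s) for s in subjects]
    for child, parent in zip(parsed, parsed[1:]):
        ok = (len(child) == len(parent) + 1
              and child[:-1] == parent
              and child[-1][0] == "CN")
        if not ok:
            raise ValueError(f"{format_dn(child)} does not chain to "
                             f"{format_dn(parent)}")
    return format_dn(parsed[-1])
```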