[OGSA-AUTHZ] Comments: Use of SAML to Retrieve Authorization Credentials

David Chadwick d.w.chadwick at kent.ac.uk
Mon Sep 15 09:50:25 CDT 2008


Hi Tom

concerning your comment "1b. X.509 authentication is assumed", I am 
slightly confused by this one.

The whole purpose of the OASIS SAML V2.0 Deployment Profiles for X.509 
Subjects is that quote "it specifies how a principal who has been issued 
an X.509 identity certificate is represented as a SAML Subject, how an 
assertion regarding such a principal is produced and consumed,..."

It would therefore be perverse, would it not, to assume that a principal 
with an X.509 certificate should use any other method to authenticate to 
the IDP/AA.

Your proposed solution does use the X.509 certificate to authenticate, 
since you need to be sure that the caller possesses the private key that 
matches the public key in the certificate. Therefore the AA/IDP does 
know the DN of the user (providing it trusts the CA that issued the 
cert). If the AA/IDP does not trust the CA, then the user might as well 
issue self-signed certificates. But the OASIS spec says "has been issued 
an X.509 certificate" so we can assume that the CA is known and trusted. 
But what you appear to be concerned about is that the public key and DN 
in the certificate are unknown to the IDP/AA, therefore the latter is 
unable to authenticate the caller *as being one of its existing users*, 
so does not know which attributes to release to him/her. But the IDP/AA 
can still authenticate the user. It is just that the user is unknown to 
it. Therefore one solution would be for the CA that issued the 
presumably short-lived certificate with a random DN (if it was a 
long-lived certificate then the AA/IDP could use the DN as its user 
identifier) to also insert into the certificate the username/identifier 
of the user that is known to the AA/IDP. In this way the AA/IDP can know 
that the caller holds the private key, and is known by the particular 
username in the certificate. Would this solve your problem?

regards

David



Tom Scavo wrote:
> Please find attached some comments regarding the "Use of SAML to
> Retrieve Authorization Credentials."  I haven't fully reviewed this
> document, but these are the comments I can offer at this time.
> 
> Tom Scavo
> NCSA

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
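Added here as an illustration of the arrangement David describes above, not code from this thread, the OGSA-AuthZ document or the OASIS profile: using Go's standard x509 package, a CA issues a short-lived certificate with a random subject DN and places the username the AA/IdP already knows in the subjectAltName as an rfc822Name (my choice of extension; the message names none), and the AA/IdP accepts the certificate only if it chains to a CA it trusts, reading the username from that extension rather than from the DN. The CA names, the user identifier "alice@idp.example" and the 12-hour lifetime are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA: a self-signed CA certificate and its signing key (errors ignored; demo only).
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// IssueShortLived: the CA signs a 12-hour certificate whose subject DN is random
// but whose subjectAltName carries the identifier the AA/IdP already knows
// (put here as an rfc822Name; the thread does not say which extension to use).
func IssueShortLived(ca *x509.Certificate, caKey ed25519.PrivateKey, pub ed25519.PublicKey, user string) ([]byte, error) {
	rnd, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: rnd.Text(16)}, EmailAddresses: []string{user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
}

// KnownUser is the AA/IdP side: the certificate must chain to a CA it trusts, and the
// identifier is read from the SAN, never from the random DN. That the caller holds the
// matching private key is proven by the TLS client-auth handshake, outside this code.
func KnownUser(der []byte, roots *x509.CertPool) (string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = c.Verify(opts); err != nil || len(c.EmailAddresses) != 1 {
		return "", fmt.Errorf("rejected: %v (identifiers in SAN: %d)", err, len(c.EmailAddresses))
	}
	return c.EmailAddresses[0], nil
}
```

A certificate carrying the same identifier but issued by a CA that is not in the AA/IdP's root pool fails Verify, which is the "does not trust the CA" case in the message: the identifier on its own proves nothing.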