[OGSA-AUTHZ] Comments: Use of SAML to Retrieve Authorization Credentials
David Chadwick
d.w.chadwick at kent.ac.uk
Mon Sep 15 09:50:25 CDT 2008
Hi Tom
Concerning your comment "1b. X.509 authentication is assumed": I am
slightly confused by this one.
The whole purpose of the OASIS SAML V2.0 Deployment Profiles for X.509
Subjects is that quote "it specifies how a principal who has been issued
an X.509 identity certificate is represented as a SAML Subject, how an
assertion regarding such a principal is produced and consumed,..."
It would therefore be perverse, would it not, to assume that a principal
with an X.509 certificate should use any other method to authenticate to
the IDP/AA.
Your proposed solution does use the X.509 certificate to authenticate,
since you need to be sure that the caller possesses the private key that
matches the public key in the certificate. Therefore the AA/IDP does
know the DN of the user (providing it trusts the CA that issued the
cert). If the AA/IDP does not trust the CA, then the user might as well
issue self-signed certificates. But the OASIS spec says "has been issued
an X.509 certificate" so we can assume that the CA is known and trusted.
But what you appear to be concerned about is that the public key and DN
in the certificate are unknown to the IDP/AA, therefore the latter is
unable to authenticate the caller *as being one of its existing users*,
so does not know which attributes to release to him/her. But the IDP/AA
can still authenticate the user. It is just that the user is unknown to
it. Therefore one solution would be for the CA that issued the
presumably short-lived certificate with a random DN (if it was a
long-lived certificate then the AA/IDP could use the DN as its user
identifier) to also insert into the certificate the username/identifier
of the user that is known to the AA/IDP. In this way the AA/IDP can know
that the caller holds the private key, and is known by the particular
username in the certificate. Would this solve your problem?
regards
David
Tom Scavo wrote:
> Please find attached some comments regarding the "Use of SAML to
> Retrieve Authorization Credentials." I haven't fully reviewed this
> document, but these are the comments I can offer at this time.
>
> Tom Scavo
> NCSA
> --
> ogsa-authz-wg mailing list
> ogsa-authz-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
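A worked example of the arrangement proposed in the mail above, added here and not part of either message or of any OGSA-AUTHZ document: a CA issues a short-lived certificate with a random DN and the username known to the AA/IDP embedded in it, and the AA/IDP side chains the presented certificate to the CAs it trusts, then maps the embedded username to a local user and forms the SAML NameID in X509SubjectName format. It uses only Go's standard library; carrying the username in an rfc822Name SAN, the function names and the sample user table are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var knownUsers = map[string]bool{"tscavo@example.org": true} // the AA/IDP's user table (constructed)

// sign has parentKey sign tmpl for pub (parent == tmpl for a self-signed CA).
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewCA makes a self-signed CA; whether the AA/IDP trusts it is the AA/IDP's decision.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system random source does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotAfter: time.Now().Add(time.Hour)}
	cert, err := sign(tmpl, tmpl, pub, key)
	return cert, key, err
}
// IssueShortLived: 12-hour cert, random DN, AA-known username in an rfc822Name SAN (the SAN is this example's choice).
func IssueShortLived(ca *x509.Certificate, caKey ed25519.PrivateKey, user string) (*x509.Certificate, error) {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the user keeps the private key for TLS client auth
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	return sign(&x509.Certificate{SerialNumber: serial, EmailAddresses: []string{user},
		Subject: pkix.Name{CommonName: "short-lived-" + serial.Text(16)}, NotAfter: time.Now().Add(12 * time.Hour)},
		ca, pub, caKey)
}
// SAMLSubject is the AA/IDP side: chain the cert to a trusted CA (unknown or self-signed issuers fail),
// then map the embedded username to a local user; returns the X509SubjectName NameID and that user.
func SAMLSubject(cert *x509.Certificate, roots *x509.CertPool) (nameID, user string, err error) {
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", "", fmt.Errorf("untrusted issuer: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || !knownUsers[cert.EmailAddresses[0]] {
		return "", "", fmt.Errorf("%s authenticated but is not a user of this AA", cert.Subject)
	}
	return cert.Subject.String(), cert.EmailAddresses[0], nil
}
```

Proof that the caller holds the private key is left to the transport (TLS client authentication), as the mail assumes; this code only covers the issuer-trust check and the mapping from certificate to known user.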