RE: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE
> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Thursday, April 12, 2007 10:40 AM
> To: Friedrichs, Paul D CTR DISA PEO-IAN
> Cc: myproxy-users@ncsa.uiuc.edu
> Subject: Re: Least Privilege & Special Powers of Attorney
> (UNCLASSIFIED)
...
> One approach is to embed SAML assertions containing
> authorization decision statements in a non-critical
> certificate extension. In another project, we are using this
> technique to push authentication statements and attribute
> statements to relying parties, but I think authorization
> decision statements could be used in a similar way to limit
> the privileges associated with proxy certificates.
I recently read about the use of signed SAML authorization decisions for
delegation. Great idea! I wonder whether this would obviate proxy
authentication credentials. (Your possession of a power of attorney does
not support authentication of you; it is an attribute assertion. Relying
parties would have to authenticate you as the person named in the POA.)
A primary benefit of proxy authentication credentials seems to be that
the proxy can act anonymously, without the relying party needing to know
who the proxy is. But if the principal can name the proxy (in the signed
SAML authorization decision), the proxy can be authenticated normally.
And these decisions can be chained just as proxy credentials can.
The primary reason I am so interested in MyProxy is the variety of ways
SAML authentication statements are being used in N-tier situations.
(1) If an intermediary includes a senderVouches SAML
authenticationStatement in the header of a WS-Security-signed message to
a back-end resource, the assertion cannot be captured and played
successfully in another, fake message. But "sender vouches" is
misleading. The sender isn't vouching for anything. (Vouching would be
an attribute assertion.) The useful meaning of this assertion would be
"I promise that I have authenticated this entity, and that it is he who
has asked me to make this request. Additionally, I promise to give the
response only to this entity. I promise that I have/will authenticate
the entity in the manner described." The scenario works if this
intermediary is trusted by the relying party to make such claims. The
relying party must understand that *any* such claims could be made by
this "intermediary."
(2) The fact that an "intermediary" is in possession of proof that an
entity has been authenticated doesn't satisfy me that there is any proof
that this "intermediary" had anything to do with that authentication.
Again, I'm worried about man-in-the-middle attacks.
So generally, I think (1) is a correct, but potentially dangerous and
usually inappropriate, business model, but (2) is faulty technology.
We are not "propagating" or "passing" authentication. The intermediary
is either working for the user or working for the back end. The
challenge is most fundamentally delegation, not authentication. Other
scenarios include intermediaries that simply introduce and step aside,
retailers who merely pass authenticate-able and/or encrypted products,
etc. The N-tier scenario isn't a single challenge with a
one-size-fits-all solution. We are trying to understand the discrete
possible business scenarios and support each.
I am interested in the use of SAML authorization decisions for
delegation and plan to pull this string at this end.
Many Thanks
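A relying-party check of the kind discussed above, added here as an example and not part of this thread: the party the relying party authenticated must be the subject named in the last link of a chain of SAML authorization decisions, and no delegate may pass on more privilege than it was itself granted. The SAML 1.1 assertions are constructed inline and unsigned; signature verification against each Issuer is assumed to have happened already, and the names, resource URN and action namespace are made up.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def assertion(issuer, subject, resource, actions):
    """Build a constructed (unsigned) SAML 1.1 assertion carrying one Permit decision."""
    acts = "".join(f'<saml:Action Namespace="urn:example:actions">{a}</saml:Action>'
                   for a in actions)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" MajorVersion="1" MinorVersion="1" '
            f'Issuer="{issuer}"><saml:AuthorizationDecisionStatement Resource="{resource}" '
            f'Decision="Permit"><saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier>'
            f'</saml:Subject>{acts}</saml:AuthorizationDecisionStatement></saml:Assertion>')

def parse_decision(xml_text):
    """Extract issuer, named subject, resource, decision and action set from one assertion."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthorizationDecisionStatement", NS)
    return {"issuer": root.get("Issuer"),
            "subject": stmt.find("saml:Subject/saml:NameIdentifier", NS).text,
            "resource": stmt.get("Resource"),
            "decision": stmt.get("Decision"),
            "actions": {a.text for a in stmt.findall("saml:Action", NS)}}

def authorize(owner, chain, authenticated_party, resource, action):
    """Relying-party decision over a chain of delegation assertions.
    Assumed: each assertion's signature was already verified against its Issuer.
    Rules: the first issuer is the resource owner; every later issuer is the
    previous link's subject; a delegate may only hand on actions it holds
    (least privilege); the authenticated party must be the last named subject,
    because possession of the decision is not authentication of its holder."""
    granted = None          # actions the current delegator holds; None: owner holds all
    delegator = owner
    for link in map(parse_decision, chain):
        if (link["issuer"] != delegator or link["resource"] != resource
                or link["decision"] != "Permit"):
            return False
        if granted is not None and not link["actions"] <= granted:
            return False    # a delegate tried to grant more than it was given
        granted, delegator = link["actions"], link["subject"]
    return granted is not None and delegator == authenticated_party and action in granted

# Constructed chain: alice (owner) lets bob read and write; bob lets carol read only.
CHAIN = [assertion("alice", "bob", "urn:example:data:x", ["read", "write"]),
         assertion("bob", "carol", "urn:example:data:x", ["read"])]
```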