Re: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)

To: "Friedrichs, Paul D CTR DISA PEO-IAN" <Paul.Friedrichs.ctr@disa.mil>
Subject: Re: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
From: "Tom Scavo" <trscavo@gmail.com>
Date: Thu, 12 Apr 2007 16:36:07 -0400
Cc: myproxy-users@ncsa.uiuc.edu
Content-disposition: inline
Content-transfer-encoding: 7bit
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ga2ORWTCpdLr2h1uPAsLlcAxwMxY484VDnr+mJ8J2wcJd9tPJaahM5O6t2yl/JdtyVASLlPe6QXU56iuspjNwudSsslt2/rH9nznZLbUpuYpjLJIjkonN35wcZhsONl8uU4P95zdAUrbdiODIe00BsWyaWtYWKen3w//qa08okw=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=OlI6HcBBGhsf0AJWtVs5aRW43xdrYtbm0vbGid85FUXEX0Xqw5lRLEV4unlkIxyceug7Cb5lwAIozFciVzUqxKSBMEKtjhsXlq2KFV3kt80M+FZJPwqgL6wIbLqrlVRx3mUjmRwIDjMoHTX5Yp1sYsqR1o+VOyiwU0cYsNNCARk=
In-reply-to: <A1D78FBB8CE9CC4A9A12DEE15DD8D189EB199A@laccadive.disanet.disa-u.mil>
References: <A1D78FBB8CE9CC4A9A12DEE15DD8D189EB1995@laccadive.disanet.disa-u.mil> <ea2af9bd0704120740j6ebfbdbfqe350495159e2e57f@mail.gmail.com> <A1D78FBB8CE9CC4A9A12DEE15DD8D189EB199A@laccadive.disanet.disa-u.mil>
Sender: owner-myproxy-users@ncsa.uiuc.edu

On 4/12/07, Friedrichs, Paul D CTR DISA PEO-IAN
<Paul.Friedrichs.ctr@disa.mil> wrote:


I recently read about the use of signed SAML authorization decisions for
delegation. Great idea! I wonder whether this would obviate proxy
authentication credentials. (Your possession of a power of attorney does
not support authentication of you; it is an attribute assertion. Relying
parties would have to authenticate you as the person named in the POA.)


In our case, for the time being at least, the SAML assertion is bound
to a short-term X.509 certificate (EEC or proxy), so the authn
credential and the authz credential are one and the same.

(1) If an intermediary includes a senderVouches SAML
authenticationStatement in the header of a WS-Security-signed message to
a back-end resource, the assertion cannot be captured and played
successfully in another, fake message.


I don't think it's the sender-vouches SubjectConfirmation that
provides this security feature, but rather the WS-Security SAML Token
Profile itself.

But "sender vouches" is
misleading. The sender isn't vouching for anything. (Vouching would be
an attribute assertion.)


As far as I understand it, sender-vouches doesn't have anything to do
with the particular statements in the assertion.  In general,
SubjectConfirmation tells the RP what processing steps it needs to
execute before it can be confident that the assertion (whatever its
content) can be associated with the Subject.  In the case of
sender-vouches, no explicit processing steps are required.

The useful meaning of this assertion would be
"I promise that I have authenticated this entity, and that it is he who
has asked me to make this request. Additionally, I promise to give the
response only to this entity. I promise that I have/will authenticate
the entity in the manner described." The scenario works if this
intermediary is trusted by the relying party to make such claims.


This is precisely the use case we have in mind.  Thanks for describing
it so eloquently!

(2) The fact that an "intermediary" is in possession of proof that an
entity has been authenticated doesn't satisfy me that there is any proof
that this "intermediary" had anything to do with that authentication.


This depends entirely on the use case, I think.  The intermediary may
in fact *not* have had anything to do with the original act of
authentication.  Such is the case with a Shibboleth-enabled Science
Gateway, for example.

Again, I'm worried about man-in-the-middle attacks.


To mitigate this possibility, the issuer of the SAML assertion can
bind the intermediary's key to the assertion using holder-of-key
SubjectConfirmation (or otherwise bind something that the RP can use
to obtain a key).  In our case, though, this is not an issue since the
RP trusts the intermediary implicitly.

So generally, I think (1) is a correct, but potentially dangerous and
usually inappropriate, business model, but (2) is faulty technology.


All depends on the use case.  In some cases, you can have your cake
and eat it, too ;-)

I am interested in the use of SAML authorization decisions for
delegation and plan to pull this string at this end.


Great!  We're interested in your use case, so please keep us posted as
it develops.

Thanks,
Tom

References:
- Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
  - From: "Friedrichs, Paul D CTR DISA PEO-IAN" <Paul.Friedrichs.ctr@disa.mil>
- Re: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
  - From: "Tom Scavo" <trscavo@gmail.com>
- RE: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
  - From: "Friedrichs, Paul D CTR DISA PEO-IAN" <Paul.Friedrichs.ctr@disa.mil>

Prev by Date: RE: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
Next by Date: Re: Seamlessness of Delegation (UNCLASSIFIED)
Previous by thread: RE: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
Next by thread: Seamlessness of Delegation (UNCLASSIFIED)

Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index