shibboleth-dev - RE: OS X info, webDAV use case

Shibboleth Developers

List archive

  • From: Scott Cantor <>
  • To: ,
  • Subject: RE: OS X info, webDAV use case
  • Date: Wed, 24 Sep 2003 13:32:45 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> so, I authn to the webdav server using PKI. It's never heard from me
> before, but, thru the magic of PKI, I'm able to prove my identity.....

Ok, fair enough. I guess it's the cert->target scenario we've seen before,
with the advantage again being that if the target hands the cert to the AA
and defers to it for validation, you sidestep the usual problems (leaving
only the fact that client certs are a...you know).

> and the cert that I provide contains the info the target would
> supply back to the AA....

Has to be the cert itself. Without that, you have to validate the info in
the cert yourself.

> when I saw Tom's initial posting, I had a different question.. an
> AA will release attributes when presented with a SAML authn assertion
> signed by itself (ie the origin)...

Well, so that's the trick...right now, knowing the handle is deemed proof of
"presence" such that the AA will release attributes. That's not the same
thing as presenting the authn assertion. We don't do that now either.

> assuming I could authn to the
> webdav server using basic auth.... who would sign the authn assertion
> that has to be presented to the AA?

We don't do this now, so there's nothing to compare with. One option is that
proof of presence might be something you can toggle in the ARP. Liberty
attribute services are more or less like that.

> maybe using PKI, and presenting a cert, would answer this
> question, too

Well, it doesn't prove anything, really, since the cert's public. If I trust
the SHAR to not just hand me a cert for fun, it works. The handle scheme
isn't really secure per se by design, but it puts the onus on a bad SHAR to
invent a valid handle. In the crypto handle case, that's a fairly secure
cross check.

-- Scott
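The two handle flavours Scott contrasts above, the plain "the AA trusts whoever knows the handle" scheme and the crypto handle that gives the AA something to cross-check, as an added illustration that is not part of the original message and not Shibboleth's own code. Everything here is assumed for the example: the Handle Service (HS) and Attribute Authority (AA) of one origin share a constructed key `ORIGIN_KEY`; the crypto handle is built as encrypt-then-MAC over the principal and an expiry using an HMAC-SHA256 keystream and tag (a stand-in construction, not the real Shibboleth 1.x handle format); `tamper()` plays the rogue SHAR who tries to alter a handle it legitimately received; `OpaqueHandleTable` is the non-crypto variant where the AA can only look the handle up.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

NONCE_LEN = 16      # bytes of per-handle randomness
TAG_LEN = 32        # HMAC-SHA256 tag length

# Constructed demo key shared by the HS and AA of one origin (assumption:
# both components read the same origin-side secret). Not a real key.
ORIGIN_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _subkeys(key):
    """Derive separate encryption and MAC keys from the origin secret."""
    enc = hmac.new(key, b"crypto-handle/enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"crypto-handle/mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream in counter mode (toy cipher
    for the example; a real deployment would use AES-GCM or similar)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_handle(principal, key=ORIGIN_KEY, lifetime=300, now=None):
    """HS side: encrypt-then-MAC the principal and expiry into an opaque handle."""
    now = time.time() if now is None else now
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = json.dumps({"sub": principal, "exp": int(now) + lifetime},
                      separators=(",", ":")).encode()
    ct = _keystream_xor(enc_key, nonce, body)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def resolve_handle(handle, key=ORIGIN_KEY, now=None):
    """AA side: return the principal behind a handle, or None if the handle
    is forged, tampered with, malformed or expired."""
    now = time.time() if now is None else now
    enc_key, mac_key = _subkeys(key)
    try:
        raw = base64.urlsafe_b64decode(handle)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                  # a SHAR cannot invent or alter a handle
    body = json.loads(_keystream_xor(enc_key, nonce, ct))
    if body["exp"] <= now:
        return None
    return body["sub"]


def tamper(handle):
    """What a rogue SHAR might try: flip one ciphertext bit of a handle it
    legitimately received, hoping it resolves to a different principal."""
    raw = bytearray(base64.urlsafe_b64decode(handle))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


class OpaqueHandleTable:
    """Non-crypto variant: a random handle the HS records and the AA looks
    up. Nothing to verify; security rests on the handle being unguessable."""

    def __init__(self):
        self._table = {}

    def issue(self, principal, lifetime=300, now=None):
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(24)
        self._table[handle] = (principal, now + lifetime)
        return handle

    def resolve(self, handle, now=None):
        now = time.time() if now is None else now
        entry = self._table.get(handle)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]
```

Run it with a fixed clock, e.g. `h = issue_handle("alice@example.edu", now=1_000_000)`; `resolve_handle(h, now=1_000_060)` yields the principal, while the tampered handle, a wrong key, garbage, or a time past the expiry all yield `None`. Note the limit, which is the same one Scott states: the MAC stops a SHAR from inventing or altering a handle, and the encryption keeps the principal opaque to the SHAR, but nothing binds the handle to the SHAR that received it. Knowing the handle is still the whole proof of presence; a SHAR that legitimately holds one can present it, exactly as in the table-lookup variant.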

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
Archive powered by MHonArc 2.6.16.