shibboleth-dev - Re: OS X info, webDAV use case

Re: OS X info, webDAV use case
  • From: Ryan Muldoon <>
  • To: <>, <>
  • Subject: Re: OS X info, webDAV use case
  • Date: Wed, 24 Sep 2003 13:40:50 -0400

A solution that would work nicely, but is infeasible basically because there
would need to be a lot of client modifications, is to forget about
Authentication altogether. (This is an idea that Eric Norman clued me into.)
I can just assert that I'm
,
and the service provider
takes my word for it, but any data that it sends back is encrypted against
's
public key. If I'm not Ryan Muldoon, I get a lot
of junk. If I am, I get what I want. The advantage to this (to somewhat
counter-balance the enormous disadvantage of client issues) is that N-tier
type problems go away. Backend services don't need to know how I was
credentialed, if the credentials were faked, etc. Trust models are a lot
simpler, as it is basically reduced to perhaps service providers signing the
envelope as they pass data back, so I know that it came from servers I
trust. But while this is my favorite solution to such problems, there are
too many client issues. Which is why PKI makes a lot of sense in these
types of scenarios.

--Ryan


On 9/24/03 1:19 PM, "" <> wrote:

> At 12:27 PM -0400 9/24/03, Scott Cantor wrote:
>>> Abstracting a bit from the particulars of this use case, it might be
>>> worth considering a model in which a resource manager can initiate a
>>> request for attributes about an already-authenticated user.
>>> Instead of attributes being bound to users by virtue of the
>>> authentication
>>> process employed, as occurs in shibboleth v1 because of its focus on the
>>> web browser use case, there would need to be a step in which a resource
>>> manager asks an origin to search for a user identity based upon whatever
>>> authentication artifacts it has in hand
>>> (
>>> in Mark's
>>> example). Attributes could only be transmitted if that search
>>> is successful.
>>
>> There's nothing all that much precluding it, except that the AA currently
>> doesn't support multiple mappings of subject identifier to principal.
>> Nothing very complex to change, though. But authentication is the real
>> problem. How do I convince mod_dav I'm mewilcox?
>>
>
> hmmm... finally a use case for PKI (-:
>
> so, I authn to the webdav server using PKI. Its never heard from me
> before, but, thru the magic of PKI, I'm able to prove my identity.....
>
> and the cert that I provide contains the info the target would
> supply back to the AA....
>
> when I saw Tom's initial posting, I had a different question.. an
> AA will release attributes when presented with a SAML authn assertion
> signed by itself (ie the origin)... assuming I could authn to the
> webdav server using basic auth.... who would sign the authn assertion
> that has to be presented to the AA?
>
> maybe using PKI, and presenting a cert, would answer this question, too
>
> and, as Tom noted, interesting overlap with the grid scenario.......
>
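The "skip authentication, encrypt the answer to the claimed identity" scheme Ryan sketches above, worked through as an added example; this is not code from the original post or from Shibboleth. It assumes an in-memory directory mapping a constructed principal name ("ryan") to an RSA public key, RSA-OAEP for the data and RSA-PSS for the service provider's envelope signature; all three key pairs are generated on the fly for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyDirectory maps a principal name to its public key. It stands in for the
// directory (PKI) lookup the scheme depends on; the entries are constructed.
type keyDirectory map[string]*rsa.PublicKey

// envelope is what the service provider hands back: data encrypted to the
// claimed principal, plus the provider's signature over the ciphertext.
type envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// serviceProvider never authenticates the caller. It takes the claimed
// identity at face value and protects the response by encrypting it to that
// identity's registered public key and signing the envelope.
type serviceProvider struct {
	dir     keyDirectory
	signKey *rsa.PrivateKey
}

func (sp *serviceProvider) respond(claimedPrincipal string, data []byte) (envelope, error) {
	pub, ok := sp.dir[claimedPrincipal]
	if !ok {
		return envelope{}, errors.New("no public key on file for " + claimedPrincipal)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	if err != nil {
		return envelope{}, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sp.signKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return envelope{}, err
	}
	return envelope{Ciphertext: ct, Signature: sig}, nil
}

// openEnvelope is the client side: check that a trusted server signed the
// envelope, then decrypt with the caller's own private key. Only the holder
// of the claimed principal's private key gets the plaintext back.
func openEnvelope(env envelope, trustedSP *rsa.PublicKey, priv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(trustedSP, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("envelope not from a trusted server: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.Ciphertext, nil)
}

// Demo runs the exchange once with the constructed principal "ryan". It reports
// whether the real key holder recovered the data, whether an impostor who
// claimed the same principal could, and whether a tampered envelope was rejected.
func Demo() (holderOK, impostorOK, forgedRejected bool, err error) {
	holder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	sp := &serviceProvider{dir: keyDirectory{"ryan": &holder.PublicKey}, signKey: spKey}

	want := []byte("calendar entries for ryan (constructed payload)")
	env, err := sp.respond("ryan", want) // both parties simply claim to be "ryan"
	if err != nil {
		return
	}
	got, err := openEnvelope(env, &spKey.PublicKey, holder)
	holderOK = err == nil && string(got) == string(want)

	_, err = openEnvelope(env, &spKey.PublicKey, impostor)
	impostorOK = err == nil

	// Tamper with the ciphertext: the signature check must fail before decryption.
	forged := env
	forged.Ciphertext = append([]byte{}, env.Ciphertext...)
	forged.Ciphertext[0] ^= 0x01
	_, err = openEnvelope(forged, &spKey.PublicKey, holder)
	forgedRejected = err != nil
	err = nil
	return
}

func main() {
	h, i, f, err := Demo()
	fmt.Println("holder reads data:", h, "| impostor reads data:", i, "| tampered envelope rejected:", f, "| err:", err)
}
```

Two points the exchange makes concrete. With OAEP the impostor gets a decryption error rather than the "junk" Ryan describes, which is the same outcome for the scheme; what the design actually hinges on is the integrity of the public-key directory, since whoever controls the mapping from principal to key controls who can read the response. And the envelope signature only tells the client which server produced the data, matching the point that backend services need not know how the caller was credentialed; it says nothing about who triggered the request, so the scheme protects confidentiality of what is sent back, not operations the server performs on the caller's behalf.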
