Shibboleth Developers

[Ryan Muldoon <>]

A solution that would work nicely, but is infeasible basically because there
would need to be a lot of client modifications, is to forget about
Authentication altogether.  (This is an idea that Eric Norman clued me into)
I can just assert that I'm 
,
 and the service provider
takes my word for it, but any data that it sends back is encrypted against
's
 public key.  If I'm not Ryan Muldoon, I get a lot
of junk.  If I am, I get what I want.  The advantage to this (to somewhat
counter-balance the enormous disadvantage of client issues) is that N-tier
type problems go away.  Backend services don't need to know how I was
credentialed, if the credentials were faked, etc.  Trust models are a lot
simpler, as it is basically reduced to perhaps service providers signing the
envelope as they pass data back, so I know that it came from servers I
trust.  But while this is my favorite solution to such problems, there are
too many client issues.  Which is why PKI makes a lot of sense in these
types of scenarios.

    --Ryan


On 9/24/03 1:19 PM, 
""
 
<>
wrote:

> At 12:27 PM -0400 9/24/03, Scott Cantor wrote:
>>> Abstracting a bit from the particulars of this use case, it might be
>>>  worth considering a model in which a resource manager can initiate a
>>>  request for attributes about an already-authenticated user.
>>>  Instead of attributes being bound to users by virtue of the 
>>> authentication
>>>  process employed, as occurs in shibboleth v1 because of its focus on the
>>>  web browser use case, there would need to be a step in which a resource
>>>  manager asks an origin to search for a user identity based upon whatever
>>>  authenitcation artifacts it has in hand 
>>> (
>>>  in Mark's
>>>  example). Attributes could only be transmitted if that search
>>>  is successful.
>> 
>> There's nothing all that much precluding it, except that the AA currently
>> doesn't support multiple mappings of subject identifier to principal.
>> Nothing very complex to change, though. But authentication is the real
>> problem. How do I convince mod_dav I'm mewilcox?
>> 
> 
> hmmm... finally a use case for  PKI  (-:
> 
> so, I  authn to the webdav server using PKI. Its never heard from me
> before, but, thru the magic of PKI, I'm able to prove my identity.....
> 
> and the cert that I  provide contains the info the target would
> supply back  to the AA....
> 
> when I saw Tom's initial posting, I  had a different question..  an
> AA will release attributes when presented with a SAML authn assertion
> signed by itself (ie the origin)... assuming I  could authn to the
> webdav server using basic auth.... who would sign the authn assertion
> that has to be presented to the AA?
> 
> maybe using PKI, and presenting a cert, would answer this  question, too
> 
> and, as Tom noted, interesting overlap with the grid scenario.......
> 
> 
> 
> 

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--