
shibboleth-dev - RE: OS X info, webDAV use case

  • From: Scott Cantor <>
  • To: ,
  • Subject: RE: OS X info, webDAV use case
  • Date: Wed, 24 Sep 2003 17:28:02 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> hmmm... so currently the HS provides a "hard to guess, secret value"
> to the target, and the target uses this to refer to a user, when
> retrieving attributes......

Basically, yes. Mostly the AA is just a PKI-authenticated attribute service.
The handle obfuscation is not really an access control mechanism for data
release.

> if the target doesn't have such a value, but does have publicly
> available information (eg a userid, a cert), is there a technical
> solution the AA can use to satisfy itself that this is a valid
> request? Or does it have to rely on policy (ie I know this SHAR, and
> it has agreed to behave....)

I don't think there's anything obvious. We *could* have chosen to include
the SSO assertion as proof of presence (maybe we'll do that if SAML
clarifies what you can really do with an SSO assertion), but taking that
away, I don't see much is left, unless you involve the client. If you get
the cert holder to sign something, then you've got proof of possession of a
public key you could match up. Without certs, you could do it with
Kerberos/GSS-API too, I suppose.

-- Scott
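The proof-of-possession option raised above (get the cert holder to sign something and match it against a key the AA already has) as an added example, not code from this thread or from Shibboleth: a Go sketch of an attribute authority that issues a random nonce and accepts a request for a publicly identified subject only if the nonce is one it minted, unused, still fresh, and signed under the key it has on file for that subject. The `AA`/`Challenge` names, the Ed25519 keys and the in-memory key table are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Challenge is what the AA hands a requester that names the subject by a
// public identifier (userid, cert) rather than by an opaque handle.
type Challenge struct {
	Subject string
	Nonce   []byte
}

// AA holds one public key per subject (assumed here to come from the cert on
// file) and the nonces it has issued but not yet seen back, so a response is
// accepted once, within TTL, and only for a nonce the AA itself minted.
type AA struct {
	Keys    map[string]ed25519.PublicKey
	TTL     time.Duration
	pending map[string]time.Time
}

// NewChallenge issues a random nonce tied to the subject being asked about.
func (a *AA) NewChallenge(subject string, now time.Time) (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	if a.pending == nil {
		a.pending = map[string]time.Time{}
	}
	a.pending[string(nonce)] = now
	return Challenge{Subject: subject, Nonce: nonce}, nil
}

// ToBeSigned binds the nonce to the subject; the requester signs exactly this.
func ToBeSigned(c Challenge) []byte { return append([]byte(c.Subject+"\x00"), c.Nonce...) }

// Verify accepts only an issued, unused, fresh nonce signed under the key on file.
func (a *AA) Verify(c Challenge, sig []byte, now time.Time) error {
	pk, known := a.Keys[c.Subject]
	issued, fresh := a.pending[string(c.Nonce)]
	delete(a.pending, string(c.Nonce)) // single use, whatever the outcome
	switch {
	case !known || !fresh:
		return errors.New("unknown subject, or nonce not issued / already used")
	case now.Sub(issued) > a.TTL:
		return errors.New("challenge expired")
	case !ed25519.Verify(pk, ToBeSigned(c), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

Without the client's signature the AA has nothing to check here, which is the point made above: absent a handle or a client-side proof, accepting the request comes down to policy about the requesting SHAR.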

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
