shibboleth-dev - "urlauth" proposal
Subject: Shibboleth Developers
List archive
- From: "RL 'Bob' Morgan" <>
- To: Shibboleth Dev Team <>
- Subject: "urlauth" proposal
- Date: Mon, 10 Nov 2003 13:19:17 -0600 (CST)
Let me just toss this into the bin as something to think about (as if we
need any more to think about). There's an internet-draft:
draft-crispin-imap-urlauth-04.txt
that proposes an interesting mechanism to solve a problem in the email
space (in the context of the IETF "lemonade" WG,
http://www.ietf.org/html.charters/lemonade-charter.html). That problem,
summarized, is that an email user may want to forward a large item from
their message store without downloading that item to their client (eg
because of low bandwidth). A possible solution is to permit the server to
which the message-to-be-sent is submitted (the "submit server" or
"composition server") to complete the composition of the message by
fetching the large to-be-included item from the user's message store
itself. This requires the submit-server to get access to the user's
message store, without necessarily giving it complete access. More or
less a classic use case of restricted delegation.
The proposed scheme is to create a "pawn ticket", using keyed HMAC, and
provide a new IMAP command that can use this token, appended to a URL, to
fetch the item referenced by this (imap:) URL. This can be used with or
without plain old SASL-based authentication.
From a SAML/webiso point of view I think we can recognize the utility of
sticking something at the end of a URL to add security properties to the
request.
Many generalizations of this are possible (and were discussed at the IETF
apps area meeting this morning), including:
* provide a "scheme=" slot to permit the selection of any of a number of
possible authz token formats (not unlike SASL mechanism selection);
from the Shib/SAML point of view a SAML assertion could be used for
this;
* applicability of this approach to other protocols, eg webdav, where
approaches like this have been suggested:
(http://www.sharemation.com/~milele/public/dav/draft-ito-dav-ticket-00.txt)
* providing a slot in URIs in general for inclusion of authz tokens (not
unlike the current username slot).
I guess that discussion of this is taking place on the lemonade WG list
(which I'm not on). There might be interest in setting up a new list for
discussion of authz-tokens-in-general, or something like that ...
- RL "Bob"
- "urlauth" proposal, RL 'Bob' Morgan, 11/10/2003
- anybody else in Minneapolis?, Mark Wilcox, 11/11/2003
- Re: anybody else in Minneapolis?, Derek Atkins, 11/11/2003
- anybody else in Minneapolis?, Mark Wilcox, 11/11/2003
Archive powered by MHonArc 2.6.16.