Skip to Content.
Sympa Menu

shibboleth-dev - Re: the big question at the end of this week's call.....

Subject: Shibboleth Developers

List archive

Re: the big question at the end of this week's call.....


Chronological Thread 
  • From: "Barry R Ribbeck" <>
  • To: Scott Cantor <>
  • Cc: 'Keith Hazelton' <>, 'shib-dev' <>
  • Subject: Re: the big question at the end of this week's call.....
  • Date: Thu, 04 Dec 2003 08:18:48 -0600

All
Scott had spelled out this particular method earlier and it is appealing to me in that I don't have to change the apps so there is a scale value and the process works well within the existing scope of shib. Good code weathers the changing tides well! The authentication context could be a Hippa, DOD or .GOV concern where interactions require a higher LOA. At issue is the ability for the Target to be able to exercise some level of control of access base on authentication methods as opposed to just authorziation assertions. X509 authentication does not necessarily provide LOA and there are additional trusts and processes for LOA that would have to be tested for at the origin and possibly asserted to the Target or a bridge function at the Origin. One thing that I would add is that if x509 is the requirement for the asserted auth method, then it would be useful on the target side to request the authenticator's public key for logging purposes.

My 1.125 cents
Barry


I simply check the auth method header Shib provides me and I know which
policy was used.

This will be much easier when it's part of the protocol, but web servers can
do a lot of this for me today.

Lastly, I'd always warn anyone doing this that I would never attack your
authentication system to crack your medical application. I'd attack your
application's session cookie. As long as the client is a browser, there's
not all that much you can do except to use client certs and check the cert
on every request.

I think a really interesting question is why this authentication context
stuff is so superficially appealing to people. I must be missing something.
;-)

-- Scott


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.16.

Top of Page