shibboleth-dev - RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
Subject: Shibboleth Developers
List archive
- From: "Josh Howlett" <>
- To: <>
- Cc: "Josh Howlett" <>
- Subject: RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
- Date: Wed, 12 Sep 2007 21:38:34 +0100
Responding to my own post:
> It's been recently pointed out to me that Negotiate (SPNEGO
> over HTTP), which all modern browsers support, is a one-shot
> protocol and so does not support channel bindings or mutual
> authentication of the GSS mechanism (Kerberos, in this case).
> Fixing this would be quite an effort.
>
> Whether or not we care enough about the lack of these
> properties, in this particular context, is another question.
After hitting the 'Send' button, I thought it might be worth expanding
on this point lest that statement comes across as negligent.
The reason I think that the lack of channel bindings and mutual
authentication *might* be moot is that the Kerberos service ticket is
not used for authentication of the principal. The ticket is just be
acting as a discovery cue for boot-strapping a SAML authN assertion
request. In this case, why do channel bindings and mutual authentication
matter?
I am probably going out on a limb here, but it strikes me as analagous
to the way that we don't care about authentication of TLS connection
peers in the front-channel bindings; these aren't part of the trust
fabric that matters.
josh.
- wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Jeff Hodges, 09/11/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Tom Scavo, 09/19/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Scott Cantor, 09/19/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Tom Scavo, 09/19/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Scott Cantor, 09/19/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Tom Scavo, 09/19/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Scott Cantor, 09/19/2007
- <Possible follow-up(s)>
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/12/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Jeff Hodges, 09/12/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/12/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/12/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Scott Cantor, 09/12/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Leif Johansson, 09/27/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/19/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/20/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Scott Cantor, 09/20/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Spencer W. Thomas, 09/27/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/20/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/27/2007
- RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Josh Howlett, 09/28/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Spencer W. Thomas, 09/28/2007
- Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO", Tom Scavo, 09/19/2007
Archive powered by MHonArc 2.6.16.