Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] Infocard directions

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Infocard directions


Chronological Thread 
  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] Infocard directions
  • Date: Tue, 08 Jul 2008 08:36:31 +0200
  • Openpgp: id=146B2514
  • Organization: SWITCH



Scott Cantor wrote:
In my organization I see Infocard as an IdP authn method as likely being
more useful in the near term than managed cards (issued by the IdP and
consumed by app RPs), though obviously the latter is where the real
promise of Infocard lies.

Definitely have heard mixed opinions about this, especially since CSv1
doesn't support requiring a PIN on self-issued cards. So do we want people
registering cards that basically make their desktop a permanently
"signed-in" client for SSO? Probably some people would say sure, e.g.
Kerberos sites.

I actually see this as a bit more scary than Kerberos. With Kerb I can control the environment to a degree. I can force certain password quality rules, or timeouts, verify certain things about the computer before allowing it to connect to my KDC if I wanted, etc. None of that would be true in this case. A bad user could have a desktop that does auto-login and no PIN on the card.

To me this would be like a web-based "authentication" mechanism were the user just has to enter their user name. If they get it right, they're "authenticated". I can't believe it, but I think we've stumbled upon an "authentication" mechanism that I dislike even more than IP address based auth. ;)

To the extent that there is anything in Infocard material saying who is
supposed to trust whom (very little, to my knowledge), the common use case

The profiles are definitely written in a manner that strongly communicates a
model in which the IdP is not a vehicle for controlling what the user does
or where they do it. That doesn't mean you can't, but it says to me that
we'll be arguably alone in doing so for now, and may run into limitations if
we push any spec boundaries in trying to do it.

Well, given how nicely MS did on ADFS and its attribute support (hardcoded names and namespaces that require you to write DLLs to add/edit names/namespaces) I'm not sure going a bit beyond what they are thinking is necessarily a bad thing. I do agree that it can cause issues, again as we saw with ADFS. However, we also need to keep in mind that to date MS has had a very bi-lateral view of the world and our community has a very federation-oriented view. This is going to cause some mismatches between what our users want and what MS is doing.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch




Archive powered by MHonArc 2.6.16.

Top of Page