Hi Tom

Your final comment is about the inability to prove the presence of the user. Your proposed solution is "Instead of requiring a DN, the name identifier in the query should be generalized to accommodate the entire certificate". Unfortunately I don't believe that this solves anything, because a certificate is generally publicly available information that can be copied and used by anyone at any time.

If by certificate you mean the end entity certificate, then this is typically valid for a year, so an untrustworthy PEP could use this for a year to query the AA at will. If the certificate is a proxy certificate, or other short-lived certificate, which is only valid for a short period of time, say a day, then in this case it significantly shortens the period for abuse. But it still does not guarantee that i) the user is currently using the PEP, ii) it is the correct PEP that is making the query (since certificates can be copied by anyone).

Furthermore, if a proxy certificate chain is transferred by the PEP to the AA, then you are increasing the processing effort of the AA to determine who the user is, since it has to validate the entire chain of certificates and then remove the trailing RDNs.

So I am not convinced that this is an adequate solution to technically remove the need for the AA to trust the PEP. I believe that trust in the PEP is adequate for most usage scenarios.

regards

David

Tom Scavo wrote:
> Please find attached some comments regarding the "Use of SAML to Retrieve Authorization Credentials." I haven't fully reviewed this document, but these are the comments I can offer at this time.
>
> Tom Scavo
> NCSA
------------------------------------------------------------------------
--
ogsa-authz-wg mailing list
ogsa-authz-wg@ogf.org
http://www.ogf.org/mailman/listinfo/ogsa-authz-wg

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
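The following is an added example (written for this page; it is not code from the mailing-list thread, from the OGSA-AuthZ working group, or from any SAML profile) of the extra work David describes the AA having to do when a PEP sends a proxy certificate chain rather than a DN: walk the chain, check the proxy naming rule, work out the effective validity window, and strip the trailing RDNs to get back to the end-entity DN. It assumes the RFC 3820 rule that a proxy certificate's subject is its issuer's subject plus exactly one additional CN RDN. Certificates are modelled as plain records with constructed sample DNs; real X.509 parsing and signature verification are assumed to have happened before this step.

```python
"""
Added illustration: what an Attribute Authority has to do with a proxy
certificate chain before it can answer "who is the user?". Assumes the
RFC 3820 naming rule (proxy subject = issuer subject + one CN RDN).
All certificate data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an already-parsed X.509 certificate (constructed)."""
    subject: tuple      # RDN sequence, e.g. (("C", "UK"), ("O", "Kent"), ("CN", "alice"))
    issuer: tuple
    not_before: datetime
    not_after: datetime


def dn_to_string(dn: tuple) -> str:
    """Render an RDN sequence in the familiar /C=UK/O=Kent/CN=alice form."""
    return "".join(f"/{attr}={value}" for attr, value in dn)


def is_proxy_of(proxy: Cert, issuer: Cert) -> bool:
    """RFC 3820 name rule: proxy.subject must be issuer.subject plus one CN RDN."""
    return (
        proxy.issuer == issuer.subject
        and len(proxy.subject) == len(issuer.subject) + 1
        and proxy.subject[:-1] == issuer.subject
        and proxy.subject[-1][0] == "CN"
    )


def resolve_chain(chain):
    """
    chain is ordered end-entity certificate (EEC) first, then each successive
    proxy. Returns (eec_dn, effective_not_before, effective_not_after).
    Raises ValueError if a link breaks the naming rule or the validity
    periods do not overlap.
    """
    if not chain:
        raise ValueError("empty chain")
    eec = chain[0]
    nb, na = eec.not_before, eec.not_after
    prev = eec
    for cert in chain[1:]:
        if not is_proxy_of(cert, prev):
            raise ValueError(f"bad proxy subject: {dn_to_string(cert.subject)}")
        # The chain is only usable while every certificate in it is valid.
        nb, na = max(nb, cert.not_before), min(na, cert.not_after)
        prev = cert
    if nb >= na:
        raise ValueError("no overlapping validity period in chain")
    # Remove one trailing RDN per proxy to recover the end-entity DN.
    leaf_dn = chain[-1].subject
    eec_dn = leaf_dn[: len(leaf_dn) - (len(chain) - 1)]
    return eec_dn, nb, na


def replay_window_hours(chain) -> float:
    """
    How long a copied chain would remain usable by whoever holds it: the
    length of the effective validity window, in hours. A one-year EEC
    delegated through a one-day proxy gives 24 hours, not a year.
    """
    _, nb, na = resolve_chain(chain)
    return (na - nb).total_seconds() / 3600


# Constructed sample data (not real identities or certificates).
SAMPLE_T0 = datetime(2007, 1, 1)
SAMPLE_EEC = Cert(
    subject=(("C", "UK"), ("O", "Kent"), ("CN", "alice")),
    issuer=(("C", "UK"), ("O", "Kent CA")),
    not_before=SAMPLE_T0,
    not_after=SAMPLE_T0 + timedelta(days=365),
)
SAMPLE_PROXY = Cert(                     # one-day proxy issued by the EEC
    subject=SAMPLE_EEC.subject + (("CN", "proxy"),),
    issuer=SAMPLE_EEC.subject,
    not_before=SAMPLE_T0 + timedelta(days=10),
    not_after=SAMPLE_T0 + timedelta(days=11),
)
SAMPLE_BAD_PROXY = Cert(                 # adds an OU instead of a CN: rejected
    subject=SAMPLE_EEC.subject + (("OU", "proxy"),),
    issuer=SAMPLE_EEC.subject,
    not_before=SAMPLE_T0,
    not_after=SAMPLE_T0 + timedelta(days=1),
)


if __name__ == "__main__":
    dn, nb, na = resolve_chain([SAMPLE_EEC, SAMPLE_PROXY])
    print("user:", dn_to_string(dn), "usable", nb, "to", na)
    print("replay window (h):", replay_window_hours([SAMPLE_EEC, SAMPLE_PROXY]))
```

Note what the example does and does not show: it recovers the user's DN and bounds how long a copied chain stays usable, but nothing in it can tell the AA that the user is currently behind the PEP or that the querying party is the PEP the user delegated to, which is exactly the gap the message above points out.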