[OGSA-AUTHZ] Comments: Use of SAML to Retrieve Authorization Credentials

David Chadwick d.w.chadwick at kent.ac.uk
Mon Sep 15 04:39:14 CDT 2008

Hi Tom

Your final comment is about the inability to prove the presence of the 
user. Your proposed solution is "Instead of requiring a DN, the name 
identifier in the query should be generalized to accommodate the entire 

Unfortunately I don't believe that this solves anything, because a 
certificate is generally publicly available information that can be 
copied and used by anyone at any time. If by certificate, you mean the 
end entity certificate, then this is typically valid for a year, so an 
untrustworthy PEP could use this for a year to query the AA at will. If 
the certificate is a proxy certificate, or other short lived 
certificate, which is only valid for a short period of time, say a day, 
then in this case it significantly shortens the period for abuse. But it 
still does not guarantee that

i) the user is currently using the PEP
ii) it is the correct PEP that is making the query (since certificates 
can be copied by anyone).

Furthermore, if a proxy certificate chain is transferred by the PEP to 
the AA, then you are increasing the processing effort of the AA to 
determine who the user is, since it has to validate the entire chain of 
certificates and then remove the trailing RDNs.

So I am not convinced that this is an adequate solution to technically 
remove the need for the AA to trust the PEP. I believe that trust in the 
PEP is adequate for most usage scenarios.

Tom Scavo wrote:
> Please find attached some comments regarding the "Use of SAML to
> Retrieve Authorization Credentials."  I haven't fully reviewed this
> document, but these are the comments I can offer at this time.
> Tom Scavo


David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

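The chain validation and trailing-RDN stripping that the reply says an AA would have to perform when a PEP forwards a proxy certificate chain, as an added Python example that is not part of this thread or of any OGF implementation. It assumes a constructed in-memory certificate record instead of real X.509 parsing, DN strings written root-first as a convention of the example, and an end-entity certificate whose CA signature has already been verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields this check needs."""
    subject: str        # DN written root-first, e.g. "C=UK,O=Kent,CN=Alice" (example convention)
    issuer: str
    not_after: datetime

def rdns(dn: str) -> list[str]:
    return [r.strip() for r in dn.split(",")]

def end_entity_dn(chain: list[Cert], now: datetime) -> str:
    """chain[0] is the end-entity certificate (issued by a trusted CA, assumed already verified);
    chain[1:] are successive proxy certificates, leaf last. Checks the RFC 3820 chain rules
    (issuer == parent subject, subject == parent subject + one CN RDN, no proxy outlives its
    parent, nothing expired) and returns the leaf subject with the trailing proxy RDNs removed."""
    if not chain:
        raise ValueError("empty chain")
    prev = chain[0]
    if now > prev.not_after:
        raise ValueError("end-entity certificate expired")
    for proxy in chain[1:]:
        parent, child = rdns(prev.subject), rdns(proxy.subject)
        if proxy.issuer != prev.subject:
            raise ValueError("proxy not issued by the preceding certificate")
        if child[:-1] != parent or not child[-1].startswith("CN="):
            raise ValueError("proxy subject must extend its issuer by exactly one CN RDN")
        if proxy.not_after > prev.not_after or now > proxy.not_after:
            raise ValueError("proxy expired or outlives its issuer")
        prev = proxy
    leaf = rdns(prev.subject)
    return ",".join(leaf[:len(leaf) - (len(chain) - 1)])   # strip one RDN per proxy

def acceptance_window(chain: list[Cert], now: datetime) -> timedelta:
    """How long a copy of this chain would keep being accepted by the check above."""
    end_entity_dn(chain, now)                 # reject anything that is not valid right now
    return min(c.not_after for c in chain) - now

# Constructed sample: a one-year end-entity certificate and a one-day proxy (not real certificates).
NOW = datetime(2008, 9, 15, 9, 39, tzinfo=timezone.utc)
EE = Cert("C=UK,O=Example Grid CA,CN=Alice", "C=UK,O=Example Grid CA", NOW + timedelta(days=365))
PROXY = Cert(EE.subject + ",CN=12345678", EE.subject, NOW + timedelta(days=1))

if __name__ == "__main__":
    print(end_entity_dn([EE, PROXY], NOW))          # C=UK,O=Example Grid CA,CN=Alice
    print(acceptance_window([EE], NOW).days)        # 365: a copied EE cert is accepted for a year
    print(acceptance_window([EE, PROXY], NOW).days) # 1: a copied proxy chain is accepted for a day
```

Neither window tells the AA that the user is present at the PEP or that the right PEP is asking, which is the point made above; the proxy merely shortens how long a copied chain stays usable.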
