RE: [TLS] Authorization extension test server available

To: Russ Housley <housley at vigilsec.com>, Simon Josefsson <simon at josefsson.org>, <tls at ietf.org>
Subject: RE: [TLS] Authorization extension test server available
From: Ari Medvinsky <arimed at windows.microsoft.com>
Date: Thu, 22 Feb 2007 08:50:27 -0800
Cc:
In-reply-to: <E1HKGVH-000286-PH@megatron.ietf.org>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <87tzxeilse.fsf@latte.josefsson.org> <E1HKGVH-000286-PH@megatron.ietf.org>
Thread-index: AcdWnCL/nElka6/rTlK7fD4ze4JcegABOSeQ
Thread-topic: [TLS] Authorization extension test server available

It is a good idea to increase the size for SAML to be more then 64k -
note that just the XML Dig Sig on a SAML assertion is around 16K; then
within the SAML assertion you can have any number of attribute
statements, etc.

Ari Medvinsky
Sr. Program Manager
Windows Security

-----Original Message-----
From: Russ Housley [mailto:housley at vigilsec.com] 
Sent: Thursday, February 22, 2007 8:02 AM
To: Simon Josefsson; tls at ietf.org
Subject: Re: [TLS] Authorization extension test server available

Simon:

>Hi all!  GnuTLS now supports the TLS authorization extension, and I'm
>wondering if anyone is interested in interop testing of this feature?
>
>Our public test server supports RFC 4680 and
>draft-housley-tls-authz-extns-07 in case someone wants to point their
>clients towards a server:
>
>http://www.gnu.org/software/gnutls/server.html

Very cool.

>It may be too late to change the specifications, but my comments after
>implementing this were:
>
>- The size of authorization data, i.e., X.509 attribute certs and SAML
>   assertions, are limited to 64kb.  Is it certain that we won't need
>   more?

I have little experience with SAML, but 64K is a lot of space for 
attribute certificates.

>- There is no discussion on authorization failures.  Should the
>   handshake be aborted?  This is complicated by the fact that the
>   authorization data is sent _before_ authentication data.  Typically
>   you wait until authentication is complete before processing
>   authorization data.

We discussed this while developing the specification.  The current 
document is the cleanest way to use the extension mechanism that we 
could devise.  And, no one offered a better alternative during the 
review process.  Of course, implementation and deployment experience 
may show us a better way.

If the authorization requirements are not satisfied, then the TLS 
session should be shutdown.  I would expect the access_denied fatal 
alert to be used.

Russ


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- [TLS] Authorization extension test server available
  - From: Simon Josefsson

Prev by Date: Re: [TLS] Authorization extension test server available
Next by Date: [TLS] Fwd: I-D ACTION:draft-nir-tee-pm-00.txt
Previous by thread: Re: [TLS] Authorization extension test server available
Next by thread: [TLS] Fwd: I-D ACTION:draft-nir-tee-pm-00.txt
Index(es):
- Date
- Thread

RE: [TLS] Authorization extension test server available

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.