[TLS] Re: Comments on draft-housley-tls-authz-extns-07



Simon Josefsson <simon at josefsson.org> writes:

>Hold on!  Tls-authz isn't about authentication.  It is about authorization.

Oh, I see, so it's meant purely for authorisation and not as a general-purpose
container for auth*ation exchanges.  That's fine then.

There is one other problem with the draft and that's the presence of the
x509_attr_cert_url and saml_assertion_url mechanisms.  I think building
firewall-traversal proxy/DDoS-amplifier functionality into a security spec
probably isn't a very good idea.  Maybe these should be removed; I can't see
how you can secure a mechanism in which your server is meant to perform
arbitrary network access under the control of an untrusted client.

Peter.
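The concern above is that a server honouring x509_attr_cert_url or saml_assertion_url fetches a URL the client chose. As an added illustration of the minimum a server would have to do before performing such a fetch (this is example code, not from the draft or from anyone in this thread), the validator below restricts the URL to https on port 443, rejects userinfo, requires the host to be on a server-side allowlist, and refuses any host whose resolved addresses are not all globally routable, which is how the proxy-into-the-internal-network case is caught. The allowlist entries, host names and the fake resolver are constructed so the example runs offline; a real server would resolve with its own resolver and connect to the exact address it validated.

```python
"""Added example (not part of the draft or the mailing-list post): validate a
client-supplied URL before a server fetches it on the client's behalf."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts the server is willing to fetch from. The third
# entry stands in for a trusted name whose DNS has since been pointed inward.
TRUSTED_HOSTS = {"attrcerts.example.net", "idp.example.org", "rebind.example.net"}

# Constructed stand-in for DNS so the example runs offline (IPs are made up).
FAKE_DNS = {
    "attrcerts.example.net": ["104.16.0.10"],
    "idp.example.org": ["151.101.1.7"],
    "evil.example.com": ["10.0.0.5"],                  # private space
    "rebind.example.net": ["104.16.0.20", "127.0.0.1"],  # one public, one loopback
}


def fake_resolve(host):
    """Return every address a name resolves to (constructed lookup table)."""
    return FAKE_DNS.get(host, [])


def address_is_global(ip_text):
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and shared-address ranges (ipaddress.is_global)."""
    return ipaddress.ip_address(ip_text).is_global


def validate_fetch_url(url, resolve=fake_resolve, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, reason); ok is True only when every check passes.

    Checks run in order: scheme, userinfo, host present, port, allowlist,
    resolution, and finally that *all* resolved addresses are global."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    if parts.port not in (None, 443):
        return False, "only port 443 allowed"
    if host not in trusted_hosts:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    if not all(address_is_global(a) for a in addrs):
        return False, "host resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://attrcerts.example.net/ac/123",
        "http://attrcerts.example.net/ac/123",
        "https://evil.example.com/x",
        "https://rebind.example.net/x",
        "https://127.0.0.1/x",
    ):
        print(candidate, "->", validate_fetch_url(candidate))
```

The allowlist is the real control here; the address check only guards against a listed name being re-pointed. Even with both, the server still spends bandwidth and connection slots on whatever the client names, so a fetch would also need a size cap, a short timeout, no redirect following, and per-client rate limiting, which is why the post argues the mechanisms may not be securable at all.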

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls