[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
RE: [higgins-dev] Demo post-mortem
|
I have called them already, I hope this incident does not mess up your
holidays, but it had to be done
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Jim Sermersheim"
<jimse@xxxxxxxxxx
> To
Sent by: higgins-dev-bounces@xxxxxxxxxxx
higgins-dev-bounc cc
es@xxxxxxxxxxx "'Higgins (Trust Framework) Project
developer discussions'"
<higgins-dev@xxxxxxxxxxx>
12/15/2006 12:24 Subject
PM RE: [higgins-dev] Demo post-mortem
Please respond to
"Higgins \(Trust
Framework\)
Project developer
discussions"
<higgins-dev@ecli
pse.org>
Eek! Token abuse!
Now I'm trembling in fear that Token Protective Services might get wind of
this and we'll be faced with an onslaught of TPS reports.
>>> Anthony Nadalin <drsecure@xxxxxxxxxx> 12/15/06 10:53 AM >>>
I think that this is abuse of the token used to authenticate to the STS,
this is where we may actually have to profile something, and that being
having multiple tokens in the message and having a STR "usage" attribute,
so one token can be used by the STS and the other token used by the
context provider.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Inactive hide details for "Jim Sermersheim" <jimse@xxxxxxxxxx>"Jim
Sermersheim" <jimse@xxxxxxxxxx>
"Jim
Sermersh
eim"
<jimse@n
ovell.co To
m>
Sent by: higgins-dev-bounces@xxxxxxxxxxx
higgins-
dev-boun cc
ces@ecli
pse.org "'Higgins (Trust Framework)
Project developer discussions'"
<higgins-dev@xxxxxxxxxxx>
12/14/20
06 11:45 Subject
AM
RE: [higgins-dev] Demo
post-mortem
Please respond to
"Higgins \(Trust Framework\)
Project developer discussions"
<higgins-dev@xxxxxxxxxxx>
Tony, this reply is maybe moving us away from the thread topic, but in the
IIW demo, we did use the STS as an authN service to a small degree.
In that model, there was stuff in the token request (name/pw) which was
used by the STS to open a context and read that user's attributes The
trust model/contract between the RP and the STS (in a model like this) is
such that by virtue of a valid, signed token being received by the RP, the
RP may assume that the user did what they needed to do to authN (to the
degree needed to fetch their attributes). This level of authN may be just
what the RP needs.
(note that RP did need to do a subsequent authN to the wiki for the demo,
but that doesn't mean the above model is invalid)
Jim
>>> Anthony Nadalin <drsecure@xxxxxxxxxx> 12/14/06 9:34 AM >>>
Please explain, as STS is not an Authentication service, also the STS can
issue self signed tokens today, are you talking about supporting the
concept of "personal cards" ?
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Daniel Sanders" <dsanders@xxxxxxxxxx>
"Daniel Sanders"
<dsanders@xxxxxxxxxx>
Sent by:
higgins-dev-bounces@xxxxxxxxxxx To
"'Higgins (Trust
12/14/2006 09:59 AM Framework) Project
developer discussions'"
<higgins-dev@xxxxxxxxxx
g>
Please respond to
"Higgins \(Trust Framework\) Project cc
developer discussions"
<higgins-dev@xxxxxxxxxxx>
Subject
RE: [higgins-dev] Demo
post-mortem
I wonder if during the call there would be time to discuss a next
potential step for the STS - supporting the other authentication methods
of CardSpace? I am specifically interested in being able to experiment
with authentication using a Self-issued token. I see this as possibly
being a very useful way to achieve single sign-on functionality.
Daniel Sanders
>>> "Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx> 12/13/2006 7:07 PM >>>
Thanks for doing this Jim. Let me know if you'd like to go over some of
this on the call tomorrow. -Paul
From: higgins-dev-bounces@xxxxxxxxxxx [
mailto:higgins-dev-bounces@xxxxxxxxxxx] On Behalf Of Jim Sermersheim
Sent: Wednesday, December 13, 2006 7:44 PM
To: higgins-dev@xxxxxxxxxxx
Subject: Re: [higgins-dev] Demo post-mortem
FWIW, I put these here and took the liberty of assigning some names to
tasks (still need owners for a few)
>>> "Jim Sermersheim" <jimse@xxxxxxxxxx> 12/8/06 3:57 PM >>>
Add to the list:
- STS Configuration (https://bugs.eclipse.org/bugs/show_bug.cgi?id=163618
). The bug doesn't say anything else, but I think it has to do with how
the STS is configured to do things like: - insert a claim mapper between
itself and the IdAS CP (dependency on claim mapping task below), possibly
include a list of allowed CP's, etc.
- Name mappings. We used full DN values from the groupMembership. Should
have been simple (mapped) names.
- Update operations in IdAS instead of PHP LDAP. All the update operations
on the RP use PHP LDAP instead of IdAS.
- Location of dependency libraries. We had some in the STS deployment lib
directory, and others in the Tomcat shared lib. We need a methodology for
deciding where to locate these.
- BasicDateTimeValue couldn't be used because of some fishiness with the
time zones. Duane has the details.
- Verify that Mike's latest STS code is in, and we can build and deploy
ourselves.
- Check in fixes to card generator to Higgins. Separate from form ui
- Empty/missing claim (on forum)
- LDAP CP should support any URI as the context ref (i.e. http)
Jim
>>> "Jim Sermersheim" <jimse@xxxxxxxxxx> 12/7/06 5:47 PM >>>
I suggested that we do some kind of post-mortem evaluation of the work
done to get the demo working so we avoid letting things fall through the
cracks.
Probably the best thing to do is get everyone's feedback and then create a
task list or create bugzilla items for each.
The Novell team will meet tomorrow afternoon to come up with a list from
our experience, so look for the results of that later. Until then, a few I
can think of off the top of my head include:
- CardID to context mapping. We ended up making the CardID equal the
contextRef. It looked like this: file:///<some path on the IdAS machine to
a config file>?<some identifier inside the config file representing a
context>. There's already a bug for this (
https://bugs.eclipse.org/bugs/show_bug.cgi?id=163366). It would be nice if
we could come up with something a little more abstract so we're not
putting something as brittle and revealing as a local filename
- Claim/Attribute mapping. We ended up making the LDAP CP emit attributes
which are named just like cardspace claims... We'd like to do this via
configuration, or possibly a mapping CP, or something like that.
- STS builds are still not quite up to snuff -- see recent list traffic.
I can see there are a lot of others now that I look around, I have to run
for the evening so I'll pick back up in the AM.
Jim
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev



