[cap-talk] forging SAML security assertions in Zebra Copy

John Carlson john.carlson3 at sbcglobal.net
Mon Feb 23 16:02:23 EST 2009


On Feb 23, 2009, at 10:26 AM, Karp, Alan H wrote:

> John Carlson wrote:
>>
>> Are SAML security assertions unforgeable in the Zebra Copy example?
>> Say I wanted to use a type of database query language in the
>> authorization assertion.
>>
> Yes.  Each assertion is signed by the delegator, and the SOAP
> message is signed by the user of the assertion.  These signatures
> are checked before accepting an authorization.  I don't understand
> what you mean by using a query language in the assertion.

Say I wanted to create an unforgeable/unmodifiable query language
expression.  It doesn't need to be in the assertion--however, it would
be convenient for debugging purposes to put it in the assertion.  The
unforgeable/unmodifiable property is the primary requirement.  I realize I
could put the query language expression in a directory stored under a
swiss number on a server somewhere, but if I did that, then the client
might not be able to tell what query language expression is being
invoked.  On the other hand, I believe if the query language
expression were exposed to the end user, a type of confused deputy
could occur--that is, the query language expression might be different
from the capability.  If I could guarantee that the query language
expression were the same as the capability, that would be ideal.

John
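The binding John asks for, as an added example that is not code from this thread or from Zebra Copy: the delegator's signature covers both the capability and the query expression, so the expression the client can read for debugging cannot drift from the capability it is invoking. An HMAC under a constructed delegator key stands in for the XML-DSig signature a real SAML assertion would carry; field names and values are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the delegator's signing key (assumption; a real
# assertion would be signed with the delegator's XML-DSig key, not a shared secret).
DELEGATOR_KEY = b"constructed-delegator-key"


def canonical(fields: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(capability: str, query_expr: str) -> dict:
    """Delegator binds the query expression to the capability under one signature.

    Putting the expression inside the signed part is what makes it readable
    for debugging yet unmodifiable: any edit invalidates the signature.
    """
    signed = {"capability": capability, "query": query_expr}
    sig = hmac.new(DELEGATOR_KEY, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": sig}


def verify_assertion(assertion: dict) -> bool:
    """Check the delegator's signature before anything in the assertion is trusted."""
    expected = hmac.new(DELEGATOR_KEY, canonical(assertion["signed"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def authorize(assertion: dict, requested_query: str) -> bool:
    """Accept only if the signature holds and the query the client is actually
    invoking is the one the delegator bound; a mismatch is the confused-deputy
    case where the visible expression differs from the capability."""
    if not verify_assertion(assertion):
        return False
    return assertion["signed"]["query"] == requested_query


if __name__ == "__main__":
    # Constructed sample values.
    a = issue_assertion("cap:CONSTRUCTED-SWISS-NUMBER", "SELECT name FROM users WHERE id = 42")
    print(authorize(a, "SELECT name FROM users WHERE id = 42"))  # True
    print(authorize(a, "SELECT * FROM users"))                   # False
```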
