IdentityMeme.org

I can’t do a detailed post right now, pointing to announcement message and the spec itself will have to do. This is what I’ve been working on since joining PayPal…

fyi: Strict Transport Security specification
http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html

draft-hodges-strict-transport-sec-05.plain.html
http://lists.w3.org/Archives/Public/www-archive/2009Sep/0051.html

This specification embodies and refines the approach proposed in..

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
https://crypto.stanford.edu/forcehttps/forcehttps.pdf

=JeffH sez check it out!

Ok, my apologies for latency, this is somewhat old news, but I haven’t as yet “announced” it: I landed at PayPal, in the Information Risk Management organization under Michael Barrett (”InfoSec Team” for short), back in March.

I’m very excited to be working at one of the premier web-based organizations and also directly in the security end of things. I now get to be involved in the adoption and deployment of the various online identity and security technologies I’ve been contributing to for many years, as well as contribute to carrying them forward, and also learn some new things.

The latter has been a fair bit of work and steep learning curve as it has involved “web (in)security”, which is a vast swamp involving XSS, CSRF, response-splitting, clickjacking, etc. (hence my crawling into a cave the last several months). And not least, I’ve been very much enjoying meeting and working with key folks involved in web security and browser implementation.

And so with the public announcement of the first web security specification that I’ve contributed to (see next post), it seemed I ought to really pop this frame to the top of the stack and get it out there 8^).

Some colleagues (Josh Howlett, Leif Johansson, RL “Bob” Morgan) and I had the good fortune to help the MIT Kerberos Consortium (MITKC) with some analysis and strategy planning for the (broad) topic of “Kerberos and the Web”, during this last Fall 2008. The main deliverables of this project are this document..

Towards Kerberizing Web Identity and Services
http://kerberos.org/software/kerbweb.pdf

..and this presentation..

Kerberos for the Web: Current State and Leverage Points
http://kerberos.org/events/Board-11-3-08/4-KerberosandWeb.pdf

..given at the MITKC’s Financial Services Security Summit and MIT Kerberos Consortium Executive Advisory Board Meeting last Fall.

Of course, these documents may not make much sense if one doesn’t know what Kerberos is, so if that’s the case, this brief tutorial ought to be helpful, as well as the Kerberos entry on Wikipedia. Additionally, the MITKC has published a series of Kerberos whitepapers outlining Kerberos’ role(s) in the Big Picture of information systems in general, as well as various best practices.

That said, the MITKC’s announcement of the document provides overall rationale for their Kerberos-on-the-Web project. They have also established a new public mailing list for technical discussions on this topic.

Additionally, here’s the salient portions of the paper’s abstract..

Today authentication and authorization are addressed in an incoherent, and often site-specific, fashion on the Internet and the Web specifically. This situation stems from many factors including the evolution, design, implementation, and deployment history of HTTP and HTTP-based systems in particular, and Internet protocols in general.

Kerberos is a widely-implemented and widely-deployed authentication substrate with a long history in various communities and vendor products. Organizations that currently use Kerberos as a key element of their infrastructure wish to take advantage of its unique benefits while moving to Web-based systems, but have had limited success in doing so.     …

In this paper we outline the evolution of Web Identity and Services and describe the issues surrounding this complex landscape. These issues are captured within a set of more specific requirements that are deemed necessary to satisfy the relevant stakeholders; these requirements are then framed within the context of some general use cases. We then propose and describe a number of activities that leverage Kerberos to realize these improvements, and present an overall strategy and architectural model for working towards a more cohesive and widely deployed Kerberos-based Web authentication infrastructure.

Casual readers may find the section entitled A Short History of Web Identity and Services interesting, while those desiring the gory details as well as the identified opportunities will benefit from reading the entire paper. Here’s the overall summary illustration..

Summary of opportunities for Kerberos and the Web Architecture

In concluding, we recommend that in conjunction with developing an overall strategy and architecture with stakeholders, that the MITKC ought to initiate at least these activities..

• Specify the use of Kerberos with TLS
• SAML-in-Kerberos: Extend Kerberos to permit the inclusion of a SAML assertion in KDC issued authorization data
• Kerberos-in-SAML: SAML profile supporting the generation of SAML assertions containing Kerberos tickets
• Update WS-Security Kerberos Token Profile specification
• Leverage SAML metadata to enable large-scale Kerberos cross-realm communities”), and
• Investigate, document and promote existing methods of using Kerberos to authenticate against a SAML identity provider

Discussion of this paper and the MITKC’s overall Kerberos-and-the-Web project occurs on the (new) mitkc-web@mit.edu mailing list. Feel free to subscribe and join in.

I found the existing protocol flow diagram in the current OAuth spec..

OAuth Core 1.0
http://oauth.net/core/1.0/

..somewhat hard to follow. So I concocted three separate new ones using the so-called “swimlane” technique that I’m used to.

I posted these to the OAuth list a while back, and a few folks reposted them to their blogs, but no one has yet piped up to say I got anything wrong. But YMMV, there might be bugs in here.

FWIW, I’ve posted them below in case others find them useful. Also, I have them in a single file..

http://identitymeme.org/doc/draft-hodges-oauth-05-figures.txt

..also featuring OpenID and SAML Web Browser SSO Profile diagrams for comparison purposes. Note that in all things protocol, definitions of terms are essential in order to be able to effectively communicate and reason about protocols, so I’ve included key definitions from the OAuth spec in the file.

NOTE: fixed-pitch font required for viewing. Also, wordpress is obviously messing up the diagrams below, and they consequently look sorta lame, here on the blog. This site presently uses an old wordpress install, maybe this will help motivate me to upgrade it. In the meantime, check out the file linked-to above for the best viewing experience

Fig 1: out-of-band consumer setup/config

                                           photos.example.net
                                             +----------+
                                             |          |
                                             | OAuth    |
                                             | service  |
                  printer.example.com        | provider |
                      +---------+            |          |
                      |developer|            |  Sys     |
                      |   of    |            |  Admin   |
                      | OAuth   |            |          |
                      |consumer |            |          |
                      |         |            |   [SP]   |
                      +----+----+            +----+-----+
                           |                      |
                           | obtain Consumer Key  |
                           | and Consumer Secret  |
                           | [details unspec'd,   |
                           |  performed out-of-   |
                           |  band.]              |
                           |--------------------->|
                           |< ---------------------|
                           |                      |
                           |                      |

Fig 2: “Web-based consumer”

The "consumer" is a website or other application that accesses
the Service Provider on behalf of the wielder (user) of the user agent
(UA is typically a browser, but could be some other app). 

Steps 1.n.  "Obtain Unauthorized Request Token"
      2.n.  "User Authorizes Request Token"
      3.n.  "Exchange Request Token for Access token"
      4.n.  UA accessing protected resources at SP

                                           photos.example.net
                                             +----------+
                                             |          |
                                             | OAuth    |
                   printer.example.com       | Service  |
                       +--------+            | Provider |
                       |        |            |          |
                       | OAuth  |            |[protected|
                       |Consumer|            |resources]|
 +----+                |        |            |          |
 | UA |                |  [RP]  |            |   [SP]   |
 +-+--+                +---+----+            +----+-----+
   |                       |                      |
   | 1.0. User Agent inter-|                      |
   | acts with Consumer    |                      |
   | site [optional]       |                      |
   |< --------------------->|                      |
   |                       |                      |
   |                       |                      |
   |                       |                      |
   | 1.1. UA informs/directs                      |
   | Consumer to do something                     |
   | with a resource (e.g. |                      |
   | a photo) at SP        |                      |
   |---------------------->|                      |
   |                       |                      |
   |                       |                      |
   |                       |                      |
   |                       | 1.2. Consumer attempts
   |                       | accessing photo at SP|
   |                       |--------------------->|
   |                       |                      |
   |                       |                      |
   |                       | 1.3. SP replies with |
   |                       | a HTTP 401 containing|
   |                       | a "OAuth" www-authn  |
   |                       | header field         |
   |                       |< ---------------------|
   |                       |                      |
   |                       |                      |
   |                       | 1.4. Consumer replies|
   |                       | with a request for   |
   |                       | "unauthorized Request|
   |                       | Token" (uRT) via POST|
   |                       | to SP's "request token
   |                       | URL"                 |
   |                       |--------------------->|
   |                       |                      |
   |                       |                      |
   |                       | 1.5. SP issues uRT & |
   |                       | token secret to      |
   |                       | Consumer.            |
   |                       |< ---------------------|
   |                       |                      |
   |                       |                      |
   |                       |                      |
   | 2.0. Consumer redirects                      |
   | UA to SP "User Author-|                      |
   | ization URL" including|                      |
   | the uRT.              |                      |
 +<- - - - - - - - - - - - |                      |
 . | (indirected via UA)   |                      |
 . |                       |                      |
 +-------------------------+--------------------->|
   |                       |                      |
   |                       |                      |
   |                       |                      |
   |                       |                      |
   | 2.2. User authenticates with the Service     |
   | Provider (optional, methods vary, realization|
   | is out of scope)                             |
   |< ============================================>|
   | 2.3. User grants or declines permission      |
   | for the Service Provider allow Consumer      |
   | access to the resource (e.g. photo).         |
   |                       |                      |
   |                       |                      |
   |                       |                      |
   |                       |                      |
   | 2.4. If permision granted, UA redirected back|
   | to Consumer's "Callback URL", conveying the  |
   | uRT.                  |                      |
 +< - - - - - - - - - - - - - - - - - - - - - - - -|
 . | (indirected via UA)   |                      |
 . |                       |                      |
 . |                       |                      |
 +------------------------>|                      |
   |                       |                      |
   |                       |                      |
   |                       |3.0. Consumer requests|
   |                       |Access token, supplies|
   |                       |uRT.                  |
   |                       |--------------------->|
   |                       |                      |
   |                       |                      |
   |                       |                      |
   |                       |3.1. SP grants Access |
   |                       | Token.               |
   |                       |< ---------------------|
   |                       |                      |
   |                       |                      |
   |                       |4.x. Consumer uses the|
   |                       |Access Token, Access  |
   |                       |Token Secret, Consumer|
   |                       |Key, and Consumer Secret
   |                       |to make authenticated |
   |                       |request(s) to the Service
   |                       |Provider.             |
   |                       |=====================>|
   |                       |           .          |
   |                       |           .          |
   |                       |           .          |
   |                       |                      |

Fig 3: “desktop-based consumer”

this is case where user is wielding some app that is both a UA and a Consumer.

                                             +----------+
                                             |          |
                                             | OAuth    |
                                             | service  |
 +--------+                                  | provider |
 |        |                                  |          |
 |Desktop-|                                  |[protected|
 |based   |                                  |resources]|
 |Consumer|                                  |          |
 |        |                                  |          |
 | UA     |                                  |   [SP]   |
 +-+------+                                  +----+-----+
   |                                              |
   | 1. Consumer requests "unauthorized Request   |
   | Token (uRT)" with POST to SP's "request token"
   | URL.                                         |
   |--------------------------------------------->|
   |                                              |
   |                                              |
   | 1.1. SP issues uRT and Token Secret to       |
   | consumer.                                    |
   |< ---------------------------------------------|
   |                                              |
   |                                              |
   |                                              |
   | 1.2. User authenticates with the Service     |
   | Provider (optional, methods vary, realization|
   | is out of scope)                             |
   |<============================================>|
   | 3. User grants or declines permission        |
   | for the Service Provider to issue Access     |
   | Token.                                       |
   |                                              |
   |                                              |
   |                                              |
   |                                              |
   | 4. Service Provider authorizes the uRT to be |
   | exchanged for an Access Token and secret.    |
   |< ---------------------------------------------|
   |                                              |
   |                                              |
   |                                              |
   | 5. Consumer exchanges the uRT and secret     |
   | for an Access Token and Secret.              |
   |--------------------------------------------->|
   |< ---------------------------------------------|
   |                                              |
   |                                              |
   |                                              |
   | 6. Consumer uses the Access Token, Access    |
   | Secret, Consumer Key, and Consumer Secret    |
   | to make authenticated request(s) to the Service
   | Provider                                     |
   |<============================================>|
   |                      .                       |
   |                      .                       |
   |                      .                       |
   |                      .                       |
   |                      .                       |
   |                      .                       |
   |                                              |

It looks like this new SAML wiki..

SAML.XML.org

..opened for business on or about the middle of October 2007. Looks like it’ll be a good resource for the wide SAML community.

There’s also another wiki that’s apparently for the members of the OASIS Security Services Technical Committee (SSTC - the group creating and shepherding the SAML specs)..

SSTC Wiki

..so it looks like we’ll have to be careful to figure out what sort of content goes where.

Andreas Åkre Solberg writes on his Feide blog..

simpleSAMLphp 0.3 is launched. Most interesting in this new release is the SAML 2.0 IdP functionality. The documentation is not covering everything in detail yet, but it should be sufficient to get something up running.

The simpleSAMLphp 0.3 package also features a Shibboleth 1.3-compatible SP written in PHP.

My colleague John Kemp has blogged a quick, accurate (although partial) tutorial on the Liberty Authentication Service, of which I was the original designer (see my bibliography). I hope he gets the time to post part 2 of his write-up!

This is a cliche place-holder post whilst I get this here wordpress gizmoid software figgered out. I was going to delete it (this post, not wordpress), but the good ol’ “Hello World” schtick is a time-honored one in the geek world, so I’ll leave it be.