- From: Jonathan Ballard <dzonatas@gmail.com>
- Date: Fri, 20 Jul 2012 18:35:46 -0700
- To: Amos Jeffries <squid3@treenet.co.nz>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAAPAK-6weM5Ja-=xHOcEK4KwThwGyj3BvHSYUeLtJFKFNBH9Dg@mail.gmail.com>
To move forward on this without the redirect, the "Separate UA generated session-ID" is just that. The User and Agent are not the same, so there are, at least, three end-points, instead of two. The redirect, then, does not exist between the user end-point and the agent end-point, as you expect. The redirect may exist between the agent end-point and the origin server. That allows us to have the agent at HTTP 2, or later, and keep the origin server at the most stateless HTTP 1.1. I wrote more description about the user end-point in such scenario, yet I trashed it several times already. Easier if I keep it summarized to an example snippet under ASP.NET where "runat=server" allows its process to migrate to the agent or where we can replace "runat=client" with "runat=agent". That is not so comprehensible in javascript since the agent is then virtual, and you run into concerns as you mentioned. On Friday, July 20, 2012, Amos Jeffries wrote: > On 21/07/2012 2:19 a.m., Jonathan Ballard wrote: > >> The SSO is something we negotiate between two or more origin servers, and >> the UAs need not be part of that negotiation. It's may be the simpler >> design step to use the UAs for such negotiation between servers (with such >> "session header") after we establish the connection, yet that does not help >> secure authentication. >> >> > Indeed. The securest setup for SSO is to have the cleint present unique > session-ID to each server *also* to provide the same credentials. > Both servers knowing which DC to validate those credentials against they > can register their internal state-reference to the account. > The client never sees any of the server IDs or federation activity. When > done right eavesdroppers with access to both connections cannot link the > two credential sets easily. > > The hint for redirection is correct, the origin server(s) may create new >> resource, upon UA connection, and encode any session/state in that >> resource without affect to the headers. >> > > Separate UA generated session-ID is *essential* here since the redirect > may have been added/triggered by an attacker. Handing them a > pre-authenticated session ID is not acceptible. The only hope of detecting > and protecting against such attackes is to require the attacker to repeat > the authentication process where they should get caught (if it was auth > worth its cost). > > Amos > > >
Received on Saturday, 21 July 2012 01:36:15 UTC