|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: UNH Plugfest 5> "Robert D. Russell" <rdr@io.iol.unh.edu> wrote on 14/01/2003 02:56:59: >> ... >> 2. If the initiator offers authentication on the first login request, >> and the target replies with a redirection, can that redirection be >> safely believed by the initiator without first finishing the >> authentication? Probably not, which limits the value of redirection. >> Could/should anything be said about this in the standard? >> >> > That is an interesting point that was briefly discussed. It is not > sure that a legitimate target would give out the "secrets" required > to authenticate the redirection nor that the redirector has to ahve > all the authentication implemented. If the redirection is not > legitimate you will learn about it one step later and you will not > be able to get to the legitimate target anyhow. However an > initiator would be ill advised to change it's internal tables to > point to a new target before validating it. An initiator is also at > liberty to insist on authentication in which case the redirection > will have to provided after authentication. > > As we assume that redirection will be provided by "administrative > entities" we did not feel that we have to be more explicit in the > standard and we could leave this to implementers/administrators. I don't think that's sufficient, as this interop issue shows. I agree with the argument that the redirector might not have the secrets needed to do the authentication. That's the argument for issuing the redirect before completing the authentication. And there seems to be no security argument against this practice, just as you also said. But if that's reasonable, then the initiator is NOT "at liberty to insist on authentication". If it tries, then the redirector is unable to comply, and you have the failure that Bob described. I don't feel it is acceptable for redirect to work only with some initiators. So the standard needs to be more explicit. The argument you gave says to me that the initiators should be required to be more tolerant, i.e., the rule needs to change to be "accept redirect even without a complete authentication handshake". The alternative is to require targets to complete the authentication handshake before they announce a redirect -- that's a possible fix but for some targets will be difficult to implement for the reasons you gave. paul
Home Last updated: Wed Jan 15 02:19:51 2003 12176 messages in chronological order |