SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: FW: Redirection (was UNH Plugfest 5)



    
    I haven't seen this via the ips reflector, I guess it's having problems but
    apologies if this reply is now out of date.
    
    I still agree with Paul that we should choose a mechanism but I disagree the
    options are equivalent, at least from the point of view of an admin trying to
    figure what is going on.
    
    Consider in the redirect before authentication case target A is impersonated by
    A'. A' redirects to B' which redirects to A' etc. There is nothing in the spec
    about how many redirects are valid, and of course implementations will impose
    arbitrary upper limits but this sort of bouncing around is going to be hard to
    debug. In the redirect after authentication case the admin sees a nice big red
    box indicating authentication failed because A' doesn't have the appropriate
    credentials. This seems more desirable to me.
    
    Again, let me stress that I don't have a strong opinion about which way this
    should go, only that it should be specified.
    
    - Rod
    
    -----Original Message-----
    From: Paul Koning [mailto:pkoning@equallogic.com]
    Sent: Friday, January 17, 2003 4:00 PM
    To: rod.harrison@windriver.com
    Cc: Julian_Satran@il.ibm.com; Black_David@emc.com; ips@ece.cmu.edu
    Subject: RE: FW: Redirection (was UNH Plugfest 5)
    
    
    >>>>> "Rod" == Rod Harrison <rod.harrison@windriver.com> writes:
    
     Rod> I agree with Paul that the spec should be specific on this. At
     Rod> this weeks plugfest none of the 16 companies present had the
     Rod> ability to configure this behaviour so the reality is the first
     Rod> set of products are going to go out hard coded in this manner
     Rod> and some are not going to interoperate. Right now many products
     Rod> are ready to go when the RFC is published and it's too late to
     Rod> rework GUIs, configuration databases and config app to device
     Rod> protocols. The result is going to be that authentication will be
     Rod> unusable with targets that redirect.
    
     Rod> I personally would like to see the spec say authentication MUST
     Rod> complete before redirection can occur, but like Paul I can
     Rod> accept either choice.
    
     Rod> A possible way out here is to go with the same approach chosen
     Rod> for the extension digests, that is mandate either redirection
     Rod> before or after authentication unless there has been explicit
     Rod> administrator intervention. That gives interoperability with
     Rod> implementations that can't configure this behaviour, and gives
     Rod> an out for those that want the choice the standard doesn't
     Rod> mandate if they are prepared to do the configuration work.
    
    I hadn't considered that approach.  I'd prefer not to do this.  The
    reason is that I see no reason for this behavior to be configured in
    the first place.  There is no conceivable reason why an admin should
    care about the way it is done; it simply must be done in a way that
    works.  Either behavior is perfectly fine; either behavior has
    equivalent security properties.
    
    Putting a management knob on this feels like an admission that the
    standards process is unable to make any decisions.
    
         paul
    
    


Home

Last updated: Mon Jan 20 01:19:09 2003
12218 messages in chronological order