Posted to dev@httpd.apache.org by Sean Mehan <se...@smo.uhi.ac.uk> on 2005/03/01 15:52:17 UTC

Authentication Needs for Apache: Was Re: Puzzling News

Just a pointer to something that is gaining a bit of ground in various  
circles:


http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf

found at

http://www.oasis-open.org/committees/documents.php?wg_abbrev=security


This is about SAML, a vocabulary for exchange of authentication and  
authorization data about users trying to access resources.
With this capability built in, one can write policies for users  
originating from other sites.

There is an implementation of this for what used to be called  
(resource) targets, now called SP [service provider]s, which compiles  
and runs under apache 1.3/2.0
found at http://shibboleth.internet2.edu/

regards,
sean

On 1 Mar 2005, at 14:18, Graham Leggett wrote:

> Paul A Houle said:
>
>>       I think of all the features that web site authors and developers
>> need that still don't exist in mainstream web servers;  part of this
>> is in the area of "content management" and another major area is
>> authentication -- pretty much any serious interactive web site needs
>> a cookie-based authentication system with the features seen on big
>> sites like amazon.com and yahoo!  and one of the reasons there is so
>> little code reuse on the web is that every application winds up
>> implementing its own authentication system;  if there was something
>> really good built into a market-leading web server,  this picture
>> would change completely.
>
> The trouble with the authentication problem is that the credentials  
> used
> for authentication are often used for way more than just finding out
> whether a user has access. That said, this is definitely a very useful
> addition.
>
> Something like an auth module that can do "form based" auth, in  
> addition
> to "basic" and "digest" etc would probably be very useful.
>
> Regards,
> Graham
> --
>
>


Re: Authentication Needs for Apache: Was Re: Puzzling News

Posted by Sean Mehan <se...@smo.uhi.ac.uk>.
Hi. Thanks for this. I've been tied up with a couple of things, so  
please pardon the delay.

As far as this goes, Erik is correct, to a point!-) Just for tightness,  
I want to make this as clear as mud!-)

To my read, and this meshes with others, SAML is open. RSA
http://www.oasis-open.org/committees/security/ipr.php
have four patents that seem to overlap with parts of SAML, from:

"...RSA believed that these four patents could be relevant to  
practicing certain operational modes of the OASIS Security Assertion  
Markup Language ("SAML") specifications...".


Liberty Alliance took the SAML spec and implemented it with a profile  
that extended it, called the Browser/POST profile (a form post encoded  
in SAML). It is this profile that RSA seem to be claiming

http://lists.oasis-open.org/archives/security-services/200205/msg00046.html

rather than the SAML spec which is open:

http://www.opensaml.org/license.html

It is most unfortunate that RSA are taking this stance, but SAML and  
another synch method would not be covered by this patent, in my limited  
understanding of the world.


Internet2, for the record, do hold an RSA license which covers all  
users of the app.
s


On 1 Mar 2005, at 16:51, Erik Abele wrote:

> On 01.03.2005, at 15:52, Sean Mehan wrote:
>
>> Just a pointer to something that is gaining a bit of ground in  
>> various circles:
>>
>>
>> http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
>>
>> found at
>>
>> http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
>>
>>
>> This is about SAML, a vocabulary for exchange of authentication and  
>> authorization data about users trying to access resources. With this  
>> capability built in, one can write policies for users originating  
>> from other sites.
>
> The problem I see with SAML and its specs is that RSA holds patents  
> on it and although these patents are made available under a  
> royalty-free license, every end-user must obtain their own license  
> from RSA. That alone is a requirement which goes far beyond the  
> requirements of the Apache License and furthermore there are some  
> other constraints (e.g. licensees must grant RSA the same rights to  
> any patents they own).
>
> Find the details at  
> http://www.oasis-open.org/committees/security/ipr.php.
>
>> There is an implementation of this for what used to be called  
>> (resource) targets, now called SP [service provider]s, which compiles  
>> and runs under apache 1.3/2.0
>> found at http://shibboleth.internet2.edu/
>
> Hmm, I think both, opensaml.org and shibboleth.internet2.edu are not  
> conforming to RSA's license requirements:
>
> "The license terms for the RSA Patents will permit end-users to use  
> the Licensed Products. However, in the event that a Licensed Product  
> is a product (such as a toolkit product or operating system service)  
> that is used to develop other products, the license will require the  
> licensee of the RSA Patents to notify users of the Licensed Products  
> that such users must obtain a license directly from RSA for the RSA  
> Patents. RSA is willing to grant such licenses on the same  
> non-exclusive, royalty-free terms described above."
>
> I don't find any such notice on both pages, just their usual license  
> which is misleading in this case, e.g.  
> http://www.opensaml.org/license.html
>
> IMHO we should avoid touching this sort of stuff...
>
> Cheers,
> Erik


Re: Authentication Needs for Apache: Was Re: Puzzling News

Posted by Erik Abele <er...@codefaktor.de>.
On 01.03.2005, at 15:52, Sean Mehan wrote:

> Just a pointer to something that is gaining a bit of ground in various  
> circles:
>
>
> http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
>
> found at
>
> http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
>
>
> This is about SAML, a vocabulary for exchange of authentication and  
> authorization data about users trying to access resources. With this  
> capability built in, one can write policies for users originating from  
> other sites.

The problem I see with SAML and its specs is that RSA holds patents on  
it and although these patents are made available under a royalty-free  
license, every end-user must obtain their own license from RSA. That  
alone is a requirement which goes far beyond the requirements of the  
Apache License and furthermore there are some other constraints (e.g.  
licensees must grant RSA the same rights to any patents they own).

Find the details at  
http://www.oasis-open.org/committees/security/ipr.php.

> There is an implementation of this for what used to be called  
> (resource) targets, now called SP [service provider]s, which compiles  
> and runs under apache 1.3/2.0
> found at http://shibboleth.internet2.edu/

Hmm, I think both, opensaml.org and shibboleth.internet2.edu are not  
conforming to RSA's license requirements:

"The license terms for the RSA Patents will permit end-users to use the  
Licensed Products. However, in the event that a Licensed Product is a  
product (such as a toolkit product or operating system service) that is  
used to develop other products, the license will require the licensee  
of the RSA Patents to notify users of the Licensed Products that such  
users must obtain a license directly from RSA for the RSA Patents. RSA  
is willing to grant such licenses on the same non-exclusive,  
royalty-free terms described above."

I don't find any such notice on both pages, just their usual license  
which is misleading in this case, e.g.  
http://www.opensaml.org/license.html

IMHO we should avoid touching this sort of stuff...

Cheers,
Erik