dss message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Authentication of Claimed Identity
- From: "Nick Pope" <pope@secstan.com>
- To: "OASIS DSS TC" <dss@lists.oasis-open.org>,"Trevor Perrin" <trev@trevp.net>
- Date: Tue, 2 Nov 2004 20:24:08 -0000
Can I suggest the following change to the description of claimed identity so
that if matches the descritpion in requester identity. Also, the example
provided is confusing (e.g. what is the digital signature against? How does
this differ from an input signature?).
The new text in 2.8.2 <claimedidentity> currently states:
"
The <ClaimedIdentity> element indicates the identity of the client who is
making a request. The server may use this to parameterize any aspect of its
processing. Profiles that make use of this element MUST define its
semantics.
The <SupportingInfo> child element can be used by profiles to carry
information related to the client�s identity. One use of <SupportingInfo>
is to carry a digital signature or other data that authenticates the request
as originating from the client identity. Client authentication may also be
handled by the security binding, according to section 6. Regardless of
whether client authentication is performed through the security binding or
through <SupportingInfo>, the server MUST check that the asserted <Name>
matches the client authentication before relying upon the <Name>."
5.2 <RequesterIdentity> currenty states:
This section contains the definition of an XML Requester Identity element.
This element can be used as a signature property in an XML signature to
identify the client who requested the signature.
This element has the following children:
Name [Required]
The name or role of the requester who requested the signature be performed.
SupportingInfo [Optional]
Information supporting the name (such as a SAML Assertion [SAMLCore1.1],
Liberty Alliance Authentication Context, or X.509 Certificate)."
-----
I suggest that 2.8.2 is changed to read.
"The <ClaimedIdentity> element indicates the identity of the client who is
making a request. The server may use this to parameterize any aspect of its
processing. Profiles that make use of this element MUST define its
semantics.
This element has the following children:
Name [Required]
The name or role of the requester who requests the signature be performed.
SupportingInfo [Optional]
Information supporting the name (such as a SAML Assertion [SAMLCore1.1],
Liberty Alliance Authentication Context, or X.509 Certificate).
The claimed identity may be authenticated using the security binding,
according to section 6, or using authentication information provided in the
<SupportingInfo> element. The server MUST check that the asserted <Name> is
authenticated before relying upon the <Name>."
Nick
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]