Subject: Re: Authentication of Claimed Identity
I'm happy to go with your last 2 sentences, in place of my last 2. However, your text under SupportingInfo makes this sound too similar to RequesterInfo. ClaimedIdentity/SupportingInfo may carry a signature or MAC over the request to accomplish client authentication, which none of your examples mention. I would change my first two sentences like:

The <SupportingInfo> child element can be used by profiles to carry information related to the claimed identity. One possible use of <SupportingInfo> is to carry authentication data that authenticates the request as originating from the claimed identity (examples of authentication data include a password or SAML Assertion [SAMLCore1.1], or a signature or MAC calculated over the request using a client key).

At 08:24 PM 11/2/2004 +0000, Nick Pope wrote:

> Can I suggest the following change to the description of claimed identity so that it matches the description in requester identity. Also, the example provided is confusing (e.g. what is the digital signature against? How does this differ from an input signature?).
>
> The new text in 2.8.2 <ClaimedIdentity> currently states:
>
> "The <ClaimedIdentity> element indicates the identity of the client who is making a request. The server may use this to parameterize any aspect of its processing. Profiles that make use of this element MUST define its semantics.
>
> The <SupportingInfo> child element can be used by profiles to carry information related to the client's identity. One use of <SupportingInfo> is to carry a digital signature or other data that authenticates the request as originating from the client identity. Client authentication may also be handled by the security binding, according to section 6. Regardless of whether client authentication is performed through the security binding or through <SupportingInfo>, the server MUST check that the asserted <Name> matches the client authentication before relying upon the <Name>."
>
> 5.2 <RequesterIdentity> currently states:
>
> "This section contains the definition of an XML Requester Identity element. This element can be used as a signature property in an XML signature to identify the client who requested the signature.
>
> This element has the following children:
>
> Name [Required]
> The name or role of the requester who requested the signature be performed.
>
> SupportingInfo [Optional]
> Information supporting the name (such as a SAML Assertion [SAMLCore1.1], Liberty Alliance Authentication Context, or X.509 Certificate)."
>
> -----
>
> I suggest that 2.8.2 is changed to read:
>
> "The <ClaimedIdentity> element indicates the identity of the client who is making a request. The server may use this to parameterize any aspect of its processing. Profiles that make use of this element MUST define its semantics.
>
> This element has the following children:
>
> Name [Required]
> The name or role of the requester who requests the signature be performed.
>
> SupportingInfo [Optional]
> Information supporting the name (such as a SAML Assertion [SAMLCore1.1], Liberty Alliance Authentication Context, or X.509 Certificate).
>
> The claimed identity may be authenticated using the security binding, according to section 6, or using authentication information provided in the <SupportingInfo> element. The server MUST check that the asserted <Name> is authenticated before relying upon the <Name>."
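The check the thread keeps returning to, as an added example that is neither the thread's nor the DSS specification's own code: a toy client builds a request whose <SupportingInfo> carries a MAC over the request using a client key, and the server releases the asserted <Name> only after that MAC verifies under the key registered for that Name. The element layout, the HMAC-SHA256 construction over name plus payload, and the key table are assumptions for illustration; a real profile would MAC or sign canonicalized XML.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample key table: the server's shared client keys, indexed by the
# client's <Name>. (Assumption: symmetric keys; the spec also allows signatures.)
CLIENT_KEYS = {
    "alice@example.com": b"constructed-shared-key-for-alice",
    "bob@example.com": b"constructed-shared-key-for-bob",
}
MAC_ALG = "HMAC-SHA256"  # hypothetical algorithm label carried in <SupportingInfo>


def mac_over_request(key: bytes, name: str, payload: str) -> str:
    """MAC binds the claimed <Name> to the request content it authenticates.
    (Assumption: a real DSS profile would MAC canonicalized XML instead.)"""
    return hmac.new(key, f"{name}\n{payload}".encode(), hashlib.sha256).hexdigest()


def build_request(name: str, key: bytes, payload: str) -> str:
    """Client side: assert a <ClaimedIdentity> and prove it via a MAC in <SupportingInfo>."""
    mac = mac_over_request(key, name, payload)
    return (
        "<SignRequest>"
        f"<ClaimedIdentity><Name>{name}</Name>"
        f"<SupportingInfo><MAC alg='{MAC_ALG}'>{mac}</MAC></SupportingInfo></ClaimedIdentity>"
        f"<InputDocuments>{payload}</InputDocuments>"
        "</SignRequest>"
    )


def authenticate_claimed_identity(request_xml: str) -> Optional[str]:
    """Server side: return the asserted <Name> only if <SupportingInfo> authenticates it.
    The server must not rely on <Name> when this returns None."""
    root = ET.fromstring(request_xml)
    name = root.findtext("ClaimedIdentity/Name")
    mac_el = root.find("ClaimedIdentity/SupportingInfo/MAC")
    if not name or mac_el is None or mac_el.get("alg") != MAC_ALG:
        return None
    key = CLIENT_KEYS.get(name)  # the asserted Name selects which client key must verify
    if key is None:
        return None
    expected = mac_over_request(key, name, root.findtext("InputDocuments") or "")
    # Constant-time compare; a mismatch means the Name is asserted but not authenticated.
    return name if hmac.compare_digest(expected, mac_el.text or "") else None
```

The same "asserted Name matches the authenticated identity" rule applies when authentication comes from the security binding instead; only the source of the authenticated identity changes.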