security-services message


Subject: RE: Specification of the principal


I'm sorry I didn't reply sooner - I just got back from vacation.  A comment:

> The key pieces of the core assertions that have to be defined are the
> subject, object and action clauses

I'm not sure how we arrive at this.  This seems to imply a certain type of
entitlement structure, where there are others that exist.  I'm not sure that
this one is a 'given'.


> Specifying the authentication credential allows the PEP to authenticate the
> principal.

I was under the impression that we had decided that this was something out
of scope.  I don't believe that this data should be included.

Regards,

Darren



> -----Original Message-----
> From: Philip Hallam-Baker [mailto:pbaker@verisign.com]
> Sent: Friday, May 04, 2001 9:01 AM
> To: security-services@lists.oasis-open.org
> Subject: Specification of the principal
> 
> 
> All,
> The key pieces of the core assertions that have to be defined are the
> subject, object and action clauses. Of these the most complex is the object
> specification since that may bind to a resource, an attribute or a role. So
> instead I wanted to address the Subject specification first since it is
> somewhat simpler since all SAML assertions have a principal as the subject.
> The other can of worms to open up is the method of requesting an assertion.
> Subject
> In every case the subject of a SAML assertion is a principal. A principal
> MAY be identified by:
> 	*	Name
> 	*	Authentication Credential
> 	*	Reference to an Authentication Credential
> Names
> 		Common name ("Alice Pleasance Liddel")
> 		Account ("alice@christchurch.ox.ac.uk")
> Authentication Credential
> 		Password ("secret")
> 		Password validator (SHA-1 ("secret"))
> 		Holdership of ticket (SHA-1 ( ticket-data ))
> 		Public key <KeyInfo> <KeyData/> </KeyInfo>
> 		Certificate <KeyInfo> <X509Data/> </KeyInfo>
> 		PGP Key <KeyInfo> <PGPData/> </KeyInfo>
> Reference to Authentication Credential
> 		<KeyInfo> <RetrievalMethod/> </KeyInfo>
> Specifying the authentication credential allows the PEP to authenticate the
> principal. However in some circumstances the authentication protocol used
> will also be relevant.
> <Subject>
>    <Name> ?
>    <Account> ?
>    <Authenticator>
>       <AuthAlg>?
>       <AuthData> | <KeyInfo>
> 
> Examples:
> Assertion Principal identified by name and account only:
> <Subject>
>    <Name>Alice Pleasance Liddel
>    <Account>alice@christchurch.ox.ac.uk
> Assertion Principal identified by password validator
> <Subject>
>    <Account>alice@christchurch.ox.ac.uk
>    <Authenticator>
>       <AuthAlg>uri:///password/SHA-1
>       <AuthData>secret
> Assertion Principal identified by ticket validator
> <Subject>
>    <Account>alice@christchurch.ox.ac.uk
>    <Authenticator>
>       <AuthAlg>uri:///ticket/SHA-1
>       <AuthData>21A9834hwad98723hawf98723h987w4r
> Assertion Principal identified by public key
> <Subject>
>    <Account>alice@christchurch.ox.ac.uk
>    <Authenticator>
>       <KeyInfo>
>          <KeyData>
>              <RSAData/>
> 
> 
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
> 
> 
> 

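As an added example, not code from the thread or from the SAML committee: a small parser for the `<Subject>` structure Phillip sketches, with the sketch closed into well-formed XML (an assumption, since the original omits end tags), which classifies how the principal is identified and applies the policy Darren argues for, refusing subjects that carry credential data in-band. The element names, the `uri:///password/` and `uri:///ticket/` prefixes and the sample values are taken from the quoted message; the classification labels are my own.

```python
import xml.etree.ElementTree as ET
# Constructed samples, closed into well-formed XML from the sketch in the thread.
NAME_ONLY = """<Subject>
  <Name>Alice Pleasance Liddel</Name>
  <Account>alice@christchurch.ox.ac.uk</Account>
</Subject>"""
PASSWORD_VALIDATOR = """<Subject>
  <Account>alice@christchurch.ox.ac.uk</Account>
  <Authenticator>
    <AuthAlg>uri:///password/SHA-1</AuthAlg>
    <AuthData>secret</AuthData>
  </Authenticator>
</Subject>"""
PUBLIC_KEY = """<Subject>
  <Account>alice@christchurch.ox.ac.uk</Account>
  <Authenticator><KeyInfo><KeyData><RSAData/></KeyData></KeyInfo></Authenticator>
</Subject>"""
# Identification modes that put credential material into the assertion itself.
CREDENTIAL_BEARING = {"password-validator", "ticket-validator", "other-validator"}

def classify_subject(xml_text):
    """Return how the principal is identified, following the proposed structure:
    Name? Account? Authenticator(AuthAlg? (AuthData | KeyInfo))."""
    root = ET.fromstring(xml_text)
    if root.tag != "Subject":
        raise ValueError("root element must be <Subject>")
    has_id = root.find("Name") is not None or root.find("Account") is not None
    auth = root.find("Authenticator")
    if auth is None:
        if not has_id:
            raise ValueError("subject carries no identifier at all")
        return "name-or-account"
    key_info = auth.find("KeyInfo")
    if key_info is not None:
        # <RetrievalMethod> points at a credential held elsewhere; anything else
        # under <KeyInfo> (KeyData, X509Data, PGPData) is the key itself.
        if key_info.find("RetrievalMethod") is not None:
            return "credential-reference"
        return "public-key"
    alg, data = auth.findtext("AuthAlg"), auth.findtext("AuthData")
    if alg is None or data is None:
        raise ValueError("<Authenticator> needs AuthAlg+AuthData or KeyInfo")
    if alg.startswith("uri:///password/"):
        return "password-validator"
    if alg.startswith("uri:///ticket/"):
        return "ticket-validator"
    return "other-validator"

def accept_subject(xml_text):
    """Policy from Darren's objection: allow names, keys and references, refuse in-band credentials."""
    return classify_subject(xml_text) not in CREDENTIAL_BEARING
```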
