Subject: RE: Specification of the principal
I'm sorry I didn't reply sooner - I just got back from vacation.

A comment:

> The key pieces of the core assertions that have to be defined are the
> subject, object and action clauses

I'm not sure how we arrive at this. This seems to imply a certain type of entitlement structure, where there are others that exist. I'm not sure that this one is a 'given'.

> Specifying the authentication credential allows the PEP to
> authenticate the principal.

I was under the impression that we had decided that this was something out of scope. I don't believe that this data should be included.

Regards,
Darren

> -----Original Message-----
> From: Philip Hallam-Baker [mailto:pbaker@verisign.com]
> Sent: Friday, May 04, 2001 9:01 AM
> To: security-services@lists.oasis-open.org
> Subject: Specification of the principal
>
> All,
>
> The key pieces of the core assertions that have to be defined are the
> subject, object and action clauses. Of these the most complex is the object
> specification, since that may bind to a resource, an attribute or a role. So
> instead I wanted to address the Subject specification first, since it is
> somewhat simpler since all SAML assertions have a principal as the subject.
>
> The other can of worms to open up is the method of requesting an assertion.
>
> Subject
>
> In every case the subject of a SAML assertion is a principal. A principal
> MAY be identified by:
> * Name
> * Authentication Credential
> * Reference to an Authentication Credential
>
> Names
>   Common name ("Alice Pleasance Liddel")
>   Account ("alice@christchurch.ox.ac.uk")
>
> Authentication Credential
>   Password ("secret")
>   Password validator (SHA-1 ("secret"))
>   Holdership of ticket (SHA-1 ( ticket-data ))
>   Public key    <KeyInfo> <KeyData/> </KeyInfo>
>   Certificate   <KeyInfo> <X509Data/> </KeyInfo>
>   PGP Key       <KeyInfo> <PGPData/> </KeyInfo>
>
> Reference to Authentication Credential
>   <KeyInfo> <RetrievalMethod/> </KeyInfo>
>
> Specifying the authentication credential allows the PEP to authenticate the
> principal. However, in some circumstances the authentication protocol used
> will also be relevant.
>
> <Subject>
>   <Name> ?
>   <Account> ?
>   <Authenticator>
>     <AuthAlg> ?
>     <AuthData> | <KeyInfo>
>
> Examples:
>
> Assertion Principal identified by name and account only:
>
> <Subject>
>   <Name>Alice Pleasance Liddel
>   <Account>alice@christchurch.ox.ac.uk
>
> Assertion Principal identified by password validator:
>
> <Subject>
>   <Account>alice@christchurch.ox.ac.uk
>   <Authenticator>
>     <AuthAlg>uri:///password/SHA-1
>     <AuthData>secret
>
> Assertion Principal identified by ticket validator:
>
> <Subject>
>   <Account>alice@christchurch.ox.ac.uk
>   <Authenticator>
>     <AuthAlg>uri:///ticket/SHA-1
>     <AuthData>21A9834hwad98723hawf98723h987w4r
>
> Assertion Principal identified by public key:
>
> <Subject>
>   <Account>alice@christchurch.ox.ac.uk
>   <Authenticator>
>     <KeyInfo>
>       <KeyData>
>         <RSAData/>
>
>
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
>
> <<Phillip Hallam-Baker (E-mail).vcf>>
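As an added illustration (not from the thread, and not code from any SAML draft), the three identification methods in the quoted proposal handled on the PEP side: classifying a draft-shaped <Subject>, and checking a presented credential against a validator. Assumptions: the elements are closed into well-formed XML, AuthData carries the SHA-1 validator rather than the raw password, and the mapping from AuthAlg URI to hash function is a guess at the draft's intent.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed samples in the shape of the draft's examples (element names assumed).
NAME_ONLY_XML = ("<Subject><Name>Alice Pleasance Liddel</Name>"
                 "<Account>alice@christchurch.ox.ac.uk</Account></Subject>")
KEY_XML = ("<Subject><Account>alice@christchurch.ox.ac.uk</Account>"
           "<Authenticator><KeyInfo><KeyData><RSAData/></KeyData></KeyInfo>"
           "</Authenticator></Subject>")
VALIDATOR_XML = ("<Subject><Account>alice@christchurch.ox.ac.uk</Account>"
                 "<Authenticator><AuthAlg>uri:///password/SHA-1</AuthAlg>"
                 "<AuthData>{validator}</AuthData></Authenticator></Subject>")

def validator(alg_uri: str, credential: bytes) -> str:
    """AuthData value for the draft's validator URIs (assumed: unsalted SHA-1, hex)."""
    if alg_uri in ("uri:///password/SHA-1", "uri:///ticket/SHA-1"):
        return hashlib.sha1(credential).hexdigest()
    raise ValueError(f"unsupported AuthAlg: {alg_uri}")

def identification(subject_xml: str) -> str:
    """Which of the draft's identification methods a Subject uses: name, key or validator."""
    auth = ET.fromstring(subject_xml).find("Authenticator")
    if auth is None:
        return "name"            # identified by <Name>/<Account> only
    if auth.find("KeyInfo") is not None:
        return "key"             # public key, certificate, PGP key or RetrievalMethod
    return "validator"           # <AuthAlg> + <AuthData>

def pep_verify(subject_xml: str, presented: bytes) -> bool:
    """PEP-side check: recompute the validator from the credential the principal
    presents and compare it in constant time with the AuthData in the assertion."""
    root = ET.fromstring(subject_xml)
    alg = root.findtext("Authenticator/AuthAlg")
    expected = root.findtext("Authenticator/AuthData")
    if alg is None or expected is None:
        return False             # no validator to check against (name- or key-identified)
    try:
        return hmac.compare_digest(validator(alg, presented), expected)
    except ValueError:
        return False             # unknown AuthAlg: refuse rather than guess

def demo_subject(password: str = "secret") -> str:
    """Build the password-validator Subject for a given password (constructed sample)."""
    return VALIDATOR_XML.format(validator=validator("uri:///password/SHA-1", password.encode()))
```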