Subject: RE: [security-services] Credentials collection proposal
- From: Hal Lockhart <hal.lockhart@entegrity.com>
- To: 'Mike Just' <Mike.Just@entrust.com>,"'security-services@lists.oasis-open.org'"<security-services@lists.oasis-open.org>
- Date: Mon, 30 Sep 2002 18:00:16 -0400
Title: Credentials collection proposal
Mike,

I don't know if you have developed use cases for this proposal. On reflection, this proposal does not appear to support what I consider to be the "bread and butter" use case. In this use case, a pool of web or application servers communicate with browsers via HTTP or HTTPS. These servers, in turn, communicate with a small number of central servers which have access to one or more repositories containing user information including passwords. The web or application servers act as credentials collectors, either collecting passwords via HTTP basic auth or form post or by terminating SSL/TLS links with client certs (other AuthN methods may be supported as well). The web/app servers act as PEPs and perhaps PDPs. The central servers act as AuthN Authorities, Attribute Authorities and perhaps PDPs.

This is the configuration of most WAM products, including, I believe, Entrust's. In this environment, it is not satisfactory to require each web/app server to access the multiple repositories to verify passwords, which is what I understand your proposal to require.

Please tell me how I have misunderstood your ability to support this use case or how in fact it can be supported.

Regards,
Hal
As promised, here's a short (just 3 1/2 pages) proposal for incorporating credentials collection (i.e. a *new* authentication request) into SAML 2.0. We can discuss on the conference call on Tuesday.

Cheers,
Mike

P.S. Apologies if the schema I've included is horribly incorrect.
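The deployment Hal describes above, as an added illustration that is not part of either message or of Mike's proposal: a web/app server acting as credentials collector and PEP parses an HTTP Basic Authorization header, forwards the collected password to a central authentication authority, and trusts only a signed assertion that comes back. The authority is the only component holding the password repository. All class and function names, the PBKDF2 store, the HMAC-signed JSON assertion and the shared assertion key are assumptions made for this example; they are a stand-in for a SAML authentication exchange, not its wire format.

```python
"""Credentials-collector / authentication-authority split (constructed example).

The web/app server (PEP) collects an HTTP Basic credential but never sees the
password repository; it forwards the credential to a central AuthN authority,
which verifies it against its own store and returns a signed assertion that the
PEP checks before admitting the request. Names, key and store are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import os
import time

PBKDF2_ROUNDS = 100_000  # assumption: any slow password hash would do


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header_value):
    """Parse 'Basic <base64(user:pass)>'; return (user, password) or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


class AuthnAuthority:
    """Central server: the only component with access to the password store."""

    def __init__(self, assertion_key):
        self._key = assertion_key
        self._repo = {}  # username -> (salt, pbkdf2 digest); hypothetical store

    def enroll(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._repo[user] = (salt, digest)

    def authenticate(self, user, password):
        """Verify a forwarded password; return a signed assertion or None."""
        record = self._repo.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which usernames exist in the repository.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return None
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, expected):
            return None
        body = json.dumps({"subject": user, "method": "password",
                           "issued": int(time.time())}, sort_keys=True)
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return {"assertion": body, "signature": sig}


class CredentialsCollector:
    """Web/app server acting as PEP: collects credentials, holds no passwords."""

    def __init__(self, authority, assertion_key):
        self._authority = authority
        self._key = assertion_key  # key to check the authority's signature only

    def handle_request(self, headers):
        """Return (HTTP status, authenticated subject or None)."""
        creds = parse_basic_auth(headers.get("Authorization", ""))
        if creds is None:
            return 401, None
        result = self._authority.authenticate(*creds)
        if result is None:
            return 401, None
        # Never trust an unsigned or tampered assertion from the network.
        expected = hmac.new(self._key, result["assertion"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, result["signature"]):
            return 500, None
        return 200, json.loads(result["assertion"])["subject"]


def demo():
    """Run the exchange for a good, a bad and a malformed credential."""
    key = os.urandom(32)
    authority = AuthnAuthority(key)
    authority.enroll("alice", "correct horse")
    pep = CredentialsCollector(authority, key)
    good = pep.handle_request({"Authorization": basic_header("alice", "correct horse")})
    bad = pep.handle_request({"Authorization": basic_header("alice", "wrong")})
    unknown = pep.handle_request({"Authorization": basic_header("mallory", "x")})
    malformed = pep.handle_request({"Authorization": "Basic not-base64!"})
    return good, bad, unknown, malformed


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one Hal raises: the collector only needs the authority's address and a way to verify its assertions, while repository access, the password hash and the user lookup all stay on the central server. A browser-to-collector request is parsed at the edge, but nothing there can check a password on its own.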