Subject: Re: [security-services] Credentials Collector proposal for SAML 2.0...

Carlisle,

Sorry it took me so long to get these to you.

Section 2 is labelled a "system" model, but it seems to me to identify a logical model... the CC could be part of the client, part of the AA, or an entity on its own.

In section 2.1 you say the SE sends credentials to the SE/AA and the CC/AA issues a "new" SAML assertion... can you supply a SAML assertion as a credential, and how would this be authenticated using a challenge/response?

In section 2.2 you say the "CC plays the role of a translator", but I don't quite understand the difference between being a collector and a translator... it seems different to me. How does an AA authenticate credentials of an SE with a CC in the middle? Is this a session where the CC maintains two connections, one with the SE and one with the AA, and mediates the interaction, since the reason you have a CC is to off-load auth support from an AA?

In section 2.3
      My question is how do you discriminate between CC functions/behavior and AA functions/behavior?
      What do you mean that the "CC is not known to a wider community"?

      Also, do you think that SEs can really trust the CC without knowing which AA, or under what conditions the CC and the AA exchange data? What about privacy?
      Would the SE be aware of which of the two roles the CC was playing?

In section 2.4.2
      Is type 2 a way to supply more than one credential to produce a single SAML assertion that reflects all the credentials? Could you give me an example of this?

      Why wouldn't the combined CC and AA also accept type 2? Can an SE collect their own "sets" and make a single request to an AA?

      Why is type 3 needed? Isn't what the user gets really an authorization request, rather than an authentication? Is it anticipated that this would be something like Maryann was authenticated by IBM, but CompanyXYZ is accepting liability for the authentication based on the assumption that IBM did the right thing?

Maryann

Carlisle Adams <carlisle.adams@entrust.com> on 03/11/2003 02:15:32 PM

To:    "'security-services@lists.oasis-open.org'"
       <security-services@lists.oasis-open.org>
cc:
Subject:    [security-services] Credentials Collector proposal for SAML
       2.0...
Hi all,

I've finally gotten around to updating and filling out the Credentials Collector proposal. I've tried to take into account the brief discussions a few of us have had so far on this topic. Further comment/discussion is welcome, on the list and perhaps in an upcoming concall.

Carlisle.

 <<SAML Credentials Collector.doc>>