Subject: Re: [security-services] Credentials Collector proposal for SAML 2.0...
Carlisle, sorry it took me so long to get these to you.

Section 2 is labelled a "system" model, but it seems to me to identify a logical model... the CC could be part of the client, part of the AA, or an entity on its own.

In section 2.1 you say the SE sends credentials to the SE/AA and the CC/AA issues a "new" SAML assertion... can you supply a SAML assertion as a credential, and how would this be authenticated using a challenge/response?

In section 2.2 you say the "CC plays the role of a translator", but I don't quite understand the difference between being a collector and a translator... it seems different to me. How does an AA authenticate credentials of an SE with a CC in the middle? Is this a session where the CC maintains two connections, one with the SE and one with the AA, and mediates the interaction, since the reason you have a CC is to off-load auth support from an AA?

In section 2.3 my question is how do you discriminate between CC functions/behavior and AA functions/behavior? What do you mean that the "CC is not known to a wider community"? Also, do you think that SEs can really trust the CC without knowing which AA, or under what conditions, the CC and the AA exchange data? What about privacy? Would the SE be aware of which of the two roles the CC was playing?

In section 2.4.2, is the type 2 a way to supply more than one credential to produce a single SAML assertion that reflects all the credentials? Could you give me an example of this? Why wouldn't the combined CC and AA also accept type 2? Can an SE collect their own "sets" and make a single request to an AA? Why is type 3 needed? Isn't what the user gets really an authorization request, rather than an authentication? Is it anticipated that this would be something like: Maryann was authenticated by IBM, but CompanyXYZ is accepting liability for the authentication based on the assumption that IBM did the right thing?

Maryann
Carlisle Adams <carlisle.adams@entrust.com> on 03/11/2003 02:15:32 PM
To: "'security-services@lists.oasis-open.org'" <security-services@lists.oasis-open.org>
cc:
Subject: [security-services] Credentials Collector proposal for SAML 2.0...

> Hi all,
>
> I've finally gotten around to updating and filling out the Credentials Collector proposal. I've tried to take into account the brief discussions a few of us have had so far on this topic. Further comment/discussion is welcome, on the list and perhaps in an upcoming concall.
>
> Carlisle.
>
> <<SAML Credentials Collector.doc>>