Subject: RE: [security-services] Changes to fix text for "AuthenticationMethod" attribute.
Rob -

1. Your changes look fine to me.

2. I decided to add a new PE for the changes in section 7.1. It is cleaner this way.

Jahan

----------------
Jahan Moreh
Chief Security Architect
310.286.3070

> -----Original Message-----
> From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
> Sent: Tuesday, May 13, 2003 2:48 PM
> To: 'security-services@lists.oasis-open.org'
> Subject: [security-services] Changes to fix text for "AuthenticationMethod" attribute.
>
> Hi folks...
>
> Note that in addition to the changes in section 3.3.3 (AuthenticationQuery) we discussed on today's call, the changes to fix the AuthenticationMethod attribute issue also impacted section 7.1. Could folks please carefully review the text and let me know if I've screwed anything up.
>
> Jahan - in the errata, please also mention the impact on section 7.1.
>
> Section 3.3.3: Core draft 10 lines 1114-1128 are currently:
> ------------------------------------------
> This element is of type AuthenticationQueryType, which extends SubjectQueryAbstractType with the addition of the following element:
>
> <AuthenticationMethod> [Optional]
>
> A filter for possible responses. If it is present, the query made is "What assertions containing authentication statements do you have for this subject with the supplied authentication method?"
>
> In response to an authentication query, a SAML authority returns assertions with authentication statements as follows:
> * Rules given in Section 3.4.4 for matching against the <Subject> element of the query identify the assertions that may be returned.
> * If the <AuthenticationMethod> element is present in the query, at least one <AuthenticationMethod> element in the set of returned assertions MUST match. It is OPTIONAL for the complete set of all such matching assertions to be returned in the response.
> * If any <RespondWith> elements are present and none of them contain "saml:AuthenticationStatement", then the SAML authority returns no assertions with authentication statements. (See Section 3.2.1.1 for more information.)
> ------------------------------------------
> I've replaced the -10 text with:
> ------------------------------------------
> This element is of type AuthenticationQueryType, which extends SubjectQueryAbstractType with the addition of the following attribute:
>
> AuthenticationMethod [Optional]
>
> If present, specifies a filter for possible responses. Such a query asks the question "What assertions containing authentication statements do you have for this subject with the supplied authentication method?"
>
> In response to an authentication query, a SAML authority returns assertions with authentication statements as follows:
> * Rules given in Section 3.4.4 for matching against the <Subject> element of the query identify the assertions that may be returned.
> * If the AuthenticationMethod attribute is present in the query, at least one <AuthenticationStatement> element in the set of returned assertions MUST contain an AuthenticationMethod attribute that matches the AuthenticationMethod attribute in the query. It is OPTIONAL for the complete set of all such matching assertions to be returned in the response.
> * If any <RespondWith> elements are present and none of them contain "saml:AuthenticationStatement", then the SAML authority returns no assertions with authentication statements. (See Section 3.2.1.1 for more information.)
> ------------------------------------------
>
> Also... Section 7.1 referred to AuthenticationMethod as an element. So I've taken the editorial privilege to adjust that section as well even though we did not discuss it on the con-call. Please let me know of objections or suggested changes.
>
> The core draft 10 spec from lines 1826-1833 contained:
> ------------------------------------------
> 7.1 Authentication Method Identifiers
>
> The <AuthenticationMethod> and <SubjectConfirmationMethod> elements perform different functions, although both can refer to the same underlying mechanisms. <AuthenticationMethod> is a part of an authentication statement, which describes an authentication act that occurred in the past. The <AuthenticationMethod> element indicates how that authentication was done. Note that the authentication statement does not provide the means to perform that authentication, such as a password, key, or certificate.
>
> In contrast, <SubjectConfirmationMethod> is a part of the <SubjectConfirmation> element,
> ...
> ------------------------------------------
> I have changed this to:
> ------------------------------------------
> 7.1 Authentication Method Identifiers
>
> The AuthenticationMethod attribute of an <AuthenticationStatement> and the <SubjectConfirmationMethod> element of a SAML subject perform different functions, although both can refer to the same underlying mechanisms. An authentication statement with an AuthenticationMethod attribute describes an authentication act that occurred in the past. The AuthenticationMethod attribute indicates how that authentication was done. Note that the authentication statement does not provide the means to perform that authentication, such as a password, key, or certificate.
>
> In contrast, <SubjectConfirmationMethod> is a part of the <SubjectConfirmation> element,
> ...
> ------------------------------------------
>
>
> Rob Philpott
> RSA Security Inc.
> The Most Trusted Name in e-Security
> Tel: 781-515-7115
> Mobile: 617-510-0893
> Fax: 781-515-7020
> mailto:rphilpott@rsasecurity.com
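The three response rules in the revised section 3.3.3 text above, as an added example that is not part of this thread or of the SAML specification: an authority-side filter and a relying-party-side conformance check over constructed sample assertions. The dataclasses are a simplified stand-in for the XML; the `saml:AuthenticationStatement` QName is the RespondWith value named in the text, the password URI is the SAML 1.x method identifier, and the second method URI is made up.

```python
# Added example (not from the thread): section 3.3.3's AuthenticationQuery rules over a constructed stand-in for SAML 1.1 XML.
from dataclasses import dataclass, field

AUTHN_STMT = "saml:AuthenticationStatement"   # RespondWith value named in the text

@dataclass
class AuthnStatement:
    method: str                  # value of the AuthenticationMethod attribute

@dataclass
class Assertion:
    subject: str                 # stand-in for <Subject> matching (section 3.4.4)
    statements: list

@dataclass
class AuthnQuery:
    subject: str
    method: str = None           # optional AuthenticationMethod attribute
    respond_with: list = field(default_factory=list)

def answer_query(store, q):
    """Authority side: all eligible assertions (returning a subset is OPTIONAL)."""
    if q.respond_with and AUTHN_STMT not in q.respond_with:
        return []                # rule 3: requester did not ask for authn statements
    out = []
    for a in store:
        if a.subject != q.subject:
            continue             # rule 1: subject must match
        if q.method and not any(s.method == q.method for s in a.statements):
            continue             # rule 2: method filter
        out.append(a)
    return out

def response_conforms(q, response):
    """Relying-party side: does a received response obey the same rules?"""
    if q.respond_with and AUTHN_STMT not in q.respond_with:
        return not any(a.statements for a in response)
    if any(a.subject != q.subject for a in response):
        return False
    if q.method is None or not response:   # empty reply: nothing to check (assumption)
        return True
    return any(s.method == q.method for a in response for s in a.statements)

# Constructed sample store; the first URI is the SAML 1.x password method identifier.
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
STORE = [
    Assertion("alice", [AuthnStatement(PASSWORD)]),
    Assertion("alice", [AuthnStatement("urn:example:am:token")]),   # made-up URI
    Assertion("bob", [AuthnStatement(PASSWORD)]),
]
```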