[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Credentials-collector use-cases
Tim, all,

I think this is an important extension direction for SAML, making its scope more comprehensive to incorporate authentication processes in addition to reporting on their results.

One point, on terminology: at least for me, the phrase "credential collector" doesn't seem evocative of the core function of validating an entity's authenticity, and instead suggests some sort of caching entity. Would it be clarifying to refer to the authentication authority's role in this process as that of "credential acceptor", and the intermediary (if present) as "credential forwarder"?

In item 1 of the use cases, is formation of some authentication token actually optional on the first round? If no token is generated, it wouldn't seem that it could be sent in the following step (whether directly or by forwarding), and so the authentication authority won't know that it should initiate an authentication sequence from its side. We could speak in terms of having the system entity transfer an empty token as a form of request, but is this a necessary special case?

In use case 1, item 4, and similarly at use case 2, item 5, suggest changing "token is an authentication assertion" to "token may contain an authentication assertion"; it may still prove necessary to incorporate some framing conveying a control channel for the iterated authentication exchange, distinguishing a completed (un)successful authentication exchange from one still in progress.

I suspect that there's a broader related issue with use case 2's intermediary; I don't think it should necessarily be required (or, with some mechanisms, even possible) for the intermediary to interpret the inner contents of the tokens it forwards in order to determine whether they imply success, failure, or need for further continuation.
--jl

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Tuesday, September 30, 2003 4:45 PM
To: 'OASIS Security Services group'
Subject: [security-services] Credentials-collector use-cases

Colleagues - Here is draft one of the credentials-collector use-case document. Comments welcomed. All the best. Tim.

-----------------------------------------------------------------
Tim Moses 613.270.3183