RE: [security-services] Groups - draft-sstc-nameid-05.pdf uploade d

["Linn, John" <jlinn@rsasecurity.com>]

I'm not sure that principal-level confirmation can be obtained within the
federation protocol per se; the principal isn't a direct peer in that
protocol and is trusting the authentication authority to act on its behalf.
As Scott suggested earlier in this thread, this may appropriately be a
guidance matter for authentication authorities, rather than something that
falls within the scope of a protocol spec. 

--jl

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, October 29, 2003 11:32 AM
To: Linn, John; 'Beach, Michael C';
security-services@lists.oasis-open.org
Subject: RE: [security-services] Groups - draft-sstc-nameid-05.pdf
uploade d


> I didn't think to look back at earlier drafts before posting 
> my message earlier today, but did so subsequently.  -02, 
> e.g., makes the statement "Means shall be specified enabling 
> the authentication authority to obtain explicit confirmation 
> by the principal before a federation is established." The 
> intent was that a means to obtain consent must be available, 
> not to mandate that the authentication authority (acting 
> according to its policy) must invoke that means on every 
> federation instance. 

Subtle, but true. Question...does ID-FF in your mind address that
requirement? I'm not sure I'd claim that it has actually specified such a
means.

-- Scott