security-services message
Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)




Scott Cantor wrote on 3/12/2004, 6:12 PM:

> > Assuming we're talking about the same thing (that the SP needs to be
> > able to tell the IdP that it wants a new persistent relationship if
> > one doesn't already exist) -- it is needed.
>
> That's the implied semantic already. The question is why an SP would
> need to be able to say that it only wanted an existing identifier
> and not a new one, if necessary.

When the SP didn't want to create a federation, but is willing to use
one if it already exists.

> > Of course, in such a case, the IdP can still confirm the federation
> > with the user, but will, in the right circumstances, accept the SP's
> > request without needing additional confirmation and create the new
> > permanent relationship with the user.
>
> If the issue is confirmation,

The issue is that the request should match the semantics of the
operation requested by the user and/or site.  So, for example, the user
goes to a site which figures out the user is from a particular IdP (not
saying how, but you can guess it is some form of a cookie) and the
SP wants to use an existing federation, but it does not yet want to
go to the point of establishing a federation if one doesn't already
exist.

I am very concerned about not being able to ask for an authentication
without implying that I am also asking for a federation.  I think that
people who are concerned with privacy would also be concerned about
a protocol that does not allow that distinction.

Conor
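The distinction Conor argues for above (an SP asking only for authentication against an existing persistent identifier, versus an SP willing to have a new one created) is what SAML 2.0 ended up carrying in the `AllowCreate` attribute of `NameIDPolicy`, which defaults to `false`. The following is an added example, not code from the thread or from any OASIS deliverable: a small IdP-side decision routine that parses a constructed `AuthnRequest`, looks up a persistent federation for the (user, SP) pair, and either returns the existing identifier, creates one only when the SP explicitly allowed it, or refuses with the `InvalidNameIDPolicy` second-level status. The SP entity ID `https://sp.example.org`, the user name and the request IDs are constructed placeholders.

```python
"""Added example: keeping "authenticate me" separate from "federate me".

An IdP applies the SP's NameIDPolicy: AllowCreate="false" (the default)
means "use a persistent identifier only if one already exists"; only
AllowCreate="true" permits the IdP to mint a new persistent federation.
"""
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Second-level status an IdP returns when it cannot satisfy NameIDPolicy.
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def build_request(allow_create, sp="https://sp.example.org"):
    """Construct a minimal AuthnRequest (values are placeholders)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
        'ID="_constructed-%s" Version="2.0" IssueInstant="2004-03-12T18:12:00Z">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<samlp:NameIDPolicy Format="%s" AllowCreate="%s"/>'
        "</samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], secrets.token_hex(4), sp, PERSISTENT,
         "true" if allow_create else "false")


def parse_name_id_policy(authn_request_xml):
    """Extract the SP's NameIDPolicy; a missing AllowCreate means false."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return {"issuer": issuer, "format": None, "allow_create": False}
    raw = policy.get("AllowCreate", "false").strip().lower()
    return {
        "issuer": issuer,
        "format": policy.get("Format"),
        "allow_create": raw in ("true", "1"),  # xs:boolean lexical forms
    }


class FederationStore:
    """In-memory map of (user, sp) -> opaque persistent identifier."""

    def __init__(self):
        self._ids = {}

    def lookup(self, user, sp):
        return self._ids.get((user, sp))

    def create(self, user, sp):
        # Opaque, SP-specific value: reveals nothing about the user and
        # cannot be correlated across different SPs.
        ident = secrets.token_urlsafe(24)
        self._ids[(user, sp)] = ident
        return ident


def resolve_persistent_id(store, user, policy):
    """Return (outcome, identifier-or-status) honouring AllowCreate."""
    sp = policy["issuer"]
    existing = store.lookup(user, sp)
    if existing is not None:
        return "existing", existing
    if not policy["allow_create"]:
        # SP asked for authentication only: do not silently federate.
        return "refused", INVALID_NAMEID_POLICY
    return "created", store.create(user, sp)


def run_scenarios(user="alice"):
    """Three requests from one SP: auth-only, then create, then auth-only."""
    store = FederationStore()
    results = []
    for allow in (False, True, False):
        policy = parse_name_id_policy(build_request(allow))
        results.append(resolve_persistent_id(store, user, policy))
    return results


if __name__ == "__main__":
    for outcome, value in run_scenarios():
        print(outcome, value)
```

The first request is refused rather than quietly creating a federation, the second creates one because the SP said it may, and the third reuses that identifier, which is the behaviour the message above asks the protocol to make expressible.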



