Subject: RE: [security-services] Issue of multiple authn statements during SSO
> [Rob] Are you saying we'd allow one or more statements in a bearer
> assertion, but not multiple bearer assertions with authn methods? I
> guess that works.

Now that I understand your use case a bit better, I think I'm ok with it as it stands, without any restrictions. You basically want the SP to be able to collect up or ignore authentication statements as it sees fit. This idea wasn't at all clear to me in the original profile, so maybe I'm the one who was confused. Although when I read ID-FF, I get a strong sense that a single statement is implied there also.

> [Rob] I would NOT want to constrain the assertion to only use one
> Reauthn timestamp or using the shortest.
> I think the reauthn timestamps should always apply to the method in the
> specific statement in which it is specified. I would normally want a
> reauthn timestamp on a low grade method to be longer than a high-grade
> method. The semantic is simply that if the SP relies on a specific
> method for graded authn checks, then the reauthn time associated with
> that method applies. If you don't care about graded authn at the SP,
> then maybe the shortest should be used. But that would not
> work for the graded case.

I think we need some language added to the spec to discuss this notion and how it would impact sessions. I guess you're saying that in effect, you're establishing a session based on perhaps only one of the statements, and if so, that's the Reauthenticate time you care about. I can buy that.

-- Scott
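The two readings debated above (the SP relying on one specific authentication statement's reauthentication time for graded authentication, versus taking the shortest time across all statements when grading is not a concern) can be shown as SP-side session logic. The following is an added example, not code from the thread, the TC or any SAML implementation. The assertion XML, its namespace, and the element and attribute names (AuthenticationStatement, AuthenticationMethod, AuthenticationInstant, ReauthenticateOnOrAfter) are constructed here to follow the thread's wording, not taken from a published schema; the method URIs are the SAML 1.0 authentication-method identifiers.

```python
"""Toy SP-side session policy for an assertion carrying several authentication
statements, each with its own reauthentication deadline.

Two readings from the thread are implemented:
  - graded: the SP relies on one specific authentication method, so the
    deadline of that statement governs the session;
  - ungraded: the SP does not care which method was used, so the earliest
    deadline across all statements governs the session.
Element and attribute names below are constructed for this example and are
not a specific published schema.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = "urn:example:assertion"  # constructed namespace for the sample XML

# Constructed sample: one low-grade statement (password) with a long
# reauthentication window and one high-grade statement (X.509) with a short one.
SAMPLE_ASSERTION = f"""
<Assertion xmlns="{NS}" AssertionID="example-id-1" Issuer="https://idp.example.org">
  <AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-01-15T10:00:00Z"
      ReauthenticateOnOrAfter="2004-01-15T18:00:00Z"/>
  <AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
      AuthenticationInstant="2004-01-15T10:00:05Z"
      ReauthenticateOnOrAfter="2004-01-15T11:00:00Z"/>
</Assertion>
"""

PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
X509_PKI = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
KERBEROS = "urn:ietf:rfc:1510"  # not present in the sample; used to show the failure case


@dataclass(frozen=True)
class AuthnStatement:
    method: str
    instant: datetime
    reauth_on_or_after: datetime


def parse_ts(value: str) -> datetime:
    """Parse an xsd:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_statements(xml_text: str) -> List[AuthnStatement]:
    """Collect every authentication statement in the assertion, in document order."""
    root = ET.fromstring(xml_text)
    statements = []
    for el in root.findall(f"{{{NS}}}AuthenticationStatement"):
        statements.append(AuthnStatement(
            method=el.get("AuthenticationMethod"),
            instant=parse_ts(el.get("AuthenticationInstant")),
            reauth_on_or_after=parse_ts(el.get("ReauthenticateOnOrAfter")),
        ))
    return statements


def session_deadline(statements: List[AuthnStatement],
                     required_method: Optional[str] = None) -> Optional[datetime]:
    """Return the reauthentication deadline the SP should enforce for its session.

    Graded case (required_method given): only statements for that method count,
    so the deadline is the one attached to the method the SP actually relies on.
    If no statement carries that method, no session can be established (None).
    Ungraded case (required_method is None): the earliest deadline wins.
    """
    if not statements:
        return None
    if required_method is not None:
        matching = [s for s in statements if s.method == required_method]
        if not matching:
            return None
        return min(s.reauth_on_or_after for s in matching)
    return min(s.reauth_on_or_after for s in statements)


def session_is_valid(statements: List[AuthnStatement], now: datetime,
                     required_method: Optional[str] = None) -> bool:
    """True while 'now' is before the governing deadline; False if none applies."""
    deadline = session_deadline(statements, required_method)
    return deadline is not None and now < deadline


if __name__ == "__main__":
    stmts = parse_statements(SAMPLE_ASSERTION)
    print("ungraded deadline:", session_deadline(stmts))
    print("graded on password:", session_deadline(stmts, PASSWORD))
    print("graded on X.509:   ", session_deadline(stmts, X509_PKI))
    print("graded on Kerberos:", session_deadline(stmts, KERBEROS))
```

Note the asymmetry the thread points at: an SP that relies on the password statement keeps its session until 18:00 even though the assertion also carries a statement that expires at 11:00, whereas an SP with no graded policy expires at 11:00. An SP that requires a method the assertion does not carry gets no session at all rather than falling back to whatever statement happens to be present.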