

Subject: RE: [security-services] proposed addition to loa-authncontext doc re certified assurance


RL 'Bob' Morgan wrote on 2009-05-27:
> The proposed method would take advantage of the ability to add attributes
> to entities in metadata as specified in the metadata-attr draft.  An
> attribute name would be defined, perhaps:
> 
>    urn:oasis:names:tc:SAML:assurance-profile-certification
> 
> and that attribute can be added to IdP entities in metadata with values
> that indicate the assurance profiles that that entity can assert via
> loa-authncontext.  The party that is stating the certification is the
> issuer (signer) of the metadata containing that entity.

We may want to say less rather than more about "the basis for accepting
attributes in metadata", or perhaps add some non-normative discussion about
that to the EntityAttributes draft rather than here.

> In discussions about this I think there has been some interest in having
> the ability for the attribute in the metadata be signed independently of
> the rest of the metadata.  If this is desired presumably there
> would need to be some spec text supporting it.

You would just use a SAML Assertion in place of the Attribute in the
EntityAttributes extension, which also allows for other constraints on the
attribute (e.g. Audience).
 
> There has also been recent discussion of how to do this kind of thing in
> federations (or "federations") using protocols such as OpenID and WS-Trust
> (ie, Information Card) rather than SAML.  There may be a window of
> opportunity to achieve some commonality among the protocols for this
> stuff, which would be good.  Though perhaps if we really thought this
> would happen that might argue for this attribute being defined in its own
> doc, since the use of authncontext for sending LoA wouldn't apply to these
> other protocols.

I don't think that's a big deal. People reference SAML already without
necessarily meaning the whole spec.

-- Scott
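The two ways of carrying the certification that this exchange describes, as an added example that is not part of the thread: a relying party reads the proposed assurance-profile-certification attribute out of the EntityAttributes metadata extension, either as a plain saml:Attribute or inside a saml:Assertion whose AudienceRestriction scopes it, and only then honours the LoA an IdP sends via AuthnContext. The namespace URIs are the published SAML ones and the attribute name is the one proposed above; the entityIDs, profile URIs and federation audience are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# Added example, not from the thread: namespaces are the SAML ones, attribute name as proposed;
# entityIDs, profile URIs and the audience value are constructed placeholders.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CERT_ATTR = "urn:oasis:names:tc:SAML:assurance-profile-certification"
# Constructed metadata: idp-a certified by a plain saml:Attribute, idp-b by an audience-scoped saml:Assertion.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp-a.example.org"><md:Extensions>
  <mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:assurance-profile-certification">
    <saml:AttributeValue>urn:example:assurance:bronze</saml:AttributeValue>
   </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-b.example.org"><md:Extensions>
  <mdattr:EntityAttributes><saml:Assertion>
   <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:example:federation</saml:Audience></saml:AudienceRestriction></saml:Conditions>
   <saml:AttributeStatement>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:assurance-profile-certification">
     <saml:AttributeValue>urn:example:assurance:gold</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def certified_profiles(metadata_xml, entity_id, our_audience):
    """Profiles the metadata issuer (its signer) certifies for entity_id. Verify the
    metadata signature first; parse untrusted input with defusedxml, not ElementTree."""
    profiles = set()
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for ea in ed.iter(f"{{{NS['mdattr']}}}EntityAttributes"):
            for attr in ea.findall("saml:Attribute", NS):  # plain Attribute form
                if attr.get("Name") == CERT_ATTR:
                    profiles |= {v.text.strip() for v in attr.findall("saml:AttributeValue", NS)}
            for asn in ea.findall("saml:Assertion", NS):  # Assertion form, may be audience-scoped
                audiences = {a.text.strip() for a in asn.iterfind(".//saml:Audience", NS)}
                if audiences and our_audience not in audiences:
                    continue  # certification was issued for a different federation
                for attr in asn.iterfind(".//saml:Attribute", NS):
                    if attr.get("Name") == CERT_ATTR:
                        profiles |= {v.text.strip() for v in attr.findall("saml:AttributeValue", NS)}
    return profiles

def authn_context_is_certified(metadata_xml, entity_id, class_ref, our_audience):
    """Relying-party check: honour an LoA sent via AuthnContextClassRef only if certified."""
    return class_ref in certified_profiles(metadata_xml, entity_id, our_audience)
```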
