Subject: RE: [security-services] proposed addition to loa-authncontext doc re certified assurance
RL 'Bob' Morgan wrote on 2009-05-27:
> The proposed method would take advantage of the ability to add attributes
> to entities in metadata as specified in the metadata-attr draft. An
> attribute name would be defined, perhaps:
>
> urn:oasis:names:tc:SAML:assurance-profile-certification
>
> and that attribute can be added to IdP entities in metadata with values
> that indicate the assurance profiles that that entity can assert via
> loa-authncontext. The party that is stating the certification is the
> issuer (signer) of the metadata containing that entity.

We may want to say less rather than more about "the basis for accepting attributes in metadata", or perhaps add some non-normative discussion about that to the EntityAttributes draft rather than here.

> In discussions about this I think there has been some interest in having
> the ability for the attribute in the metadata be signed independently of
> the rest of the metadata. If this is desired presumably there
> would need to be some spec text supporting it.

You would just use a SAML Assertion in place of the Attribute in the EntityAttributes extension, which also allows for other constraints on the attribute (e.g. Audience).

> There has also been recent discussion of how to do this kind of thing in
> federations (or "federations") using protocols such as OpenID and WS-Trust
> (i.e., Information Card) rather than SAML. There may be a window of
> opportunity to achieve some commonality among the protocols for this
> stuff, which would be good. Though perhaps if we really thought this
> would happen that might argue for this attribute being defined in its own
> doc, since the use of authncontext for sending LoA wouldn't apply to these
> other protocols.

I don't think that's a big deal. People reference SAML already without necessarily meaning the whole spec.

-- Scott
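The consuming side of what the thread describes, as an added example that is not code from the thread, the metadata-attr draft, or any project: a relying party reads the proposed certification attribute out of an IdP's EntityAttributes extension and uses it to decide whether an AuthnContextClassRef the IdP asserted is one the metadata issuer has certified it for. The attribute name is the one Bob proposes above (not necessarily the one finally registered); the entity IDs, profile URIs and the metadata document are constructed sample data. The example assumes the metadata's signature was verified before this runs, since the signer of the metadata is the party making the certification; the signed-Assertion form Scott mentions is not handled here because validating it needs XML Signature processing.

```python
"""Check which assurance profiles an IdP is certified for, from SAML metadata.

Added example (not from the thread or any project). Assumptions:
  - the metadata was fetched and its signature verified already;
  - the certification attribute carries the name proposed in the thread;
  - entity IDs and profile URIs below are constructed sample values.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name as proposed in the thread (assumption: may differ from the final spec).
CERT_ATTR = "urn:oasis:names:tc:SAML:assurance-profile-certification"

# Constructed sample metadata: one IdP certified for two hypothetical profiles,
# one IdP with no certification attribute at all.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="https://federation.example.org/metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:assurance-profile-certification"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://federation.example.org/assurance/silver</saml:AttributeValue>
          <saml:AttributeValue>https://federation.example.org/assurance/bronze</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def certified_profiles(metadata_xml, entity_id, attr_name=CERT_ATTR):
    """Return the frozenset of profile URIs the metadata certifies entity_id for.

    Returns an empty frozenset when the entity is present but carries no such
    attribute, and None when the entity is not in the metadata at all, so the
    caller can tell "not certified" from "unknown entity".
    Only the plain saml:Attribute form of EntityAttributes is read; a
    saml:Assertion inside EntityAttributes would need its own signature
    verification before its values could be trusted.
    """
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        values = set()
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            if attr.get("Name") != attr_name:
                continue
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    values.add(value.text.strip())
        return frozenset(values)
    return None


def accept_authn_context(metadata_xml, entity_id, authn_context_class_ref):
    """Accept an asserted LoA only if the metadata issuer certified the IdP for it.

    An IdP that is unknown, or known but uncertified, is rejected: the
    AuthnContextClassRef alone is just the IdP's own claim about itself.
    """
    certs = certified_profiles(metadata_xml, entity_id)
    if not certs:
        return False
    return authn_context_class_ref in certs


if __name__ == "__main__":
    idp = "https://idp.example.org/idp"
    print(sorted(certified_profiles(SAMPLE_METADATA, idp)))
    print(accept_authn_context(SAMPLE_METADATA, idp,
                               "https://federation.example.org/assurance/silver"))
```

The distinction between `None` and an empty set matters operationally: a relying party that wants to fail closed treats both as "do not trust the asserted level", but logging them differently makes a missing entity (stale metadata, wrong federation) easy to tell apart from an IdP the federation simply has not certified.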