Subject: Re: [security-services] Question on SAML V2.0 Identity Assurance Profiles, Version 1.0


I suggest you need to update your CS spec if you want to explicitly rule 
this out because your current text does not. In fact it appears to be 
general enough to allow for any assurance criteria which users wish to 
specify (which I would have thought is a good thing). Additionally

a) your schema allows multiple values and

b) your text implies it by stating " Multiple
values MAY be present."

Furthermore, whilst an AuthenticationContext might be singular wrt a 
URI, its semantics can be anything. So all this means is that we need to 
define a set of n*m URIs rather than n+m URIs. Inconvenient but not a 
show stopper.

thanks for your help

David

On 15/07/2011 18:44, Cantor, Scott E. wrote:
> On 7/15/11 1:40 PM, "David Chadwick"<d.w.chadwick@kent.ac.uk>  wrote:
>>
>> We have built a system which requires the LOA to be split into two
>> components, the registration LOA and the authentication/login LOA.
>>
>> I'd like to know if you have envisaged your CD to be used to represent
>> this.
>
> No, it's explicitly not allowable because the binding here is to
> AuthenticationContext classes, which are singular in assertions without
> getting into some edge cases.
>
>> So could I for example send this in the IDP's metadata
>
> No, because that's illegal syntactically. You can have multiple values,
> but they're in parallel, not linked.
>
>> Similarly we want to be able to send this dynamically in a SAML
>> assertion. I presume it would be admissible there as well?
>
> No.
>
> -- Scott
>
>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
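The n*m URI approach David settles on above, worked through as an added example (this is not code from the thread, from the OASIS TC, or from the Kent system). Because a SAML assertion carries a single AuthnContextClassRef and the metadata values are parallel rather than linked, the pairing of registration LOA and authentication LOA has to live inside each URI. The URI prefix `https://example.org/assurance/reg{reg}-authn{authn}`, the assertion and the metadata fragment are constructed for illustration; the entity attribute name used to advertise assurance URIs in IdP metadata is the one I understand the Identity Assurance Profile to use, and is an assumption here.

```python
"""Two-part level of assurance (registration LOA, authentication LOA) encoded
in one AuthnContextClassRef URI, with the SP-side decode and policy check.

Added example, not from the thread. The URI prefix, the assertion and the
metadata fragment below are constructed; the assurance attribute name is
assumed to be the one the Identity Assurance Profile defines."""
import re
import xml.etree.ElementTree as ET
from itertools import product

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}
# Hypothetical URI scheme for the combined levels (assumption).
PREFIX = "https://example.org/assurance/reg{reg}-authn{authn}"
URI_RE = re.compile(r"https://example\.org/assurance/reg(\d)-authn(\d)")
# Entity attribute advertising supported assurance URIs (assumed name).
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

REG_LEVELS = (1, 2, 3)     # n registration levels
AUTHN_LEVELS = (1, 2, 3)   # m authentication levels


def combined_uri(reg, authn):
    """One URI per (registration, authentication) pair."""
    return PREFIX.format(reg=reg, authn=authn)


def all_uris():
    """The n*m URI set the IdP has to define, rather than n+m separate ones."""
    return [combined_uri(r, a) for r, a in product(REG_LEVELS, AUTHN_LEVELS)]


def decode_uri(uri):
    """Split a combined URI back into (reg, authn); None if it is not ours."""
    m = URI_RE.fullmatch(uri)
    if m is None:
        return None
    reg, authn = int(m.group(1)), int(m.group(2))
    if reg not in REG_LEVELS or authn not in AUTHN_LEVELS:
        return None
    return reg, authn


def asserted_context(assertion_xml):
    """The single AuthnContextClassRef carried by an assertion."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/"
                    "saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def advertised_uris(metadata_xml):
    """All assurance URIs an IdP lists in metadata: parallel values, not linked."""
    root = ET.fromstring(metadata_xml)
    values = []
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            values += [v.text.strip()
                       for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return values


def meets_policy(uri, min_reg, min_authn, advertised):
    """SP check: the IdP advertises the URI and both components are high enough."""
    if uri not in advertised:
        return False
    parts = decode_uri(uri)
    if parts is None:
        return False
    reg, authn = parts
    return reg >= min_reg and authn >= min_authn


# Constructed sample assertion: registration level 2, authentication level 3.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2011-07-15T18:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2011-07-15T18:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://example.org/assurance/reg2-authn3</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample IdP metadata advertising two of the nine combined URIs.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.org/idp">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://example.org/assurance/reg2-authn2</saml:AttributeValue>
        <saml:AttributeValue>https://example.org/assurance/reg2-authn3</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    ctx = asserted_context(ASSERTION)
    print(len(all_uris()), "combined URIs;", ctx, "->", decode_uri(ctx))
    print("policy reg>=2, authn>=3:",
          meets_policy(ctx, 2, 3, advertised_uris(METADATA)))
```

The policy check deliberately rejects any URI the IdP does not advertise, so an IdP cannot be believed for a level it never claimed to issue. Two caveats a real SP would add before this code runs: verify the assertion's XML signature and trust the metadata's origin first, and parse with a hardened XML parser rather than `xml.etree` directly, since the stock parser is not safe against hostile input.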

