Subject: Re: [security-services] Proposed Enhancement for Dynamic Attribute Queries
Hi Leif

On 26/03/2012 13:52, Leif Johansson wrote:
On 03/26/2012 02:21 PM, Rainer Hoerbe wrote:

Another approach was defined by STORK in the extension element <stork:RequestedAttribute> to the AuthnRequest, which could use the existing message type (see Document D5.8.2b <https://www.eid-stork.eu/index.php?option=com_processes&Itemid=&act=streamDocument&did=1387> section 6.1.4.8.1). What would be the benefit of a new message type? Wouldn't an extension of AuthnRequest be less invasive for existing IdPs?

That makes attribute requirements something the IdP has to deal with for each transaction. I think that approach is bound to fail, especially since attribute requirements are usually something you have to negotiate between the SP, IdP and the federation operator. This isn't something that can change so often as to warrant an in-protocol flow.
So why is the feature in the attribute request message? And has been there from v1 of SAML?
If you have a model of an all-attribute-providing IdP, and an SP that offers multiple services with different authz requirements, then you need a feature such as this.
David
Cheers
Leif
--
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5