security-services message
Subject: Re: [security-services] Proposed Enhancement for Dynamic Attribute Queries


Hi Leif

On 26/03/2012 13:52, Leif Johansson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/26/2012 02:21 PM, Rainer Hoerbe wrote:
Another approach was defined by STORK in the extension element
<stork:RequestedAttribute>  to the AuthnRequest that could use the
existing message type. (see Document D5.8.2b
<https://www.eid-stork.eu/index.php?option=com_processes&Itemid=&act=streamDocument&did=1387>
section 6.1.4.8.1).

What would be the benefit of a new message type? Wouldn't an
extension of AuthnRequest be less invasive for existing IdPs?


That makes attribute requirements something the IdP has to deal
with for each transaction. I think that approach is bound to fail,
especially since attribute requirements are usually something you
have to negotiate between the SP, IdP and the federation operator.

This isn't something that can change so often as to warrant an
in-protocol flow.

So why is the feature in the attribute request message? And why has it been there since v1 of SAML?

If you have a model of an all-attribute-providing IdP, and an SP that offers multiple services with different authz requirements, then you need a feature such as this.

David

Cheers Leif

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9wZnMACgkQ8Jx8FtbMZnd1OwCgsQXbon0ifQX2Q1v1C8wjOxtr
g4UAn3SrytfpGlzVIkapVSDFAVwND9lN
=GCOz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: security-services-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: security-services-help@lists.oasis-open.org



--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
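The two message shapes the thread compares, the existing AttributeQuery that names the attributes it wants and an AuthnRequest carrying STORK-style RequestedAttribute extensions, can be handled by one piece of IdP-side code. The example below is added here and is not code from the thread, from OASIS or from the STORK project. The SAML 2.0 namespaces are the standard ones; the STORK namespace URI, the stork:RequestedAttributes wrapper and the isRequired flag are assumptions modelled on md:RequestedAttribute from SAML metadata. The entity IDs, release policy and subject attributes are constructed sample data. The point it illustrates is Leif's: whatever the SP asks for in-protocol, release is decided by the policy negotiated with the federation, so the request can only narrow, never widen, what the IdP sends.

```python
"""Requested-attribute handling for the two SAML 2.0 message shapes in the thread.

Added example, not code from the thread, from OASIS or from STORK.  The SAML 2.0
namespaces are standard; the STORK namespace URI, the <stork:RequestedAttributes>
wrapper and the isRequired flag are assumptions modelled on md:RequestedAttribute
from SAML metadata.  Release policy, entity IDs and subject attributes are
constructed sample data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STORK = "urn:eu:stork:names:tc:STORK:1.0:assertion"  # assumed namespace URI

MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed sample 1: the existing AttributeQuery message naming the attributes wanted.
ATTRIBUTE_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_aq1" Version="2.0" IssueInstant="2012-03-26T14:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>abc123</saml:NameID></saml:Subject>
  <saml:Attribute Name="{MAIL}"/>
  <saml:Attribute Name="{ENTITLEMENT}"/>
</samlp:AttributeQuery>"""

# Constructed sample 2: an AuthnRequest carrying STORK-style RequestedAttribute extensions.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:stork="{STORK}"
    ID="_ar1" Version="2.0" IssueInstant="2012-03-26T14:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:Extensions>
    <stork:RequestedAttributes>
      <stork:RequestedAttribute Name="{MAIL}" isRequired="true"/>
      <stork:RequestedAttribute Name="{AFFILIATION}" isRequired="false"/>
    </stork:RequestedAttributes>
  </samlp:Extensions>
</samlp:AuthnRequest>"""

# Constructed IdP release policy: per SP, the attributes the federation agreement permits.
RELEASE_POLICY = {"https://sp.example.org/shibboleth": {MAIL, EPPN}}

# Constructed attributes the IdP holds for the authenticated subject.
SUBJECT_ATTRIBUTES = {MAIL: "alice@example.edu", EPPN: "alice@example.edu", AFFILIATION: "member"}


@dataclass
class AttributeRequest:
    issuer: str
    attributes: dict = field(default_factory=dict)  # attribute name -> required?
    all_attributes: bool = False  # AttributeQuery with no saml:Attribute means "everything"


def _name(el):
    name = el.get("Name")
    if not name:
        raise ValueError(f"{el.tag} without Name")
    return name


def parse_attribute_request(xml_text):
    """Return the attributes an SP asked for, from either message shape.

    Call only after the message signature has been verified and the signer
    matched against saml:Issuer; an unauthenticated Issuer would let any
    caller borrow another SP's release policy.  ElementTree does not limit
    entity expansion, so put defusedxml in front of this in production.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if not issuer:
        raise ValueError("missing saml:Issuer")
    req = AttributeRequest(issuer=issuer)
    if root.tag == f"{{{SAMLP}}}AttributeQuery":
        attrs = root.findall(f"{{{SAML}}}Attribute")
        req.all_attributes = not attrs
        for a in attrs:
            # SAML core lets the responder omit attributes it will not release,
            # so nothing named in an AttributeQuery is mandatory.
            req.attributes[_name(a)] = False
    elif root.tag == f"{{{SAMLP}}}AuthnRequest":
        path = f"{{{SAMLP}}}Extensions/{{{STORK}}}RequestedAttributes/{{{STORK}}}RequestedAttribute"
        for a in root.iterfind(path):
            req.attributes[_name(a)] = a.get("isRequired", "false").lower() == "true"
    else:
        raise ValueError(f"unsupported message {root.tag}")
    return req


def attributes_to_release(req, available):
    """Intersect the request with IdP policy; the SP's wish list never widens release."""
    allowed = RELEASE_POLICY.get(req.issuer, set())
    wanted = set(available) if req.all_attributes else set(req.attributes)
    released = {n: available[n] for n in wanted & allowed if n in available}
    unmet = sorted(n for n, required in req.attributes.items() if required and n not in released)
    if unmet:
        # The SP declared these mandatory; answer with an error rather than a partial assertion.
        raise PermissionError(f"required attributes not releasable to {req.issuer}: {unmet}")
    return released


if __name__ == "__main__":
    for doc in (ATTRIBUTE_QUERY, AUTHN_REQUEST):
        req = parse_attribute_request(doc)
        print(req.issuer, attributes_to_release(req, SUBJECT_ATTRIBUTES))
```

Two behaviours are worth noting. An AttributeQuery that names no attributes asks for everything, which the code resolves against the policy rather than the SP's wish; and a RequestedAttribute flagged isRequired that policy does not permit produces an error instead of a partial assertion, since silently dropping it would leave the SP believing it was authorised on data it never received.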