security-use message


Subject: RE: ISSUE[UC-5-01:AuthCProtocol]


Respectfully, I disagree with dropping of non-goals.  Explicitly stating
which requirements are out of scope serves many purposes.  The out-of-scope
requirements give us a clear stated direction to move forward for future
revisions, they prevent the "did you think about" questions, and they give a
complete picture of the landscape of the security arena.

Cheers,
Dave
 
> -----Original Message-----
> From: Edwards, Nigel [mailto:Nigel_Edwards@hp.com]
> Sent: Wednesday, February 07, 2001 9:40 AM
> To: 'security-use@lists.oasis-open.org'
> Subject: ISSUE[UC-5-01:AuthCProtocol]
> 
> 
> > ISSUE[UC-5-01:AuthCProtocol] Straw Man 1 explicitly makes
> > challenge-response authentication a non-goal. Is specifying which
> > types of authc are allowed and what protocols they can use necessary
> > for this document? If so, which types and which protocols?
> > 
> > 
> In my opinion it is better to drop the non-goal in favour of listing
> explicitly what is in scope.
> 
> I propose that we reuse much of the text from version 0.8a of the S2ML
> specification, section 2.1, except that we drop the third bullet point
> (it is too vague). This gives us the following.
> 
> <suggestedtext>
> 
> [R-SupportedAuthenticationModes]
>   *Server-authenticated SSL connections from browser to web server
>   *Password and user-certificate authentication from web browser
>   *Existing secure peer-to-peer programming infrastructure based
>    on SSL, S/MIME, and XML Signature [XML-SIG].
> 
> </suggestedtext>
> 
> In the last bullet listed above, I have changed "server-to-server" to
> "peer-to-peer".
> 
> The following bullet has been removed (I believe it to be too vague).
>  *Existing web server and related user authentication mechanisms
> 
> One question to which I don't have the answer, is should SASL 
> [RFC 2222] be mentioned?
> 
> Nigel.
> 
