Subject: Re: [dss] Call for claimed identity scenarios


At 01:28 PM 11/3/2003 -0500, Rich Salz wrote:

>I think that ClaimedIdentity is misleading.  Or I don't understand the 
>proposed semantics.
>
>I believe the intent is to indicate that a role-based key should be used to 
>perform the signature, rather than the default key associated with the 
>authenticated client.  In other words, while I might authenticate as "Ken 
>Lay" I will be signing the auditor's report using the "corporate officer" key.

The requirement for this came out of the f2f meeting.  The idea, like you 
suggest, was that the client's authentication identity may not be enough to 
tell the server who he is, or what role he is operating under.

But the server may use this "claimed identity" to determine more than just 
which key to sign with.  For example, the requirements doc says:
"""
3.5.3   Claimed Identity
  - The identity or role asserted by the client.
The server may use this to determine signature contents, processing steps, 
the value of the Requestor Identity element, which key to use, etc..
"""

The wd-04 schema just has this as a string:
<xs:element name="ClaimedIdentity" type="xs:string"/>


Maybe it needs to be more complex.  Still, I'm not in favor of extending 
this to support authentication, by sending SAML tokens or Kerberos tickets 
or whatnot.  I think those should be handled by a lower level, and 
<ClaimedIdentity> should just be used to clarify or supply additional 
context to this lower-level authentication.


Trevor
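The design point in this exchange, that <ClaimedIdentity> supplies context for an authentication that already happened at a lower layer and never replaces it, can be shown as a small server-side check. The code below is an added example, not code from the thread or from the OASIS DSS specification. It assumes a minimal request document with a top-level <SignRequest> carrying the wd-04 string-typed <ClaimedIdentity>, assumes the transport layer has already produced the authenticated client name, and uses constructed sample tables for which clients may assert which roles and which key handle each role maps to.

```python
"""Added example (not from the thread or the OASIS DSS spec): a server that
treats <ClaimedIdentity> as extra context layered on top of a separately
authenticated client identity, never as authentication by itself.

Assumed, not taken from the page: the <SignRequest> wrapper element, the
hypothetical client names, roles and key handles below, and the policy tables.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: which authenticated clients may assert which roles.
ROLE_AUTHORIZATION = {
    "klay": {"corporate-officer", "employee"},
    "jsmith": {"employee"},
}

# Constructed sample key table: role -> signing key handle (placeholder names).
ROLE_KEYS = {
    "corporate-officer": "key:corporate-officer-2003",
    "employee": "key:employee-default",
}

# Constructed sample default keys, used when no role is claimed.
CLIENT_DEFAULT_KEYS = {
    "klay": "key:klay-personal",
    "jsmith": "key:jsmith-personal",
}


@dataclass
class SigningDecision:
    allowed: bool
    key_handle: Optional[str]
    requestor_identity: Optional[str]
    reason: str


def parse_claimed_identity(request_xml: str) -> Optional[str]:
    """Return the text of <ClaimedIdentity>, or None if it is absent or blank."""
    root = ET.fromstring(request_xml)
    elem = root.find("ClaimedIdentity")
    if elem is None or elem.text is None:
        return None
    return elem.text.strip() or None


def decide(authenticated_client: Optional[str], request_xml: str) -> SigningDecision:
    """Authorize against the authenticated client; the claimed identity only
    selects a role (and hence a key and a Requestor Identity value) that this
    client is permitted to use."""
    if authenticated_client is None:
        # A claimed identity never substitutes for lower-level authentication.
        return SigningDecision(False, None, None, "client not authenticated")

    claimed = parse_claimed_identity(request_xml)
    if claimed is None:
        # No claim: sign with the default key associated with the client.
        return SigningDecision(
            True,
            CLIENT_DEFAULT_KEYS[authenticated_client],
            authenticated_client,
            "no claimed identity; default key",
        )

    permitted = ROLE_AUTHORIZATION.get(authenticated_client, set())
    if claimed not in permitted or claimed not in ROLE_KEYS:
        # The string is only a claim; the server decides whether it holds.
        return SigningDecision(
            False, None, None, f"{authenticated_client} may not act as {claimed}"
        )

    # Claim accepted: it shapes the key choice and the Requestor Identity
    # value, as 3.5.3 of the requirements document allows.
    return SigningDecision(
        True,
        ROLE_KEYS[claimed],
        f"{authenticated_client} as {claimed}",
        "claimed role authorized",
    )


if __name__ == "__main__":
    # Constructed sample request carrying a claimed role.
    sample = (
        "<SignRequest>"
        "<ClaimedIdentity>corporate-officer</ClaimedIdentity>"
        "</SignRequest>"
    )
    print(decide("klay", sample))
    print(decide("jsmith", sample))
    print(decide(None, sample))
```

The check keeps the two layers separate: the transport or message-level mechanism (whatever sits "below" the DSS request) establishes who the client is, and the server consults its own policy before letting the claimed role influence which key signs or what the Requestor Identity element says. A client that authenticates but asserts a role it has not been granted is refused rather than silently given the default key.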
