Subject: re: [dss] Call for claimed identity scenarios


At 10:38 AM 11/4/2003 +0000, Nick Pope wrote:

>I agree that we do not want to define new mechanisms.  I was more thinking
>that if a DSS server is required to use one of the existing authentication
>mechanisms (Kerberos, SAML, Liberty ...) for authenticating its users, which
>is stronger than what is generally required for user login to web services, this
>can be supported.

But authenticating with a Kerberos ticket or SAML assertion is more than 
just sending it to the server.  For example, a SAML Assertion may be like a 
certificate - it may have a public key in it, and the subject has to prove 
that it possesses the private key.  Similarly with Kerberos, there's 
cryptography that has to happen.

So I don't think it's as simple as just transmitting these things in 
<ClaimedIdentity>.  However, underlying protocols like WSS and TLS have 
considered how to support various authentication methods, so I think we 
should just rely on them.

For example, there's WSS work on using passwords, and X.509 certificates, 
and SAML assertions, and Kerberos tickets, and there's work on using TLS 
with X.509, PGP, Kerberos, and SRP.  I think our profiles should be able to 
find anything they need there.

Trevor
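Added example (Go), not part of this thread or of any DSS, SAML or WSS specification: it models the point made above, that merely transmitting an assertion in <ClaimedIdentity> is not authentication when the assertion carries the subject's public key. The server must first check the issuer's signature over the assertion, then check a proof of possession made with the subject's private key over this specific request. For contrast it also shows the bearer case, where the bytes alone are accepted and therefore replayable by anyone who captured them. The JSON stand-in for a SAML assertion, the field names, the "dss-pop-v1" proof encoding and the use of Ed25519 are all illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is a deliberately minimal stand-in for a SAML assertion (JSON here,
// field names are assumptions): who issued it, whom it is about, and how the
// subject must be confirmed. For holder-of-key it carries the subject's public
// key, much like a certificate does.
type Assertion struct {
	Issuer     string `json:"issuer"`
	Subject    string `json:"subject"`
	Method     string `json:"method"`     // "holder-of-key" or "bearer"
	SubjectKey []byte `json:"subjectKey"` // Ed25519 public key; holder-of-key only
}

// Request is what a client would carry in <ClaimedIdentity> plus the payload
// the DSS server is being asked to act on.
type Request struct {
	Assertion []byte // encoded Assertion
	IssuerSig []byte // issuer's signature over Assertion
	Payload   []byte // the request being authenticated
	Proof     []byte // subject's signature over (Assertion, Payload); empty for bearer
}

var (
	ErrIssuerSig = errors.New("assertion not signed by a trusted issuer")
	ErrNoProof   = errors.New("holder-of-key assertion sent without proof of possession")
	ErrProof     = errors.New("proof of possession does not verify under the subject key")
)

// IssueAssertion is the identity provider's step: encode and sign the assertion.
func IssueAssertion(issuerPriv ed25519.PrivateKey, a Assertion) ([]byte, []byte) {
	enc, err := json.Marshal(a) // struct field order makes this deterministic
	if err != nil {
		panic(err)
	}
	return enc, ed25519.Sign(issuerPriv, enc)
}

// proofInput binds the proof to the assertion AND this particular payload,
// length-prefixed so the two cannot be re-split; a captured proof therefore
// cannot be replayed against a different request.
func proofInput(assertion, payload []byte) []byte {
	var n [4]byte
	buf := []byte("dss-pop-v1") // assumed domain-separation tag
	binary.BigEndian.PutUint32(n[:], uint32(len(assertion)))
	buf = append(append(buf, n[:]...), assertion...)
	binary.BigEndian.PutUint32(n[:], uint32(len(payload)))
	return append(append(buf, n[:]...), payload...)
}

// MakeRequest is the client's step. Only a client holding subjectPriv can add
// the proof; pass nil to model a party that merely captured the assertion.
func MakeRequest(assertion, issuerSig, payload []byte, subjectPriv ed25519.PrivateKey) Request {
	r := Request{Assertion: assertion, IssuerSig: issuerSig, Payload: payload}
	if subjectPriv != nil {
		r.Proof = ed25519.Sign(subjectPriv, proofInput(assertion, payload))
	}
	return r
}

// VerifyRequest is the DSS server's step: returns the authenticated subject name.
func VerifyRequest(trustedIssuer ed25519.PublicKey, r Request) (string, error) {
	if !ed25519.Verify(trustedIssuer, r.Assertion, r.IssuerSig) {
		return "", ErrIssuerSig
	}
	var a Assertion
	if err := json.Unmarshal(r.Assertion, &a); err != nil {
		return "", err
	}
	switch a.Method {
	case "bearer":
		// Possession of the bytes is the whole check: anyone who saw them wins.
		return a.Subject, nil
	case "holder-of-key":
		if len(a.SubjectKey) != ed25519.PublicKeySize { // ed25519.Verify panics otherwise
			return "", errors.New("malformed subject key in assertion")
		}
		if len(r.Proof) == 0 {
			return "", ErrNoProof
		}
		if !ed25519.Verify(ed25519.PublicKey(a.SubjectKey), proofInput(r.Assertion, r.Payload), r.Proof) {
			return "", ErrProof
		}
		return a.Subject, nil
	default:
		return "", fmt.Errorf("unsupported confirmation method %q", a.Method)
	}
}

func main() {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	a, sig := IssueAssertion(issPriv, Assertion{Issuer: "idp", Subject: "alice", Method: "holder-of-key", SubjectKey: subPub})
	doc := []byte("SignRequest: document-1") // constructed sample payload
	_, withKey := VerifyRequest(issPub, MakeRequest(a, sig, doc, subPriv))
	_, noKey := VerifyRequest(issPub, MakeRequest(a, sig, doc, nil))
	fmt.Printf("holder with key: %v\nassertion bytes alone: %v\n", withKey, noKey)
}
```

The design choice worth noting is that the proof signs the request payload together with the assertion, not the assertion alone; signing only the assertion would let an eavesdropper replay one captured proof on arbitrary requests. This is exactly the kind of binding that WSS (via signed message parts) and TLS (via the handshake transcript) already provide, which is the reason given above for relying on those layers rather than inventing it inside <ClaimedIdentity>.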