Subject: re: [dss] Call for claimed identity scenarios
At 10:38 AM 11/4/2003 +0000, Nick Pope wrote:

>I agree that we do not want to define new mechanisms. I was more thinking
>that if a DSS server required to use one of the existing authentication
>mechanisms (Kerberos, SAML, Liberty ...) for authenticating its users which
>is stronger than what is generally required for user login to web services this
>can be supported.

But authenticating with a Kerberos ticket or SAML assertion is more than just sending it to the server. For example, a SAML Assertion may be like a certificate - it may have a public key in it, and the subject has to prove that it possesses the private key. Similarly with Kerberos, there's cryptography that has to happen. So I don't think it's as simple as just transmitting these things in <ClaimedIdentity>.

However, underlying protocols like WSS and TLS have considered how to support various authentication methods, so I think we should just rely on them. For example, there's WSS work on using passwords, and X.509 certificates, and SAML assertions, and Kerberos tickets, and there's work on using TLS with X.509, PGP, Kerberos, and SRP. I think our profiles should be able to find anything they need there.

Trevor
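The distinction drawn in the message above, between transmitting a token and proving possession of the key bound to it, shown as an added example that is not part of the original post and is not the DSS, SAML or Kerberos wire format. It assumes a simplified symmetric scheme in which the issuer and server share `ISSUER_SERVER_KEY` and the holder key is derived with HMAC; all names and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: key shared by the token issuer and the server (constructed value).
ISSUER_SERVER_KEY = secrets.token_bytes(32)


def _mac(key, *parts):
    # Length-prefix each part so different field splits never produce the same input.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_token(subject):
    """Issuer: return (token sent on the wire, holder key given only to the subject)."""
    nonce = secrets.token_bytes(16)
    token = {"subject": subject, "nonce": nonce}
    token["tag"] = _mac(ISSUER_SERVER_KEY, b"token", subject.encode(), nonce)
    holder_key = _mac(ISSUER_SERVER_KEY, b"holder", subject.encode(), nonce)
    return token, holder_key


def token_is_authentic(token):
    expected = _mac(ISSUER_SERVER_KEY, b"token", token["subject"].encode(), token["nonce"])
    return hmac.compare_digest(expected, token["tag"])


def accept_bearer(token):
    """Weak: anyone who transmits a genuine token is treated as its subject."""
    return token_is_authentic(token)


def prove_possession(holder_key, challenge, request):
    """Client: bind the server's fresh challenge and this request to the holder key."""
    return _mac(holder_key, b"proof", challenge, request)


def accept_with_proof(token, challenge, request, proof):
    """Server: the token must be genuine and the sender must know the holder key."""
    if not token_is_authentic(token):
        return False
    # The server re-derives the holder key; it never travels with the token.
    holder_key = _mac(ISSUER_SERVER_KEY, b"holder", token["subject"].encode(), token["nonce"])
    return hmac.compare_digest(proof, prove_possession(holder_key, challenge, request))
```

A party that has only observed the token passes `accept_bearer` but cannot produce a proof that `accept_with_proof` accepts, and a proof recorded for one challenge fails against the next.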