imi message

Subject: Re: [imi] Clarifications to the spec to discuss for our call on Thursday
I like the idea of the value in the RST being referred to as the ClientPseudonym to distinguish it from the PPID, which is the value the IP/STS sends.

I have always thought "audit mode" was an odd term, and probably not indicative of what it is used for in the majority of circumstances. I suspect however that changing it to "Audience Restricted" or some such would be more confusing at this point.

=jbradley
On 8-Jan-09, at 12:43 PM, Michael McIntosh wrote:

> Mike Jones <Michael.Jones@microsoft.com> wrote on 01/07/2009 09:52:23 PM:
>
> > John Bradley, imi@lists.oasis-open.org
> >
> > 01/07/2009 09:52 PM
> >
> > OK, based on a private discussion on this topic with John, I'm going
> > to suggest that we change the language "The IP/STS MAY use this
> > value as-is or as an input seed to a custom function to derive a
> > value for the PPID claim" to "The IP/STS SHOULD combine this PPID
> > seed value with constant information known to the IP/STS and pass
> > the combination through a cryptographically non-invertible function,
> > such as a cryptographic hash function, to generate the PPID claim
> > value sent in the signed token".
>
> Two things...
>
> 1. I've always had trouble with using the term "audit mode" for
> cards where the IdP wants knowledge of the RP identity. I can think
> of many reasons why an IdP might want to know the RP identity that
> are not limited to audit/record-keeping.
>
> 2. I think part of the problem with this discussion is that we keep
> using the term PPID when we mean ClientPseudonym. The
> ClientPseudonym is typically used by an IdP in the computation of a
> PPID - and as John points out, a poorly implemented IdP might use
> the identity function for that computation, but calling them the
> same thing increases that probability.
>

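Editor's added example, not code from this thread or from any Information Card implementation: the two PPID derivations the quoted text contrasts, side by side. The "identity function" case hands the ClientPseudonym seed from the RST straight through as the PPID claim; the proposed SHOULD combines the seed with constant information held by the IP/STS and passes it through a non-invertible function. Assumptions not stated on the page: the IP/STS constant is a long-lived secret key, the non-invertible function is HMAC-SHA256, the PPID claim is base64-encoded, and the seed values and RP names are constructed.

```python
"""Added example (not from the imi thread or any IMI implementation):
contrast the 'identity function' PPID derivation the thread warns about
with the hashed derivation the proposed spec language describes.

Assumptions (not on the page): the IP/STS "constant information" is a
32-byte secret key it holds, the non-invertible function is HMAC-SHA256,
and the PPID claim is base64-encoded. All sample values are constructed.
"""
import base64
import hashlib
import hmac

# Constructed ClientPseudonym seeds as a client might place them in an RST:
# one per relying party, so the IP/STS sees a different seed for each RP.
SEEDS = {
    "https://rp-a.example": b"7b2a5f1e2d6c4b9a8f0e1d2c3b4a5968",
    "https://rp-b.example": b"c4d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5",
}

# Constructed IP/STS-held constant (assumption: a 32-byte secret key).
IDP_CONSTANT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def derive_ppid_identity(client_pseudonym: bytes) -> str:
    """The 'poorly implemented IdP' case: the PPID claim is the
    ClientPseudonym seed passed through unchanged, so the RP receives
    exactly the value the client put in the RST."""
    return base64.b64encode(client_pseudonym).decode("ascii")


def derive_ppid_hashed(client_pseudonym: bytes, idp_constant: bytes) -> str:
    """The proposed SHOULD: combine the seed with constant information known
    only to the IP/STS and pass the combination through a non-invertible
    function. HMAC-SHA256 keyed with the IdP constant is used here (an
    assumption, not mandated by the quoted text). The result is stable for
    a given seed and constant, so an RP sees the same PPID on every login,
    and it changes if either the seed or the IdP constant changes."""
    mac = hmac.new(idp_constant, client_pseudonym, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def seed_recoverable_from_ppid(ppid: str, client_pseudonym: bytes) -> bool:
    """Does the PPID claim carry the seed verbatim? True for the identity
    derivation, False for the hashed one."""
    return base64.b64decode(ppid) == client_pseudonym


def ppid_report(seeds=SEEDS, idp_constant=IDP_CONSTANT) -> dict:
    """Derive both PPID variants for every RP and flag which leak the seed."""
    out = {}
    for rp, seed in seeds.items():
        weak = derive_ppid_identity(seed)
        strong = derive_ppid_hashed(seed, idp_constant)
        out[rp] = {
            "identity_ppid": weak,
            "hashed_ppid": strong,
            "identity_leaks_seed": seed_recoverable_from_ppid(weak, seed),
            "hashed_leaks_seed": seed_recoverable_from_ppid(strong, seed),
        }
    return out


if __name__ == "__main__":
    for rp, row in ppid_report().items():
        print(rp)
        for key, value in row.items():
            print(f"  {key}: {value}")
```

Run it and the identity rows show the seed round-tripping into the PPID unchanged, while the hashed rows do not; the same seed with a different IdP constant yields a different PPID, which is the property that keeps an RP from computing the claim from the RST value alone.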