security-services message
Subject: Definitions: authentication, etc.


Colleagues - Clear definition of some key concepts is impeding progress in the Assertions and Protocols sub-committees.  For that reason, I offer these definitions as candidate entries for the Glossary.

Credential - A data structure that contains at least one attribute (e.g. a name or entitlement) of a Principal.  It may, in addition, contain information (such as a password digest or public key) by which the Principal can demonstrate that it is the subject of the credential.  (Note: the current Glossary defines "credential" in terms of what it "is used for", not what it "is".   So, I think the definition presented here is more useful for our purposes).

Credential verification - The process of verifying that a specific Principal is the subject of a specific credential.
Authentication - Authentication is identical to credential verification.  (Note: the current Glossary defines "authentication" only in terms of "identity".  The current sentiment in the Assertions group seems to be to downplay the distinction between "name" and any other attribute of a Principal.  Therefore, we need a term that applies only to verifying a credential.  We could redefine "authentication" to serve this role, or use the term "credential verification" instead.  I don't have strong views on this choice).

Credential issuance - The process of creating and making available a credential.
Credential translation - Credential translation is a two-step process, involving credential verification and credential issuance.  Both the verified and issued credentials must apply to the same Principal.  But, the attributes in each credential may be different.

By way of explanation, the Authorities and PDP in SAML perform credential translation, which includes a credential verification (or authentication) step.  The PEP performs only a credential verification (or authentication) step: authenticating the response from the PDP.  No element of the SAML model performs only a credential issuance step.

Best regards.  Tim.

---------------------------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
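As an added illustration of the four definitions proposed above (not part of Tim's post or of any SAML implementation), the following Python models a credential as an attribute set plus a password-digest proof, and shows credential translation as verification followed by issuance for the same Principal with different attributes. The HMAC issuer binding, the PDP/PEP walk-through in demo(), and all names, secrets and keys are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed illustration of the four definitions; names and keys are invented.
@dataclass
class Credential:
    principal: str
    attributes: dict
    proof: str = ""       # e.g. a password digest the Principal can demonstrate
    issuer_tag: str = ""  # HMAC over principal + attributes, set at issuance

def _canon(cred):
    return json.dumps({"p": cred.principal, "a": cred.attributes}, sort_keys=True).encode()

def verify_credential(cred, secret=None, issuer_key=None):
    """Credential verification: is this Principal the subject of this credential?"""
    if secret is not None:  # Principal demonstrates knowledge of the proof
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(digest, cred.proof):
            return False
    if issuer_key is not None:  # relying party checks the issuer's binding
        tag = hmac.new(issuer_key, _canon(cred), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, cred.issuer_tag):
            return False
    return True

def issue_credential(principal, attributes, issuer_key):
    """Credential issuance: create a credential and bind it to the issuer."""
    cred = Credential(principal, dict(attributes))
    cred.issuer_tag = hmac.new(issuer_key, _canon(cred), hashlib.sha256).hexdigest()
    return cred

def translate_credential(cred, secret, new_attributes, issuer_key):
    """Credential translation: verification, then issuance for the same Principal."""
    if not verify_credential(cred, secret=secret):
        return None  # no issuance without a successful verification step
    return issue_credential(cred.principal, new_attributes, issuer_key)

def demo():
    """PDP-style translation, then a PEP-style check of what the PDP issued."""
    key = b"constructed-issuer-key"
    login = Credential("alice", {"name": "alice"},
                       proof=hashlib.sha256(b"correct horse").hexdigest())
    rejected = translate_credential(login, "wrong", {"role": "reader"}, key)
    issued = translate_credential(login, "correct horse", {"role": "reader"}, key)
    pep_ok = verify_credential(issued, issuer_key=key)
    forged = Credential("alice", {"role": "admin"}, issuer_tag=issued.issuer_tag)
    return rejected is None, issued.attributes, pep_ok, verify_credential(forged, issuer_key=key)
```

The demo returns (True, {'role': 'reader'}, True, False): a wrong secret blocks issuance, a correct one yields a credential with new attributes for the same Principal, the PEP accepts it, and altering its attributes breaks the issuer binding.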