security-services message



Subject: RE: ..the notorious bearer subject..



Evan - To my mind, anonymity and authentication method are separate issues.  It is possible for an anonymous individual to be strongly authenticated, not merely through possession of a bearer token.  On the other hand, it is possible for a uniquely-identifiable individual to be authenticated through a bearer token.

So, I think bearer tokens are only as applicable in the anonymous case as they are in all other cases.

Best regards.  Tim.

-----Original Message-----
From: Evan Prodromou [mailto:eprodromou@securant.com]
Sent: Monday, July 16, 2001 3:40 PM
To: security-services@lists.oasis-open.org
Subject: Re: ..the notorious bearer subject..


>>>>> "MP" == Mishra, Prateek <pmishra@netegrity.com> writes:

    MP> Bob, As part of crunching thru the third f2f whiteboard draft,
    MP> we find numerous references to "bearer" as one possibility for
    MP> the subject element in an assertion.

    MP> [...]
 
    MP> (2) Is this really required within SAML?  What use-case did
    MP> you have in mind?
 
Prateek,

It seems to me that "bearer" subjects would be important for anonymous
assertions.

One use case might be for anonymous Web browsing. The semantics would
be something like, "Yeah, that's one of my users, but you don't need
to know _exactly_ who it is."

Another use case might be for cryptographically bound assertions to
business payloads. For example,

        <some-business-xml>
          <order-amount>$10M</order-amount>
          <product>pencils</product>
          <AuthenticationDecisionAssertion>
            <Subject><Bearer /></Subject>
            <Action>Make Order</Action>
            <Object>$10M worth of pencils</Object>
          </AuthenticationDecisionAssertion>
        </some-business-xml>

The semantics here are, "I, PDP for company A, have decided that it's
quite OK for the creator of this business XML to make an order for
$10M worth of pencils. You don't need to know who did it, just fulfill
the order. So mote it be."

~ESP

--
Evan Prodromou, Senior Architect        eprodromou@securant.com
Securant Technologies, Inc.             415-856-9551
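The "cryptographically bound" bearer assertion Evan sketches above, worked through as an added example that is not part of the thread and not SAML's own schema or code: the assertion names no subject, so whoever presents the document bears it, and what keeps it from being reused on a different order is that the PDP's signature covers a digest of the business payload. HMAC-SHA256 with a PDP secret stands in for the XML Signature a real deployment would use; the issuer string, element names, key and the pencil order are assumptions.

```python
"""Added example (not from the OASIS thread): a bearer-subject assertion
cryptographically bound to the business payload it authorizes.

HMAC-SHA256 under a PDP secret stands in for XML Signature; the key,
issuer string and field names are assumptions for the demonstration."""

import hashlib
import hmac
import json

# Constructed PDP key (assumption: shared between the PDP and the fulfilment
# service; a real PDP would sign with a private key and publish the public one).
PDP_SECRET = b"company-A-pdp-demo-key"


def canonicalize(payload: dict) -> bytes:
    # Deterministic serialization so issuer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def payload_digest(payload: dict) -> str:
    return hashlib.sha256(canonicalize(payload)).hexdigest()


def issue_bearer_assertion(pdp_key: bytes, issuer: str, action: str, payload: dict) -> dict:
    """PDP for `issuer` decides the bearer may perform `action` on exactly this payload."""
    body = {
        "Issuer": issuer,
        "Subject": "Bearer",                # deliberately no identity
        "Action": action,
        "Object": payload_digest(payload),  # binds the decision to these bytes
    }
    sig = hmac.new(pdp_key, canonicalize(body), hashlib.sha256).hexdigest()
    return {"Body": body, "Signature": sig}


def verify_bound_assertion(pdp_key: bytes, document: dict, expected_action: str) -> bool:
    """Fulfilment-side check: PDP signature valid AND digest matches the carried payload."""
    assertion = document["Assertion"]
    body = assertion["Body"]
    expected_sig = hmac.new(pdp_key, canonicalize(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["Signature"]):
        return False
    if body["Subject"] != "Bearer" or body["Action"] != expected_action:
        return False
    return hmac.compare_digest(body["Object"], payload_digest(document["Payload"]))


def build_order_document(payload: dict) -> dict:
    assertion = issue_bearer_assertion(PDP_SECRET, "PDP for company A", "Make Order", payload)
    return {"Payload": payload, "Assertion": assertion}


# Constructed sample input: the pencil order from the thread.
ORDER = {"order-amount": "$10M", "product": "pencils"}


def demo() -> tuple:
    """Returns (genuine accepted, replay on other payload accepted, forgery accepted)."""
    doc = build_order_document(ORDER)
    ok = verify_bound_assertion(PDP_SECRET, doc, "Make Order")

    # Replay: a bearer lifts the assertion onto a different order; digest no longer matches.
    tampered = {"Payload": {"order-amount": "$10M", "product": "ergonomic chairs"},
                "Assertion": doc["Assertion"]}
    replayed = verify_bound_assertion(PDP_SECRET, tampered, "Make Order")

    # Forgery: an assertion produced without the PDP key fails the signature check.
    forged = build_order_document(ORDER)
    forged["Assertion"]["Signature"] = "0" * 64
    forged_ok = verify_bound_assertion(PDP_SECRET, forged, "Make Order")
    return ok, replayed, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The caveat a practitioner would add: binding to the payload stops the assertion from authorizing a different order, but it does not stop anyone who captures the document from submitting the identical order again, so a fulfilment service would also want an assertion identifier and validity window to reject replays of the same bytes.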

