[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: Authenticator to Subject Confirmation renaming
Phill I'd like to keep SubjectConfirmation instead of just Confirmation, for purposes of explicitness and ease of understanding. I would revise your definitions: Authentication The process by which AN AUTHENTICATION ASSERTION ISSUER determines that the party purporting to be X is or is not in fact X where X may be a name or a psuedonym. Authentication is out of scope of SAML, but assertion of authentication by an authentication assertion issuer is in scope SubjectConfirmation The process by which AN ASSERTION'S RELYING PARTY determines that the party purporting to be the assertion's subject is in fact the assertion's subject. Subject confirmation is in scope of SAML, and is a means for an assertion's relying party to determine whether the issuer of the assertion has authorized the entity presenting the assertion to the relying party to function as its subject. --bob Bob Blakley (email: blakley@us.tivoli.com phone: +1 512 436 1564) Chief Scientist, Security and Privacy, Tivoli Systems, Inc. "Hallam-Baker, Phillip" <pbaker@verisign.com> on 08/21/2001 03:10:36 PM Please respond to "Hallam-Baker, Phillip" <pbaker@verisign.com> To: "'Tim Moses'" <tim.moses@entrust.com>, "Security-Services (E-mail)" <security-services@lists.oasis-open.org> cc: Subject: RE: Authenticator to Subject Confirmation renaming We discussed that in the call (or to be precise my perception is that we discussed it). Unfotch the message with the text went out after the document went out and not previously during the call as I intended. I did catch the bug Carlisle brought up. AuthenticationMethod is used in the Authentication assertion and in the SubjectConfirmationMethod while Subject ConfirmationData is only used in the SubjectConfirmation. We could move to simply 'ConfirmationMethod' in both places which I suspect would provide better for the Anonymous cases. Since confirmation is only something that is possible to a subject we might want to move from SubjectConfirmation to simply Confirmation. I think that the anonymity discussion is clarified by differentiating authentication and confirmation. Authentication The process by which we determine that the party purporting to be X is or is not in fact X where X may be a name or a psuedonym. Confirmation The process by which we determine that the party purporting to be a member of a set of Y of authorized users is or is not in fact a member. Authentication is one means of achieving confirmation Phill Phillip Hallam-Baker FBCS C.Eng. Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 -----Original Message----- From: Tim Moses [mailto:tim.moses@entrust.com] Sent: Tuesday, August 21, 2001 2:16 PM To: Security-Services (E-mail) Subject: RE: Authenticator to Subject Confirmation renaming Phill - I think this reflects the discussion on the call this afternoon. Except that, to be consistent, we should change "AuthenticationMethod" to "SubjectConfirmationMethod". The element that retains the term "authentication" is this one ... <xsd:complexType name="AuthenticationAssertionType"> <xsd:complexContent> <xsd:extension base="saml:SubjectAssertionAbstractType"> <xsd:sequence> <xsd:element ref="saml:AuthenticationCode"/> <xsd:element name="AuthenticationInstant" type="timeInstant"/> <xsd:element name="AuthenticationLocale" type ="saml:AuthenticationLocaleType" minOccurs="0"/> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> All the best. TIm. -----Original Message----- From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com] Sent: Tuesday, August 21, 2001 2:00 PM To: Security-Services (E-mail) Subject: Authenticator to Subject Confirmation renaming This is the new text: 1.1.1 Element <Subject> The <Subject> element specifies a party by any of the following means: * A name. * By information that allows the party to be authenticated. * By reference to another assertion or by containment of another assertion. If a <Subject> element contains more than one subject specification the issuer is asserting that all the subject specifications present specify the same subject. For example if both a <NameIdentifier> and a <Authenticator> element are present the issuer is asserting that the authentication data authenticates the party with the specified name. The following schema defines the <Subject> element: <element name="Subject" type="saml:SubjectType"/> <complexType name="SubjectType"> <choice maxOccurs="unbounded"> <element ref="saml:NameIdentifier" minOccurs="0" maxOccurs="unbounded"/> <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/> <element ref="saml:AssertionSpecifier" minOccurs="0" maxOccurs="unbounded"/> </choice> </complexType> 1.1.1.1 Element <SubjectConfirmation> The <SubjectConfirmation> element specifies a subject by specifying data that authenticates the subject. <AuthenticationMethod>[Any number] Each <Authentication> element specifies a URI that identify a protocol that may be used to authenticate the subject. <SubjectConfirmationData>[Optional] Each <SubjectConfirmationData> element specifies additional authentication information used by a specific authentication protocol. <ds:KeyInfo>[Optional] An XML Signature <ds:KeyInfo> element that specifies a cryptographic key held by the subject. URIs identifying common authentication protocols are specified in Section 4 . The following schema defines the <SubjectConfirmation> element: <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/> <complexType name="SubjectConfirmationType"> <sequence> <element ref="saml:AuthenticationMethod" maxOccurs="unbounded"/> <element name="SubjectConfirmationData" type="string" minOccurs="0"/> <element ref="ds:KeyInfo" minOccurs="0"/> </sequence> </complexType> Phillip Hallam-Baker FBCS C.Eng. Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 <<Phillip Hallam-Baker (E-mail).vcf>>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC