Subject: Re: [security-services] Do we want to add some discussion text for "Authenticated context"


Irving et al.,

>As a general point, perhaps we need some discussion of "Authenticated
>context". That is, if a SAML object (assertion, request or response) is
>received as part of some larger message or connection, authentication
>information from that context MAY apply to the assertion.

Hmmm... it depends.  If the intent of authentication in the wider protocol
is simply to authenticate the identity of the sender, then the information
probably does NOT apply.

If the intent of authentication is to establish the integrity of the message,
then... hmmm... you should feel less strongly the need for subject confirmation
at a minimum.

If the intent of authentication is to establish that the sender expresses some
intent related to the assertion and the contents of the message, then as you
say the authentication information MAY apply to the assertion (and to the
message).

>Examples of such
>authentication information include digital signatures on enveloping messages
>and SSL authentication on connections. It is the responsibility of the SAML
>binding or profile for a particular protocol to define how authentication
>information from that protocol applies to the SAML data.

I think it's the responsibility of the binding or profile -- NOT the core.

--bob

Bob Blakley (email: blakley@us.ibm.com   phone: +1 512 436 1564   fax: +1 512 436 1919)
Chief Scientist, Security and Privacy, Tivoli Systems, Inc.
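The three cases in the reply above, worked through as an added example that is not code from the thread or from the SAML specification. Everything in it is constructed for illustration: the party names, the keystore, a JSON object standing in for a SAML assertion, and HMAC standing in for an XML Signature or a TLS client-certificate check so that the block runs with the standard library only. The rule "the signer of the envelope is the assertion's issuer" is this example's own approximation of Bob's third case (the sender expressing intent about the assertion); a real binding or profile would have to define that relationship explicitly.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed keystore: party name -> verification key. HMAC is a stand-in for
# a digital signature (or a certificate check) purely so the example is
# self-contained; it is not how a SAML binding verifies anything.
KEYS = {
    "idp.example": b"idp-signing-key",          # the assertion issuer
    "gateway.example": b"gateway-signing-key",  # an intermediary that relays
}


def sign(party: str, data: bytes) -> str:
    """Stand-in for 'party signs data'."""
    return hmac.new(KEYS[party], data, hashlib.sha256).hexdigest()


def verify(party: str, data: bytes, sig: str) -> bool:
    """Stand-in for 'check that party's signature over data is valid'."""
    if party not in KEYS:
        return False
    return hmac.compare_digest(sign(party, data), sig)


@dataclass
class Envelope:
    body: bytes                     # enveloping message that carries the assertion
    transport_peer: Optional[str]   # party authenticated on the connection, None if anonymous
    signer: Optional[str] = None    # party whose signature covers body, if any
    signature: Optional[str] = None


def assess(env: Envelope) -> dict:
    """What does the enveloping context's authentication say about the assertion?

    Mirrors the three cases in the reply:
      1. authentication that only identifies the sender (the transport peer)
         does not transfer to the assertion;
      2. a signature over the whole envelope establishes the assertion's
         integrity in transit, nothing more;
      3. a signature by the assertion's own issuer (this example's reading of
         'the sender expresses intent related to the assertion') means the
         authentication applies to the assertion itself.
    An envelope that claims a signature which does not verify is rejected.
    """
    assertion = json.loads(env.body)["assertion"]
    result = {
        "sender_identified": env.transport_peer is not None,
        "integrity_established": False,
        "issuer_intent_established": False,
    }
    if env.signer is not None and env.signature is not None:
        if not verify(env.signer, env.body, env.signature):
            raise ValueError("envelope signature does not verify")
        result["integrity_established"] = True
        if env.signer == assertion["issuer"]:
            result["issuer_intent_established"] = True
    return result


def build_body(issuer: str, subject: str) -> bytes:
    """Constructed stand-in for a message carrying one SAML assertion."""
    return json.dumps({"assertion": {"issuer": issuer, "subject": subject}}).encode()


# Three constructed envelopes carrying the same assertion.
BODY = build_body("idp.example", "alice")
TRANSPORT_ONLY = Envelope(BODY, transport_peer="gateway.example")
GATEWAY_SIGNED = Envelope(BODY, "gateway.example", "gateway.example",
                          sign("gateway.example", BODY))
ISSUER_SIGNED = Envelope(BODY, "gateway.example", "idp.example",
                         sign("idp.example", BODY))

if __name__ == "__main__":
    for name, env in [("transport only", TRANSPORT_ONLY),
                      ("gateway signed", GATEWAY_SIGNED),
                      ("issuer signed", ISSUER_SIGNED)]:
        print(f"{name:15s} {assess(env)}")
```

Only the third envelope lets the relying party treat the issuer as having vouched for the assertion; the first two still leave it needing the assertion's own signature and subject confirmation, which is the binding-level decision the thread is asking where to document.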


Irving Reid <Irving.Reid@baltimore.com> on 10/30/2001 10:21:40 AM

To:   "'security-services@lists.oasis-open.org'"
      <security-services@lists.oasis-open.org>
cc:
Subject:  [security-services] Do we want to add some discussion text for "Authenticated context"



As a general point, perhaps we need some discussion of "Authenticated
context". That is, if a SAML object (assertion, request or response) is
received as part of some larger message or connection, authentication
information from that context MAY apply to the assertion. Examples of such
authentication information include digital signatures on enveloping messages
and SSL authentication on connections. It is the responsibility of the SAML
binding or profile for a particular protocol to define how authentication
information from that protocol applies to the SAML data.

I'm inclined to think that this discussion belongs in the Core, since all
uses of SAML might want to refer to it.

 - irving -

