OASIS Mailing List Archives
security-services message
Subject: RE: [security-services] ISSUE: core-27: Should AuthenticationMethods and ConfirmationMethods be listed in the same subsection?

> ...and we have (line 1550) "7.1. Confirmation Method Identifiers" containing a
> list of ostensible authentication protocols -- but *are they* ??
>
> For example, "sender vouches" is a confirmation method invented in the SAML
> context and is not a well-known authentication method/mechanism. The same is
> true for "SAML Artifact".
>
> It may be reasonable to keep all these items together in one list if each item
> is explicitly identified whether it is an AuthenticationMethod, a
> ConfirmationMethod, or both. Otherwise, we should have separate lists.

I think they should be split into two lists and in fact use different identifiers.

In addition to the points made by Jeff:

Even when they appear to be the same, they may not be. For example, authentication via Kerberos may be done in several ways, all of which involve the use of a long-term secret and result in the issuance of a ticket-granting ticket. Subject confirmation using Kerberos is based on a session key contained in a service ticket. They are as much alike as Barney Franks and Fenway Franks.

Even when an X.509 cert is used, the exact mechanism (SSL, DSig, application-defined challenge) may differ between initial AuthN and later confirmation.

Hal
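The distinction Hal draws above (how the subject authenticated to the issuer versus how the presenter proves it may use the assertion) is easiest to see in a relying party that evaluates the two facts separately. The following is an added example, not code from the thread or from OASIS. It assumes the identifier URIs that ended up in the published SAML 1.x specification (sections 7.1 and 7.1.1, which this message predates, and which did adopt distinct `am:` and `cm:` namespaces), and the assertion text is constructed here for illustration.

```python
"""Relying-party check treating AuthenticationMethod and ConfirmationMethod as
two independent identifier spaces. Added example; assumptions are marked."""

import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Authentication-method identifiers: how the subject proved its identity to the
# issuer. (Assumption: values as published in SAML 1.x section 7.1.)
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_KERBEROS = "urn:ietf:rfc:1510"          # long-term secret -> TGT at the IdP
AM_X509_PKI = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
AUTHENTICATION_METHODS = {AM_PASSWORD, AM_KERBEROS, AM_X509_PKI}

# Confirmation-method identifiers: how a presenter proves it may use the
# assertion. (Assumption: values as published in SAML 1.x section 7.1.1.)
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
CM_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"
CONFIRMATION_METHODS = {CM_HOLDER_OF_KEY, CM_SENDER_VOUCHES, CM_ARTIFACT}

# Constructed sample (not a captured assertion): the subject authenticated to
# the IdP with Kerberos, while the assertion itself is confirmed holder-of-key
# (the presenter must prove possession of a key). Two facts, two identifiers.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="_constructed-example"
    Issuer="https://idp.example.test" IssueInstant="2001-07-01T00:00:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:ietf:rfc:1510"
      AuthenticationInstant="2001-07-01T00:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>alice@EXAMPLE.TEST</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Same assertion with a confirmation-method URI misused as the authentication
# method; a single shared list would make this mix-up invisible.
CROSSED_ASSERTION = SAMPLE_ASSERTION.replace(
    'AuthenticationMethod="urn:ietf:rfc:1510"',
    f'AuthenticationMethod="{CM_SENDER_VOUCHES}"')


def classify(uri):
    """Which identifier space a URI belongs to. Unknown URIs are tolerated
    because both lists are extensible, but a known URI must not change roles."""
    if uri in AUTHENTICATION_METHODS:
        return "authentication"
    if uri in CONFIRMATION_METHODS:
        return "confirmation"
    return "unknown"


def extract_methods(assertion_xml):
    """Return (authentication_method, [confirmation_methods]) from the first
    AuthenticationStatement; raise ValueError on missing or crossed values."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("no AuthenticationStatement")
    am = stmt.get("AuthenticationMethod")
    if not am:
        raise ValueError("AuthenticationStatement lacks AuthenticationMethod")
    if classify(am) == "confirmation":
        raise ValueError(f"{am} is a confirmation method, not an authentication method")
    path = "saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod"
    cms = [e.text.strip() for e in stmt.findall(path, NS) if e.text]
    if not cms:
        raise ValueError("Subject lacks ConfirmationMethod")
    for cm in cms:
        if classify(cm) == "authentication":
            raise ValueError(f"{cm} is an authentication method, not a confirmation method")
    return am, cms


def relying_party_decision(assertion_xml, accepted_am, accepted_cm):
    """Evaluate the two facts independently; return (accepted, reason)."""
    try:
        am, cms = extract_methods(assertion_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed assertion: {exc}"
    if am not in accepted_am:
        return False, f"authentication method {am} not accepted"
    if not any(cm in accepted_cm for cm in cms):
        return False, "no acceptable confirmation method"
    return True, "accepted"
```

Accepting Kerberos as the authentication method says only that the subject once held a long-term secret and obtained a ticket; it says nothing about whether the party presenting the assertion now holds any key. Only the confirmation method (here holder-of-key) makes that claim, which is why the policy above consults two separate sets and why a known `cm:` URI in the `AuthenticationMethod` attribute is rejected outright.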

