Subject: RE: [security-services] comments on bindings-model-14
I will look into the WORD problem. Looks like I may have to abandon (obsolete) Word 97 and move on...

>> 1. although the sections are numbered in the TOC, sections are unnumbered in the
>> document body. A Word problem? Anyone else see this or is it just me?

The proposed text sounds good to me. I don't see a problem with a lack of "password" subject confirmation as no such concept is involved in the example.

Text for Section 5:
-------------------------------
[SAMLcore] defines <SubjectConfirmationMethod> as part of the <SubjectConfirmation> element. The <SubjectConfirmation> element SHOULD be used by the Relying Party to confirm that the request or message came from the System Entity that corresponds to the Subject in the statement. The <SubjectConfirmationMethod> indicates the specific method which the Relying Party should use to make this judgement. This may or may not have any relationship to an authentication that was performed previously. Unlike the Authentication Method, the <SubjectConfirmationMethod> will usually be accompanied with some piece of information, such as a certificate or key, which will allow the Relying Party to perform the necessary check.

It is anticipated that profiles and bindings will define and use several different values for <SubjectConfirmationMethod>, each corresponding to a different SAML usage scenario. Some examples are:

1. A user logs in with a password, and a temporary passcode or signed cookie is issued and used for confirmation purposes to avoid repeated exposure of the long term password.

2. There is no login, but an application request includes SAML assertions and is digitally signed. The associated public key is used for confirmation.

>> 2. wrt "Confirmation Method Identifiers" section
>>
>> It's lacking introduction text. I suggest we leverage the text Hal wrote that
>> appeared in core-28...
>>
>> ---------------------------------------
>>
>> <SubjectConfirmationMethod> is a part of the <SubjectConfirmation>, which is used to allow the Relying Party to confirm that the request or message came from the System Entity that corresponds to the Subject in the statement. The <SubjectConfirmationMethod> indicates the method which the Relying Party can use to do this in the future. This may or may not have any relationship to an authentication that was performed previously. Unlike the Authentication Method, the <SubjectConfirmationMethod> will usually be accompanied with some piece of information, such as a certificate or key, which will allow the Relying Party to perform the necessary check.
>>
>> There are many <SubjectConfirmationMethod>, because there are many different SAML usage scenarios. A few examples are:
>>
>> 1. A user logs in with a password, but a temporary passcode or cookie is issued for confirmation purposes to avoid repeated exposure of the long term password.
>>
>> 2. There is no login, but an application request is digitally signed. The associated public key is used for confirmation.
>>
>> ---------------------------------------
>>
>> It needs at least a reference to [SAMLCore] in the first sentence, and perhaps the first example needs redo because we don't have a password confirmation method at this point.
>>
>> I'd change the first "many" in the second paragraph to "several", and "few" to "couple" as appropriate.
>>
>> JeffH
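The relying-party side of the proposed Section 5 text, as an added example that is not part of the thread, the draft, or any SAML implementation. It shows the point the text makes: the <SubjectConfirmationMethod> names a concrete check, and the assertion carries the piece of information (a passcode or a public key) that lets the Relying Party perform it, covering both scenarios in the proposed text. Everything in it is constructed: the method identifiers use a urn:example: prefix because the thread is still deciding the real ones, the XML namespace and the <SubjectConfirmationData> element are made up, the "public key" check is textbook RSA with fixed primes standing in for a real signature scheme, and the temporary passcode is an HMAC tag over the subject name with a secret the Relying Party is assumed to share with the issuer.

```python
"""Relying-party handling of <SubjectConfirmation> (constructed example)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:example:saml:assertion"}  # constructed namespace

# Scenario 1: the user logged in with a password once; the issuer handed out a
# temporary passcode = HMAC(issuer secret, subject). The relying party is
# assumed to share that secret, so it recomputes the tag and the long-term
# password never has to be sent again.
ISSUER_SECRET = b"constructed-issuer-secret"


def issue_passcode(subject: str) -> str:
    return hmac.new(ISSUER_SECRET, subject.encode(), hashlib.sha256).hexdigest()


def confirm_by_passcode(subject: str, data: str, request: bytes, signature: Optional[int]) -> bool:
    # The confirming information (the passcode) travels inside the assertion.
    return hmac.compare_digest(issue_passcode(subject), data)


# Scenario 2: no login; the application request is signed and the assertion
# carries the public key to verify it with. Toy RSA (fixed Mersenne primes,
# no padding) stands in for a real signature scheme; never use it as one.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest_mod(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_request(request: bytes, d: int = D, n: int = N) -> int:
    return pow(_digest_mod(request, n), d, n)


def confirm_by_signature(subject: str, data: str, request: bytes, signature: Optional[int]) -> bool:
    if signature is None:
        return False
    n, e = (int(part) for part in data.split(":"))  # constructed "n:e" key format
    return pow(signature, e, n) == _digest_mod(request, n)


# Each method identifier maps to exactly one check. An identifier the relying
# party does not know yields a rejection rather than a guess.
CONFIRMATION_METHODS = {
    "urn:example:cm:temporary-passcode": confirm_by_passcode,
    "urn:example:cm:signed-request": confirm_by_signature,
}


def confirm_subject(assertion_xml: str, request: bytes, signature: Optional[int]) -> bool:
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if subject is None or conf is None:
        return False  # nothing to confirm with
    method = conf.findtext("saml:SubjectConfirmationMethod", namespaces=NS) or ""
    data = (conf.findtext("saml:SubjectConfirmationData", namespaces=NS) or "").strip()
    check = CONFIRMATION_METHODS.get(method)
    if check is None:
        return False
    return check(subject, data, request, signature)


def build_assertion(subject: str, method: str, data: str) -> str:
    # Hand-written assertion in the shape the thread discusses (constructed).
    return (
        '<Assertion xmlns="urn:example:saml:assertion">'
        f"<Subject><NameIdentifier>{subject}</NameIdentifier>"
        "<SubjectConfirmation>"
        f"<SubjectConfirmationMethod>{method}</SubjectConfirmationMethod>"
        f"<SubjectConfirmationData>{data}</SubjectConfirmationData>"
        "</SubjectConfirmation></Subject></Assertion>"
    )


def demo() -> dict:
    request = b"GET /orders/42 HTTP/1.0"  # constructed application request
    passcode = build_assertion("alice", "urn:example:cm:temporary-passcode", issue_passcode("alice"))
    forged = build_assertion("alice", "urn:example:cm:temporary-passcode", "0" * 64)
    signed = build_assertion("svc-orders", "urn:example:cm:signed-request", f"{N}:{E}")
    unknown = build_assertion("bob", "urn:example:cm:not-defined", "")
    sig = sign_request(request)
    return {
        "passcode_ok": confirm_subject(passcode, request, None),
        "passcode_forged": confirm_subject(forged, request, None),
        "signature_ok": confirm_subject(signed, request, sig),
        "signature_tampered": confirm_subject(signed, request + b"\n", sig),
        "unknown_method": confirm_subject(unknown, request, None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The dispatch table is the practical consequence of the text's last sentence: because profiles and bindings will keep defining new identifiers, the Relying Party keeps an explicit list of the methods it can actually perform and rejects anything else, instead of falling back to whatever authentication happened earlier.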