OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Credentials Collector proposal for SAML 2 .0...

Title: Credentials Collector proposal for SAML 2.0...


I like the proposal - good start!

Few comments/suggestions:

1. One interesting topic worth considering for the Discussion or Issues/Requirements section - protection/blinding of certain types of authenticators from CC in the CC-Translator scenario. In other words - in some deployments, where CC-Translator and AA are in separate security domains, it is often undesirable to reveal certain types of authenticators (static shared secrets, e.g. passwords) to CC-Translator. Such protection may not be needed for one-time passwords and challenge-response methods. I am not sure how to accomplish that - it could either non-standard (Type 2 protocol?) or out-of-SAML-scope topic, but nevertheless, I think, it is worthwhile pointing out this issue..

2. Using WS-Trust lingo - AA can be viewed as a Security Token Service (STS) with an interesting scenario of  AA/STS being WS-Trust Credential Validatior as it is described in WS-Trust spec. So, AA-Validator could possibly be another (fourth) deployment scenario where CC-Authenticator will invoke AA-Validator to validate certification path and/or cert revocation status, for example. Or this scenario could be hybridized with the CC-Authenticator scenario.

I also support your recommendation for Approach #3 - and RSA Security, as well as other co-authors of the spec strongly advocating submission of WS-Trust spec to standards organization.

Thank you,

Slava Kavsan

RSA Security

-----Original Message-----
From: Carlisle Adams [mailto:carlisle.adams@entrust.com]
Sent: Tuesday, March 11, 2003 2:16 PM
To: 'security-services@lists.oasis-open.org'
Subject: [security-services] Credentials Collector proposal for SAML 2.0...

Hi all,

I've finally gotten around to updating and filling out the Credentials Collector proposal.  I've tried to take into account the brief discussions a few of us have had so far on this topic.  Further comment/discussion is welcome, on the list and perhaps in an upcoming concall.


<<SAML Credentials Collector.doc>>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]