Subject: RE: [security-services] Changes to fix text for "AuthenticationMethod" attribute.


Rob -
1. Your changes look fine to me.
2. I decided to add a new PE for the changes in section 7.1. It is cleaner this way.

Jahan

----------------
Jahan Moreh
Chief Security Architect
310.286.3070

> -----Original Message-----
> From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
> Sent: Tuesday, May 13, 2003 2:48 PM
> To: 'security-services@lists.oasis-open.org'
> Subject: [security-services] Changes to fix text for
> "AuthenticationMethod" attribute.
>
>
> Hi folks...
>
> Note that in addition to the changes in section 3.3.3 (AuthenticationQuery)
> we discussed on today's call, the changes to fix the AuthenticationMethod
> attribute issue also impacted section 7.1.  Could folks please carefully
> review the text and let me know if I've screwed anything up?
>
> Jahan - in the errata, please also mention the impact on section 7.1.
>
> Section 3.3.3: Core draft 10 lines 1114-1128 are currently:
> ------------------------------------------
> This element is of type AuthenticationQueryType, which extends
> SubjectQueryAbstractType with the addition of the following element:
>
> <AuthenticationMethod> [Optional]
>
> A filter for possible responses. If it is present, the query made is "What
> assertions containing authentication statements do you have for this subject
> with the supplied authentication method?"
>
> In response to an authentication query, a SAML authority returns assertions
> with authentication statements as follows:
> *	Rules given in Section 3.4.4 for matching against the <Subject>
> element of the query identify the assertions that may be returned.
> *	If the <AuthenticationMethod> element is present in the query, at
> least one <AuthenticationMethod> element in the set of returned assertions
> MUST match. It is OPTIONAL for the complete set of all such matching
> assertions to be returned in the response.
> *	If any <RespondWith> elements are present and none of them contain
> "saml:AuthenticationStatement", then the SAML authority returns no
> assertions with authentication statements. (See Section 3.2.1.1 for more
> information.)
> ------------------------------------------
> I've replaced the -10 text with:
> ------------------------------------------
> This element is of type AuthenticationQueryType, which extends
> SubjectQueryAbstractType with the addition of the following attribute:
>
> AuthenticationMethod [Optional]
>
> If present, specifies a filter for possible responses. Such a query asks the
> question "What assertions containing authentication statements do you have
> for this subject with the supplied authentication method?"
>
> In response to an authentication query, a SAML authority returns assertions
> with authentication statements as follows:
> *	Rules given in Section 3.4.4 for matching against the <Subject>
> element of the query identify the assertions that may be returned.
> *	If the AuthenticationMethod attribute is present in the query, at
> least one <AuthenticationStatement> element in the set of returned
> assertions MUST contain an AuthenticationMethod attribute that matches the
> AuthenticationMethod attribute in the query. It is OPTIONAL for the complete
> set of all such matching assertions to be returned in the response.
> *	If any <RespondWith> elements are present and none of them contain
> "saml:AuthenticationStatement", then the SAML authority returns no
> assertions with authentication statements. (See Section 3.2.1.1 for more
> information.)
> ------------------------------------------
>
> Also... Section 7.1 referred to AuthenticationMethod as an element.  So I've
> taken the editorial privilege to adjust that section as well even though we
> did not discuss it on the con-call.  Please let me know of objections or
> suggested changes.
>
> The core draft 10 spec from lines 1826-1833 contained:
> ------------------------------------------
> 7.1 Authentication Method Identifiers
>
> The <AuthenticationMethod> and <SubjectConfirmationMethod> elements perform
> different functions, although both can refer to the same underlying
> mechanisms. <AuthenticationMethod> is a part of an authentication statement,
> which describes an authentication act that occurred in the past. The
> <AuthenticationMethod> element indicates how that authentication was done.
> Note that the authentication statement does not provide the means to perform
> that authentication, such as a password, key, or certificate.
>
> In contrast, <SubjectConfirmationMethod> is a part of the
> <SubjectConfirmation> element,
> ...
> ------------------------------------------
> I have changed this to:
> ------------------------------------------
> 7.1 Authentication Method Identifiers
>
> The AuthenticationMethod attribute of an <AuthenticationStatement> and the
> <SubjectConfirmationMethod> element of a SAML subject perform different
> functions, although both can refer to the same underlying mechanisms. An
> authentication statement with an AuthenticationMethod attribute describes an
> authentication act that occurred in the past. The AuthenticationMethod
> attribute indicates how that authentication was done. Note that the
> authentication statement does not provide the means to perform that
> authentication, such as a password, key, or certificate.
>
> In contrast, <SubjectConfirmationMethod> is a part of the
> <SubjectConfirmation> element,
> ...
> ------------------------------------------
>
>
> Rob Philpott
> RSA Security Inc.
> The Most Trusted Name in e-Security
> Tel: 781-515-7115
> Mobile: 617-510-0893
> Fax: 781-515-7020
> mailto:rphilpott@rsasecurity.com
>
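As an added illustration (not part of the original message or of the SAML specification text it quotes), here are the three matching rules of the revised section 3.3.3 applied to a constructed store of SAML 1.x assertions, with the query's AuthenticationMethod treated as an attribute filter on each <AuthenticationStatement>. The Section 3.4.4 subject-matching rule is simplified to an exact NameIdentifier comparison; the store contents are made up for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

# Constructed sample store of assertions held by a SAML authority
# (illustrative data only, not taken from the specification or the thread).
STORE_XML = f"""<Store xmlns="{SAML}">
  <Assertion AssertionID="a1"><AuthenticationStatement AuthenticationMethod="{AM_PASSWORD}">
    <Subject><NameIdentifier>alice</NameIdentifier></Subject></AuthenticationStatement></Assertion>
  <Assertion AssertionID="a2"><AuthenticationStatement AuthenticationMethod="{AM_X509}">
    <Subject><NameIdentifier>alice</NameIdentifier></Subject></AuthenticationStatement></Assertion>
  <Assertion AssertionID="a3"><AuthenticationStatement AuthenticationMethod="{AM_PASSWORD}">
    <Subject><NameIdentifier>bob</NameIdentifier></Subject></AuthenticationStatement></Assertion>
</Store>"""
STORE = ET.fromstring(STORE_XML)


def answer_authentication_query(subject, auth_method=None, respond_with=(), store=STORE):
    """Return the AssertionIDs a SAML authority may return for an
    <AuthenticationQuery>, following the three rules of the revised 3.3.3."""
    # Rule 3: <RespondWith> elements are present but none names
    # saml:AuthenticationStatement, so no assertions with authentication
    # statements are returned at all.
    if respond_with and "saml:AuthenticationStatement" not in respond_with:
        return []
    matched = []
    for assertion in store.findall("saml:Assertion", NS):
        stmts = assertion.findall("saml:AuthenticationStatement", NS)
        # Rule 1: subject matching (Section 3.4.4), simplified here to an
        # exact NameIdentifier comparison.
        stmts = [s for s in stmts
                 if s.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) == subject]
        # Rule 2: the query's AuthenticationMethod attribute filters on the
        # statement's AuthenticationMethod attribute (an attribute, not an
        # element, after this change). Returning every match satisfies the
        # "at least one MUST match" requirement.
        if auth_method is not None:
            stmts = [s for s in stmts if s.get("AuthenticationMethod") == auth_method]
        if stmts:
            matched.append(assertion.get("AssertionID"))
    return matched
```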