OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Credentials-collector use-cases

Tim, all,

I think this is an important extension direction for SAML, making its scope
more comprehensive to incorporate authentication processes in addition to
reporting on their results.  One point, on terminology: at least for me, the
phrase "credential collector" doesn't seem evocative of the core function of
validating an entity's authenticity, and instead suggests some sort of
caching entity.  Would it be clarifying to refer to the authentication
authority's role in this process as that of "credential acceptor", and the
intermediary (if present) as "credential forwarder"? 

In item 1 of the use cases, is formation of some authentication token
actually optional on the first round?  If no token is generated, it wouldn't
seem that it could be sent in the following step (whether directly or by
forwarding), and so the authentication authority won't know that it should
initiate an authentication sequence from its side.  We could speak in terms
of having the system entity transfer an empty token as a form of request,
but is this a necessary special case? 

In use case 1, item 4, and similarly at use case 2, item 5, suggest changing
"token is an authentication assertion" to "token may contain an
authentication assertion"; it may still prove necessary to incorporate some
framing conveying a control channel for the iterated authentication
exchange, distinguishing a completed (un)successful authentication exchange
from one still in progress.  I suspect that there's a broader related issue
with use case 2's intermediary; I don't think it should necessarily be
required (or, with some mechanisms, even possible) for the intermediary to
interpret the inner contents of the tokens it forwards in order to determine
whether they imply success, failure, or need for further continuation. 


-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Tuesday, September 30, 2003 4:45 PM
To: 'OASIS Security Services group'
Subject: [security-services] Credentials-collector use-cases

Colleagues - Here is draft one of the credentials-collector use-case
document.  Comments welcomed.  All the best.  Tim.

Tim Moses

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]