Subject: RE: [security-services] Groups - authentication-context.pdf uploaded
So why can't we extend the authentication method schema instead?

-----Original Message-----
From: Jeff Hodges [mailto:Jeff.Hodges@Sun.COM]
Sent: Tuesday, October 14, 2003 2:52 PM
To: firstname.lastname@example.org
Subject: Re: [security-services] Groups - authentication-context.pdf uploaded

Reid, Irving wrote:
>
> The way I look at it, the new Authn Context proposal is a workaround for the
> fact that we chose too restrictive a schema for the "authentication method"
> field in SAML 1.0.

correct.

> It's not being used to attest to the strength of the _assertion_; it's being
> used, in the context of a profile or set of terms-of-service agreed to by
> the asserting and relying parties, to convey more details about how the
> asserting party authenticated the subject.

correct.

> Said profile or terms-of-service can define a specific schema for the
> Authentication Context, and a concept of "strength of authentication" based
> on instances of that schema.

correct, /but/ we try very hard to not have a notion of "strength" in the spec itself, because "strength of authn is in the eye of the relying party (aka beholder)".

So, in the context of a trust circle or whatever you want to call it, there may be agreed-upon notions of "quality of authn", and particular expressions of said quality expressed via authn context components.

JeffH