[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Groups - authentication-context.pdf uploaded
Anthony, I can only speak on behalf of the mobile folks, but find below a simple use case example for Authentication Context. > >Frederick, > >Some questions: > >(1) What is the requirement driving the Authentication Context There are a number of business use cases that drove the development of this specification, most of those use cases came from the companies that are users of a solution, not from product vendors. For mobile space, the three mobile profiles (Contract, DigitalID and Unregistered) were authored and contributed by the three mobile operators who are members in Liberty. A simple use case could be: A Service Provider having a business relationship with Mobile Operator A, has an end user accessing their service which requires both authentication and a low value payment (let's say < 5 USD, for a Java Game). The SP has a business agreement with Operator A which states that for any customer of Operator A which is postpaid, Operator will guarantee the transaction up to 5 USD, for any customer of Operator A which is prepaid (unknown to operator A), SP has to do an online payment transaction before delivering the service, since operator A doesn't "guarantee" the payment, i.e. there needs to be money on the prepaid account for the transaction to complete. In this scenario, it is essential for the SP to know if the end user and customer of Operator A is either Mobile Contract = postpaid = payment "guaranteed" by operator A Mobile Unregistered = prepaid, no "guarantee" by operator A This enables SP to make the right business decision and execute the transaction properly. >? Is it just tightly wrapped with the Liberty work that it can't be separated ? No it's not, it has been explicitly designed so that it can be separated.... It's addressing real business needs of a number of customers. The example above is just on of the many business use cases related to authentication context. >(2) What is the value of the Authentication Context, seems >like its just metadata that has no validity ? Seems like its being used to >attest to the strength of the assertion somehow ? Strength of an assertion is subjective and a business decision, authentication context simply allows one to request a certain authentication mechanism and then to be informed what mechanism was actually used. Any other semantics are related to the business model used within a specific transaction. -Timo
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]