RE: [security-services] authentication context

[<Frederick.Hirsch@nokia.com>]

Hi Michael

Yes, the recipient should decide the quality of authentication, but to do so may need more information than just that an authentication assertion. For example, the quality of SSL client authentication with X.509 certificates includes the quality of due diligence at certificate issuance time, the means used to protect the private key  and other factors. The authentication context provides a means to provide such information, allowing better decisions to be possible. Thus, it provides additional context for an authentication assertion.

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones

-----Original Message-----
From: ext Michael McIntosh [mailto:mikemci@us.ibm.com]
Sent: Tuesday, October 14, 2003 10:30 PM
To: Hirsch Frederick (NMP-MSW/Boston)
Cc: security-services@lists.oasis-open.org
Subject: Re: [security-services] authentication context

Hi Frederick,

I was unable to attend the F2F referenced in your message. I am trying to understand the "context" of the Authentication Context proposal.
Isn't one of the main points of authentication assertions the ability to allow the recipient to decide for themselves what the quality of the authentication is?

Thanks,
Michael McIntosh
Java and Web Services Security Group
Security, Privacy and Cryptography Department
Thomas J. Watson Research Center
IBM Corporation

<Frederick.Hirsch@nokia.com> 09/09/2003 05:55 PM

To:        <security-services@lists.oasis-open.org>         cc:                 Subject:        [security-services] authentication context

Enclosed are the slides on authentication context presented at the F2F today.

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones



To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.

#### authentication-context.pdf has been removed from this note on October 14, 2003 by Michael McIntosh