OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] Groups - draft-sstc-nameid-05.pdf uploaded


Item 1:
The document uses the terms "identity provider" and "authentication authority".  Only "identity provider" is defined in the Definitions section, and the definition refers to providing "Principal authentication".  I am not clear whether or not these are used interchangeably or are intended to specifically reference different services.

Item 2:
The document specifically states that federations "must" be explicitly consented to by the user.  I understand the implications if the "must" changes to a "should", but I am mulling a consideration inside the enterprise as follows:  The motivation of SSO inside an enterprise is to reduce costs by reducing account maintenance activities (which in turn is accomplished through reduction in the number of accounts and reduction in the number of password resets required).  In that case, allowing the user to choose not to federate accounts may well go against the cost motive of the enterprise (not always bad motives).  Assuming the enterprise will honor necessary privacy considerations and desire maintaining at least some degree of user satisfaction, it seems this would be a case where the enterprise may legitimately not allow for user opt-out.  I realize this would open the door to potentially inappropriate forced federation.

Affiliations would seem to be a means to address this internal enterprise need.  The disadvantage I see is it would force enterprise internal service providers to all adopt the same identity for the user.  Given the myriad of legacy systems in a large enterprise, synchronization of identities among systems is not always possible.

Do I understand this correctly?


-----Original Message-----
From: cantor.2@osu.edu [mailto:cantor.2@osu.edu]
Sent: Monday, October 27, 2003 6:42 PM
To: security-services@lists.oasis-open.org
Subject: [security-services] Groups - draft-sstc-nameid-05.pdf uploaded

The document draft-sstc-nameid-05.pdf has been submitted by Scott Cantor
(cantor.2@osu.edu) to the OASIS Security Services TC document

Document Description:
Schema revisions, added glossary section.

Download Document:  

View Document Details:
