Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> I see what you're saying - that maybe the relying party maybe doesn't
> care whether Krb was used to validate the authentication - although I
> believe Polar did mention a use-case for marking the Principal as being
> untrusted if they choose to use their password in this way, so maybe the
> information *is* useful :)

Yeah, I think the point is that people differ in their opinions on this, and when that happens, I think it's a sign that either it's too complex to try and capture in band or that you need more detail.

> We could use PasswordProtectedTransport in this case, but also allow the
> IdP to claim that they used Kerberos to validate that authentication -
> by allowing a PrincipalAuthenticationMechanism statement to be added to
> a conforming instance document of the PasswordProtectedTransport class
> (currently the class *doesn't* allow this). What do you think of that?

I think that's more or less what I had in mind.

-- Scott