OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


> I see what you're saying - that maybe the relying party maybe doesn't 
> care whether Krb was used to validate the authentication - although I 
> believe Polar did mention a use-case for marking the Principal as being 
> untrusted if they choose to use their password in this way, so maybe the 
> information *is* useful :)

Yeah, I think the point is that people differ in their opinions on this, and
when that happens, I think it's a sign that either it's too complex to try
and capture in band or that you need more detail.

> We could use PasswordProtectedTransport in this case, but also allow the 
> IdP to claim that they used Kerberos to validate that authentication - 
> by allowing a PrincipalAuthenticationMechanism statement to be added to 
> a conforming instance document of the PasswordProtectedTransport class 
> (currently the class *doesn't* allow this). What do you think of that?

I think that's more or less what I had in mind.

-- Scott


