OASIS Mailing List Archives



security-services message


Subject: SAML Public key authentication methods


In trying to map the SAML authentication methods to authentication 
context classes, I've hit a snag, regarding the mapping of the 
individual public key methods (X509 public key, PGP public key and so 
on). These are called out separately as distinct authentication methods. 
However, it seems to me that the actual authentication mechanism is not 
specified in these cases. Instead, we are specifying how the key was 
verified. So, I have a couple of questions/comments for the group:

1) Is information regarding the actual verification of the key, rather 
than the actual authentication mechanism, important in describing the 
authentication event? If so, then we should model this in the 
authentication context, probably by adding an attribute to the 
authenticator to hold the "validation mechanism".
2) Unless I'm not understanding this correctly, it seems to me that the 
authenticator in all of these public key cases is some kind of 
digital signature over some piece of content.

I'd appreciate thoughts on this matter as I aim to complete the 
authentication context/method changes this week.


- JohnK
