OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Issue of multiple authn statements during SSO

> [Rob] Are you saying we'd allow one or more statements in a bearer
> assertion, but not multiple bearer assertions with authn methods?  I
> guess that works.

Now that I understand your use case a bit better, I think I'm ok with it as
it stands, without any restrictions. You basically want the SP to be able to
collect up or ignore authentication statements as it sees fit. This idea
wasn't at all clear to me in the original profile, so maybe I'm the one who
was confused. Although when I read ID-FF, I get a strong sense that a single
statement is implied there also.

> [Rob] I would NOT want to constraint the assertion to only use one
> Reauthn timestamp or using the shortest.
> I think the reauthn timestamps should always apply to the method in the
> specific statement in which it is specified.  I would normally want a
> reauthn timestamp on a low grade method to be longer than a high-grade
> method.  The semantic is simply that if the SP relies on a specific
> method for graded authn checks, then the reauthn time associated with
> that method applies.  If you don't care about graded authn at the SP,
> then maybe the shortest should be used.  But that would not 
> work for the graded case.

I think we need some language added to the spec to discuss this notion and
how it would impact sessions. I guess you're saying that in efect, you're
establishing a session based on perhaps only one of the statements, and if
so, that's the Reauthenticate time you care about. I can buy that.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]