OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Comments on SAML 2.0 Core draft-19...

I agree with Conor and Scott here.  From a security perspective, it seems
quite odd to declare that the default (and hence, likely, most common)
behavior on a request to authenticate a principal should preclude any
interaction with that principal in order to perform an authentication. 

--jl

-----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: Tuesday, August 10, 2004 10:08 AM
To: Nick Ragouzis
Cc: 'Scott Cantor'; 'SAML'
Subject: RE: [security-services] Comments on SAML 2.0 Core draft-19...




Nick Ragouzis wrote on 8/10/2004, 9:45 AM:

 > +0 (whatever experienced implementers think), ...
 >
 > ... but consider that verbosity (less-of) is not the only
 > criteria in a case such as this, where user interfaces
 > are concerned.

Actually, verbosity is a significant issue with the
AuthNRequest, but yes, it isn't the only issue.

 > Here the schema is also conveying a sense of the "default"
 > user interaction principles ... and those follow interaction
 > design practices that no unbeckoned presentations suddenly
 > appear [1].

I disagree.  The schema should represent typical usage and
not anything about UI principals.

 > I'd say that in the security context this user interface
 > aspect extends to all services cooperating in a consistent,
 > integral, presentation. Which imposes a default of: don't
 > interpose yourself (IdP/ECP) unless I specifically say you
 > may (and by which I am indicating that I have already given
 > the user the proper indications and am committing to follow
 > up 'your' interactions appropriately).

Again, I disagree.  Even from a security context, having the
default be that when the SP queries the IDP and the IdP can't
ask the user about it, you're potentially opening at least a
privacy hole.

The majority of the time, when an SP says to the IdP, Hey,
I need you to give me an authentication assertion, the SP
will want the IdP to interact with the user so that the
IdP can query the user for credentials, if necessary.

If the SP doesn't want the interaction, it should positively
indicate it as such because there are privacy considerations
involved in probing for access without interacting with a
user.

Conor




To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave
_workgroup.php.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]