OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Proposed erratum resolutions

> The Liberty use case that resulted in AllowCreate was the desire to 
> "passively" probe for an authenticated user without the chance of 
> either (a) the user being prompted for authentication by the IDP or (b) 
> the user being prompted for federation consent if they were not already 
> federated. So, I believe your first suggestion is the one that was 
> intended.

If that was the only issue, the SP could just use IsPassive (which was my
reasoning for leaving the flag out originally).

There's a distinction being created here that involves "federation as verb",
something I wasn't in favor of the spec encompassing, but as it has, the
question is whether creating a transient identifier qualifies. I think it
doesn't, unless there's a persistent attribute sent along with it, but
AllowCreate (and its Liberty ancestors) pertains to the NameID only.

The ability to use attributes like that is one reason I don't think
AllowCreate=false is all that useful. As it stands now, it doesn't preclude
the IdP from peristently identifying the principal to the SP. It's an IdP
issue and I wish it had have stayed one or been addressed through higher
level profiles involving the Consent attribute.

> > PE6: Encrypted NameID
> 
> It might make more sense to say that the IDP should be in charge of 
> deciding whether to encrypt the ID or not and have the SP always 
> request the particular kind of ID it wants. In other words, disallow 
> use of "encrypted" in request name id format.

Well, my reasoning for this wording is that it's a clarifying rather than a
spec change (as this would be), and I think it's overly limiting to force
the use of encryption to be established out of band when there's already
metadata that can communicate the plaintext options out of band. Note that
"encrypted" is not a real format, and would not show up in metadata in the
NameIDFormat element. Perhaps also something we could clarify, but that's
why I was careful not to put it in section 8.3.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]