security-services message
Subject: RE: [security-services] RequestedAuthnContext
- From: "Conor P. Cahill" <ConCahill@aol.com>
- To: "'Thomas Wisniewski'" <Thomas.Wisniewski@entrust.com>, "'SAML'" <security-services@lists.oasis-open.org>
- Date: Mon, 5 Dec 2005 14:04:25 -0500
While I think that the typical cases that use this functionality will have a single authn context, I guess there can be some real cases where multiples make sense.
1. auth context of 2 and 3 with comparison "maximum", then either 1, 2, or 3 would satisfy this portion of the request (the strongest of these should always be returned). I.e., if the user at the authority authenticated with only 1, that would be fine to satisfy this request. As a note, only 4 would not be allowed.
That's correct in a pure hierarchical set. However, authentication contexts are not necessarily hierarchical and so it may be that 2 & 3 are equal, but in different planes of existence such that 2 is not satisfied by "maximum 3" and 3 is not satisfied by "maximum 2", hence if the invoker wanted to allow either they would specify both.
If the contexts are hierarchical, it would be unnecessarily redundant to specify both 2 and 3 as just specifying 3 would get you all the possibilities.
2. for "better", does the phrase "stronger than any one" mean "stronger than all" or "stronger than one"? As an example, consider auth context of 2 and 3 with comparison "better", the former interpretation suggests that only 4 would satisfy the request (as 4 is stronger than both 2 and 3). My latter interpretation would suggest that 3 or 4 would satisfy it (as 3 is stronger than 2).
Again, in the hierarchical world "better" means better than the "lowest" of the specified contexts, so if you said "better than 2 or 3" it is the same as saying "better than 2".
However, in the non-hierarchical world, there may again be cases to list multiple contexts.
Conor
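The reading given in this reply, worked through as an added example that is not part of the original message or of any SAML implementation: a request is checked against a partial order of contexts, once for a strict hierarchy and once for the case where 2 and 3 sit in different planes. The orderings `CHAIN` and `PLANES` and all function names are assumptions constructed for illustration.

```python
# Added illustration; the two orderings below are constructed samples.
# Each map gives, per context, the contexts directly weaker than it.
CHAIN = {"1": [], "2": ["1"], "3": ["2"], "4": ["3"]}        # 1 < 2 < 3 < 4
PLANES = {"1": [], "2": ["1"], "3": ["1"], "4": ["2", "3"]}  # 2 and 3 incomparable


def weaker(order, a, b):
    """True if context a is strictly weaker than context b under `order`."""
    stack, seen = list(order[b]), set()
    while stack:
        c = stack.pop()
        if c == a:
            return True
        if c not in seen:
            seen.add(c)
            stack.extend(order[c])
    return False


def satisfies(order, actual, requested, comparison):
    """Is `actual` admissible for a request listing `requested` contexts?

    Only admissibility is checked; choosing the strongest admissible
    context that the user can actually meet is left to the authority.
    """
    if comparison == "exact":
        return actual in requested
    if comparison == "minimum":   # at least as strong as one listed context
        return any(actual == r or weaker(order, r, actual) for r in requested)
    if comparison == "maximum":   # no stronger than at least one listed context
        return any(actual == r or weaker(order, actual, r) for r in requested)
    if comparison == "better":    # stronger than any one listed context
        return any(weaker(order, r, actual) for r in requested)
    raise ValueError(f"unknown comparison: {comparison}")


def acceptable(order, requested, comparison):
    """All contexts in `order` that would satisfy the request, sorted."""
    return sorted(c for c in order if satisfies(order, c, requested, comparison))


if __name__ == "__main__":
    for name, order in (("hierarchical", CHAIN), ("two planes", PLANES)):
        for comparison in ("maximum", "better"):
            for requested in (["2"], ["3"], ["2", "3"]):
                print(name, comparison, requested, acceptable(order, requested, comparison))
```

In the hierarchical ordering, listing 2 and 3 gives the same result as listing 3 alone for "maximum" and 2 alone for "better"; in the two-plane ordering, "maximum" needs both listed before either 2 or 3 is accepted.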