Subject: RE: [security-services] AuthnContext comparison clarifications
Scott, in terms of ordering, I was thinking of the AuthnQuery use case and not Web SSO.
So if the query responder is returning *all* authn contexts it has for the user, I'm still thinking the actual order of the requested authn context classes is irrelevant. I see how for a Web SSO case, it would be relevant because it could influence how the IDP may authenticate a user.
But in the AuthnQuery case, if the responder knows the user has 3 distinct authn contexts, say A, B, and C.
Then what's the difference if the requested authn contexts (say A, C, and D in this example) were in the following order:
- A, C, D
- C, A, D
- D, A, C
Ultimately you will either get a match or not (whether exact, minimum, better, or maximum). And if you get a match, and you return *all* authn contexts for the user, you will return: A, B, and C.
I would agree that if only one is being returned (which satisfies the filter), then ordering would definitely matter. And perhaps that is the exact reason for saying the requested authn contexts need to be processed in order?
> -----Original Message-----
> From: Scott Cantor [mailto:firstname.lastname@example.org]
> Sent: Tuesday, February 21, 2006 12:31 PM
> To: 'Thomas Wisniewski'; email@example.com
> Subject: RE: [security-services] AuthnContext comparison
> > Scott, given that the definition of "better" is that the
> > resulting authn context just needs to be better than one of
> > the supplied requested authn contexts, can we change the
> > wording in line 1826 from "than any one" to "than one"? This
> > will align the wording used for maximum and minimum.
> That's fine.
> > Would you agree that if the entire set of authn performed on
> > the authority side is being returned (with at least one of
> > them matching the filter of course), then the statement about
> > "references MUST be evaluated as on ordered set" as it
> > applies to the comparison operations is irrelevant?
> I don't think so. The point of ordering is that the multiple input
> references don't necessarily (and in fact probably should NOT) really be
> comparable to each other directly. So you have to evaluate them in order in
> all cases, and evaluate the comparison to what your IdP options are one by
> one until you succeed and then you can quit. This absolutely applies to the
> comparison options, not just to equality, and order does matter.
> > Fyi... In your proposed text, change "to distinct" to "two
> No, I meant "to", as in what the references are referencing.
> > > "Note that while the references are evaluated in order,
> they do not
> > > necessarily (or even typically) constitute an ordered set
> relative to
> > > each other for comparison purposes. References can be to distinct
> > > classes that do not relate to each other directly in terms of
> > > "strength".
> There can be any number of input references and they can (and will) be
> referencing distinct classes that do not relate to each other.
> -- Scott
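The two positions in this exchange can be made concrete in code. The following is an added example written for this page; it is not part of the thread, of any SAML implementation, or of the SAML 2.0 specification text being discussed. It evaluates the requested references in order, as Scott describes, and compares each one against the contexts the responder actually holds under the four comparison types (exact, minimum, maximum, better). The "strength ladders" are a hypothetical model chosen here so that classes on different ladders are not comparable to each other, which is the point Scott makes about references to distinct classes; the shortened class names (Password, Kerberos, SmartcardPKI, and so on) and the helper names are assumptions of this example, not identifiers from the thread. The `return_all` switch reproduces Thomas's observation: when every held context is returned (the AuthnQuery case), the order of the requested references does not change the result, but when a single context is returned (the Web SSO case), it does.

```python
"""Ordered evaluation of SAML 2.0 AuthnContext comparison (added example, not spec code)."""

# Hypothetical strength ladders (assumption for this example). Within a ladder a
# higher index is a stronger class; classes on different ladders do not relate to
# each other in strength and are therefore not comparable.
LADDERS = [
    ["Password", "PasswordProtectedTransport", "SmartcardPKI"],
    ["Kerberos"],
    ["TelephonyAuthenticated"],
]

COMPARISONS = ("exact", "minimum", "maximum", "better")


def _rank(cls):
    """Return (ladder index, position on ladder) for a class, or None if unknown."""
    for li, ladder in enumerate(LADDERS):
        if cls in ladder:
            return li, ladder.index(cls)
    return None


def satisfies(candidate, requested, comparison):
    """Does one candidate class satisfy one requested reference under `comparison`?

    exact:   candidate is the requested class
    minimum: candidate is at least as strong as the requested class
    maximum: candidate is no stronger than the requested class
    better:  candidate is strictly stronger than the requested class
    Strength is only defined between classes on the same ladder; anything else
    is simply "no match" rather than an error.
    """
    if comparison not in COMPARISONS:
        raise ValueError("unknown comparison: %r" % comparison)
    if comparison == "exact":
        return candidate == requested
    c, r = _rank(candidate), _rank(requested)
    if c is None or r is None or c[0] != r[0]:
        return False  # distinct classes that do not relate to each other
    if comparison == "minimum":
        return c[1] >= r[1]
    if comparison == "maximum":
        return c[1] <= r[1]
    return c[1] > r[1]  # better


def _pick(matches, comparison):
    """Among contexts satisfying one reference, choose the one to report.

    For "maximum" report the strongest admissible context (as strong as possible
    without exceeding the reference); otherwise the first one in the responder's
    own order. This tie-break is a design choice of the example, not spec text.
    """
    if comparison == "maximum":
        return max(matches, key=lambda cls: _rank(cls)[1])
    return matches[0]


def select(requested_refs, available, comparison, return_all=False):
    """Evaluate `requested_refs` as an ordered set against `available` contexts.

    Each reference is tried in turn against every held context; the first
    reference that any held context satisfies ends the search. Returns the
    chosen context (Web SSO style), the full list of held contexts when
    `return_all` is set (AuthnQuery style), or None when nothing matches.
    """
    for ref in requested_refs:
        matches = [ctx for ctx in available if satisfies(ctx, ref, comparison)]
        if matches:
            return list(available) if return_all else _pick(matches, comparison)
    return None


if __name__ == "__main__":
    # Constructed sample: the responder holds A, B, C; the requester asks for
    # A, C, D in three different orders, mirroring the thread's example.
    held = ["Password", "Kerberos", "SmartcardPKI"]
    orders = [
        ["Password", "SmartcardPKI", "TelephonyAuthenticated"],
        ["SmartcardPKI", "Password", "TelephonyAuthenticated"],
        ["TelephonyAuthenticated", "Password", "SmartcardPKI"],
    ]
    for refs in orders:
        print(refs, "->", select(refs, held, "exact", return_all=True),
              "| single:", select(refs, held, "exact"))
```

Running the block prints the same full list for all three orderings, while the single-result column changes with the order of the references. Note that `select(["Kerberos"], ["SmartcardPKI"], "minimum")` returns `None`: the two classes sit on different ladders, so no "minimum" relation holds between them, which is exactly why the references cannot be ranked against each other and have to be tried one by one.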