
Subject: RE: [security-services] AuthnContext comparison clarifications

> Scott, in terms of ordering, I was thinking of the AuthnQuery 
> use case and not Web SSO. 

I had forgotten we added the requested context element there until you asked
about it.

> So if the query responder is returning *all* authn contexts 
> it has for the user, I'm still thinking the actual order of 
> the requested authn context classes is irrelevant. I see how 
> for a Web SSO case, it would be relevant because it could 
> influence how the IDP may authenticate a user.

You're probably correct. That means we need new text anyway, because the
ordering stuff is all sitting in the element definition, not the
AuthnRequest definition.

> I would agree that if only one is being returned (which 
> satisfies the filter), then ordering would definitely matter. 
> And perhaps that is the exact reason for saying the requested 
> authn contexts need to be processed in order?

Yes, exactly. Since it doesn't really hurt anything in the query case, maybe
we could just say something like:

"If ordering is relevant to the evaluation of the request, then the elements
are processed in the order they appear in the message. For example, ordering
is significant when using this element in an <AuthnRequest>, but not in an

Or alternatively just override the ordering aspect in the AuthnQuery

I'm just trying to avoid moving all the text.

-- Scott
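
The distinction discussed in this message, as an added example that is not part of the original post or of any SAML implementation: the same requested class list is order-sensitive when the IdP must pick one context for an <AuthnRequest>, and order-insensitive when an <AuthnQuery> filters all existing statements. The function names, the statement dictionaries and the sample XML are assumptions constructed for illustration, and only Comparison="exact" is handled.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample: the requester lists X509 first, then password.
# Trusted inline input only; use a hardened XML parser for untrusted SAML.
REQUESTED_XML = f"""
<samlp:RequestedAuthnContext xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Comparison="exact">
  <saml:AuthnContextClassRef>{AC}X509</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
"""


def requested_classes(xml_text):
    """Return the requested class URIs in document order."""
    root = ET.fromstring(xml_text)
    if root.get("Comparison", "exact") != "exact":
        raise ValueError("this sketch only handles Comparison='exact'")
    refs = root.findall("saml:AuthnContextClassRef", NS)
    return [el.text.strip() for el in refs]


def choose_for_authn_request(requested, idp_supported):
    """AuthnRequest: order matters; the first requested class the IdP
    can perform is the one it authenticates the user with."""
    for ref in requested:
        if ref in idp_supported:
            return ref
    return None  # caller would answer with a NoAuthnContext status


def filter_for_authn_query(requested, user_statements):
    """AuthnQuery: every existing statement whose class matches any
    requested class is returned, so request order has no effect."""
    wanted = set(requested)
    return [s for s in user_statements if s["class"] in wanted]
```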
