Subject: RE: [security-services] AuthnContext comparison clarifications


Title: RE: [security-services] AuthnContext comparison clarifications

Scott, I think adding your comments as a replacement for the sentence on lines 1816-1817 would be sufficient.

I would propose replacing

"The set of supplied elements MUST be evaluated as an ordered set, where the first element is the most preferred authentication context class or declaration."

with

"If ordering is relevant to the evaluation of the request, then the set of supplied elements MUST be evaluated as an ordered set, where the first element is the most preferred authentication context class or declaration. For example, ordering is significant when using this element in an <AuthnRequest>, but not in an <AuthnQuery>."

Tom.


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, February 21, 2006 1:06 PM
> To: 'Thomas Wisniewski'; security-services@lists.oasis-open.org
> Subject: RE: [security-services] AuthnContext comparison
> clarifications
>
>
> > Scott, in terms of ordering, I was thinking of the AuthnQuery
> > use case and not Web SSO.
>
> I had forgotten we added the requested context element there
> until you asked
> about it.
>
> > So if the query responder is returning *all* authn contexts
> > it has for the user, I'm still thinking the actual order of
> > the requested authn context classes is irrelevant. I see how
> > for a Web SSO case, it would be relevant because it could
> > influence how the IDP may authenticate a user.
>
> You're probably correct. That means we need new text anyway,
> because the
> ordering stuff is all sitting in the element definition, not the
> AuthnRequest definition.
>
> > I would agree that if only one is being returned (which
> > satisfies the filter), then ordering would definitely matter.
> > And perhaps that is the exact reason for saying the requested
> > authn contexts need to be processed in order?
>
> Yes, exactly. Since it doesn't really hurt anything in the
> query case, maybe
> we could just say something like:
>
> "If ordering is relevant to the evaluation of the request,
> then the elements
> are processed in the order they appear in the message. For
> example, ordering
> is significant when using this element in an <AuthnRequest>,
> but not in an
> <AuthnQuery>."
>
> Or alternatively just override the ordering aspect in the AuthnQuery
> section.
>
> I'm just trying to avoid moving all the text.
>
> -- Scott
>
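The two evaluation modes the thread contrasts, as an added Python example that is not from the thread or from any SAML implementation: an <AuthnRequest> treats the RequestedAuthnContext as an ordered preference list, while an <AuthnQuery> uses it only as an unordered filter. Element and namespace names are the SAML 2.0 ones; the sample request, the IdP's supported classes and the stored authentication statements are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample RequestedAuthnContext: most preferred class first.
REQUESTED = f"""
<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
                             Comparison="exact">
  <saml:AuthnContextClassRef>{AC}X509</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
"""


def requested_classes(xml_text):
    """Return the AuthnContextClassRef values in document order."""
    root = ET.fromstring(xml_text)
    refs = root.findall(f"{{{SAML}}}AuthnContextClassRef")
    return [ref.text.strip() for ref in refs]


def choose_for_authn_request(requested, supported):
    """AuthnRequest case: ordered set, the first class the IdP can
    satisfy wins. None means the IdP cannot honour the request."""
    for cls in requested:
        if cls in supported:
            return cls
    return None


def filter_for_authn_query(requested, statements):
    """AuthnQuery case: order is irrelevant; every stored statement
    whose class is in the requested set is returned, in stored order."""
    wanted = set(requested)
    return [s for s in statements if s["class"] in wanted]


if __name__ == "__main__":
    prefs = requested_classes(REQUESTED)
    # Constructed IdP capability set: X509 unavailable, so the second
    # preference is chosen for an AuthnRequest.
    print(choose_for_authn_request(prefs, {AC + "PasswordProtectedTransport"}))
    # Constructed authentication statements held for the subject.
    held = [{"class": AC + "Kerberos"}, {"class": AC + "X509"},
            {"class": AC + "PasswordProtectedTransport"}]
    print(filter_for_authn_query(prefs, held))
```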