security-services message



Subject: Re: [security-services] ENISA report on SAML Authentication Context and IDABC LOA


We have a draft Authentication Context profile which addresses many of these issues.  It is available here:

http://www.oasis-open.org/committees/download.php/28706/sstc-saml-loa-authncontext-profile-draft-01.pdf

I concur with your conclusions regarding the complexity of expressing the detailed LOA constraints. That's why we took the much simpler approach you find in the document.  You will note that there is a "generic" LOA profile, as well as a 4-level LOA profile based on NIST 800-63.

From a practical perspective, I think that this simplified approach is adequate.  Processing AuthnContext expressions in-band is too computationally expensive, and I know of no SAML implementations that actually do this processing (though they might exist).  Everyone seems to express and process AuthnContext in terms of the AuthnContextClass URIs.

I am awaiting some additional comments and input on this document in preparation for another revision. I'll take a closer look at the document you submitted, and I'd welcome your suggestions as well.

Thanks

ET
____________________________________________________
Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile
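
The class-URI-only processing Eric describes above, shown as an added example (not code from the thread, from the SSTC draft profile, or from any OASIS deliverable): a service provider maps each AuthnContextClassRef it receives to a numeric level through a configured table and enforces a minimum, failing closed on any URI it does not recognise, and builds the matching RequestedAuthnContext with Comparison="minimum" for its AuthnRequest. The level URIs (urn:example:loa:N) are placeholders, not the identifiers of the draft profile, and the assertion is a constructed sample; signature and validity checks on the assertion are assumed to have been done before this policy step.

```python
"""SP-side level-of-assurance check driven purely by AuthnContextClassRef URIs.

Added example; the class-ref-to-level table and the assertion below are
constructed placeholders, not values from the SSTC draft profile.
"""
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

# Hypothetical table: which class URI stands for which level. A deployed SP
# would load this from the LOA profile it actually implements.
LOA_BY_CLASSREF = {
    "urn:example:loa:1": 1,
    "urn:example:loa:2": 2,
    "urn:example:loa:3": 3,
    "urn:example:loa:4": 4,
}

# Constructed sample assertion (not a real IdP response); assume its XML
# signature, audience, and validity window were already verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2008-09-17T10:14:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2008-09-17T10:13:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:loa:2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def extract_classrefs(assertion_xml: str) -> List[str]:
    """Return every AuthnContextClassRef in the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    if root.tag == "{%s}Assertion" % NS["saml"]:
        refs = root.findall(path, NS)
    else:  # a samlp:Response wrapping one or more assertions
        refs = root.findall(".//saml:Assertion/" + path, NS)
    return [(e.text or "").strip() for e in refs]


def loa_of(classref: str) -> Optional[int]:
    """Level for a class URI, or None when the URI is not in the profile table."""
    return LOA_BY_CLASSREF.get(classref)


def meets_minimum(assertion_xml: str, required_level: int) -> bool:
    """True only if every AuthnStatement carries a known class URI at or above
    required_level. No statement, or an unknown URI, fails closed."""
    refs = extract_classrefs(assertion_xml)
    if not refs:
        return False
    levels = [loa_of(r) for r in refs]
    if any(lvl is None for lvl in levels):
        return False
    return min(levels) >= required_level


def build_requested_authn_context(min_level: int) -> str:
    """RequestedAuthnContext asking the IdP for at least min_level.

    With Comparison="minimum" the IdP must authenticate with a context it deems
    at least as strong as the one named, which is what an ordered LOA profile
    gives the IdP a basis to decide."""
    try:
        classref = next(u for u, lvl in LOA_BY_CLASSREF.items() if lvl == min_level)
    except StopIteration:
        raise ValueError("no class URI configured for level %d" % min_level)
    rac = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"],
                     {"Comparison": "minimum"})
    ref = ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"])
    ref.text = classref
    return ET.tostring(rac, encoding="unicode")


if __name__ == "__main__":
    print(extract_classrefs(SAMPLE_ASSERTION))
    print("LOA 2 required:", meets_minimum(SAMPLE_ASSERTION, 2))
    print("LOA 3 required:", meets_minimum(SAMPLE_ASSERTION, 3))
    print(build_requested_authn_context(2))
```

The check is deliberately a table lookup plus an integer comparison, which is the whole cost of the class-URI approach; the unknown-URI branch is the one place deployments tend to get this wrong, since an IdP that sends a class the SP has never heard of should not be read as "at least level 1".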



On Wed, Sep 17, 2008 at 10:14 AM, Giles Hogben <Giles.Hogben@enisa.europa.eu> wrote:
Dear All,
I wonder if we could have some comments on the attached document from the TC - and some advice on how to take the conclusions of the attached document forward...:

In 2007, I attended an SSTC call to discuss some possible updates/extensions to SAML (mostly Authentication Context). The next step was to produce a gap analysis between a European Authentication Levels model and SAML AC. Various hold-ups in the publication of the European model and our own resources delayed this more than I would have liked, but we now have a first version of a detailed gap analysis and some recommendations which came out of it. I have seen that some work has been progressing on this matter already with the NIST AALs so I thought it would be a good time to send our contribution.

I've attached a PDF of our first draft. The most important points are in the conclusion and the details of our analysis of AC vs IDABC model are in the gap analysis section.

I've put Kostas, the co-author of this (who did most of the work) in cc.

Regards,

Giles

Giles Hogben
Network Security Policy Expert
European Network & Information Security Agency (ENISA)
Tel: +30 2810 391892
Fax: +30 2810 39000