security-services message
Subject: RE: [security-services] ENISA report on SAML Authentication Context and IDABC LOA
- From: <Colin.Wallis@ssc.govt.nz>
- To: <Giles.Hogben@enisa.europa.eu>
- Date: Fri, 19 Sep 2008 20:20:23 +1200
Thanks Giles

Like Tom, I didn't see references to some docs that I think might have helped...

While Risk Assessment and Identity Proofing are not the main focus of this report, it's undeniable that they are worthy/critical pre-requisites :-). Taking a look at the USA's OMB M-04-04 might give a bit more sharpness to these sections, as would our own Evidence of Identity Standard (amongst others) on this site here (noting that these are mostly Version 1.0s and are in the process of revision):
I also noticed references in the text to 'vendors', but accompanied more by assumption than explicit reference. Maybe this is a difference in the scale between the EU and NZ. In NZ, we can't hope to create profiles of AAL/LOA that are inconsistent with the intuitive direction of the vendor community because we could not hope to afford to support it :-). But some of the issues you raise can be partially or largely answered by reviewing the commonly deployed products and seeing how vendors have implemented the SAML 2.0 spec thus far.
It's worth mentioning that the eGov SIG in Liberty has drafted an 'eGov SAML 2.0 profile' that stacks up the US eAuth, NZ and Danish government SAML 2.0 profiles side by side, with more to follow (maybe IDABC's sometime soon?). It's still work-in-progress but might help you to place in broader context this solid piece of work you've shared with us. Many thanks.
Cheers
Colin
--
Colin Wallis
Manager, Identity Standards, Government Technology Services
State Services Commission
New Zealand's State Services Commission: Leading the state sector to world class performance
We have a draft Authentication Context profile which addresses many of these issues. It is available here:
http://www.oasis-open.org/committees/download.php/28706/sstc-saml-loa-authncontext-profile-draft-01.pdf

I concur with your conclusions regarding the complexity of expressing the detailed LOA constraints. That's why we took the much simpler approach you find in the document. You will note that there is a "generic" LOA profile, as well as a 4-level LOA profile based on NIST 800-63.
From a practical perspective, I think that this simplified approach is adequate. Processing AuthnContext expressions in-band is too computationally expensive, and I know of no SAML implementations that actually do this processing (though they might exist). Everyone seems to express and process AuthnContext in terms of the AuthnContextClass URIs.
I am awaiting some additional comments and input on this document in preparation for another revision. I'll take a closer look at the document you submitted, and I'd welcome your suggestions as well.
Thanks
ET
____________________________________________________
Eric Tiffany | eric@projectliberty.org
Interop Tech Lead | +1 413-458-3743
Liberty Alliance | +1 413-627-1778 mobile
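As an added example that is not part of this thread: a service-provider-side check that, in the manner Eric describes, works only on the AuthnContextClassRef URI rather than evaluating in-band AuthnContext declarations, maps the class to a level and applies the RequestedAuthnContext Comparison rules of SAML 2.0 core. The URI-to-level table is a constructed stand-in for a 4-level LOA profile, not the URIs of the draft profile linked above, and the sample assertion is constructed.

```python
# Added example (not from the thread): SP-side check of a SAML assertion's
# AuthnContextClassRef. The URI -> level table is constructed, not the OASIS draft's.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed mapping of standard SAML 2.0 AC class URIs to an assumed 4-level LOA.
LOA_OF_CLASS = {
    AC + "unspecified": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TLSClient": 3,
    AC + "SmartcardPKI": 4,
}

def asserted_loa(assertion_xml: str) -> int:
    """LOA of the AuthnContextClassRef; 0 if absent or unknown (fail closed)."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not ref.text:
        return 0
    return LOA_OF_CLASS.get(ref.text.strip(), 0)

def satisfies(asserted: int, requested: int, comparison: str = "exact") -> bool:
    """RequestedAuthnContext Comparison semantics (SAML 2.0 core) for one level."""
    if asserted <= 0:          # unknown/unspecified context never satisfies anything
        return False
    if comparison == "exact":
        return asserted == requested
    if comparison == "minimum":
        return asserted >= requested
    if comparison == "better":
        return asserted > requested
    if comparison == "maximum":
        return asserted <= requested
    raise ValueError(f"unknown Comparison value: {comparison}")

# Constructed sample assertion fragment (not a real IdP's output).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2008-09-17T10:14:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    loa = asserted_loa(SAMPLE)
    print(f"asserted LOA {loa}; meets minimum 2: {satisfies(loa, 2, 'minimum')}")
```

In a real deployment the lookup table would be populated from the LOA profile the federation actually adopts, and the check runs only after signature and Conditions validation of the assertion.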
On Wed, Sep 17, 2008 at 10:14 AM, Giles Hogben <Giles.Hogben@enisa.europa.eu> wrote:
Dear All,

I wonder if we could have some comments on the attached document from the TC - and some advice on how to take the conclusions of the attached document forward...:
In 2007, I attended an SSTC call to discuss some possible updates/extensions to SAML (mostly Authentication Context). The next step was to produce a gap analysis between a European Authentication Levels model and SAML AC. Various hold-ups in the publication of the European model and our own resources delayed this more than I would have liked, but we now have a first version of a detailed gap analysis and some recommendations which came out of it. I have seen that some work has been progressing on this matter already with the NIST AALs so I thought it would be a good time to send our contribution.
I've attached a PDF of our first draft. The most important points are in the conclusion and the details of our analysis of AC vs IDABC model are in the gap analysis section.
I've put Kostas, the co-author of this (who did most of the work), in cc.
Regards,
Giles
Giles Hogben
Network Security Policy Expert
European Network & Information Security Agency (ENISA)
Tel: +30 2810 391892
Fax: +30 2810 39000