
security-services message


Subject: RE: [security-services] ENISA report on SAML Authentication Context and IDABC LOA

Thanks Giles
Like Tom, I didn't see references to some docs that I think might have helped....
While Risk Assessment and Identity Proofing are not the main focus of this report, it's undeniable that they are worthy/critical pre-requisites:-).  Taking a look at the USA's OMB M-04-04 might give a bit more sharpness to these sections, as would our own Evidence of Identity Standard (amongst others) on this site here (noting that these are mostly Version 1.0's and are in the process of revision):
I also noticed references in the text to 'vendors', but accompanied more by assumption than explicit reference. Maybe this is a difference in the scale between the EU and NZ.  In NZ, we can't hope to create profiles of AAL/LOA that are inconsistent with the intuitive direction of the vendor community because we could not hope to afford to support it:-).  But some of the issues you raise can be partially or largely answered by reviewing the commonly deployed products and seeing how vendors have implemented the SAML 2.0 spec thus far.
It's worth mentioning that the eGov SIG in Liberty has drafted an 'eGov SAML 2.0 profile' that stacks up the US eAuth, NZ and Danish government SAML 2.0 profiles side by side, with more to follow - (maybe IDABC's sometime soon?). It's still work-in-progress but might help you to place in broader context this solid piece of work you've shared with us.  Many thanks.

Colin Wallis
Manager, Identity Standards, Government Technology Services
State Services Commission
New Zealand Government
DDI: +64 4 495 6758
Mob: 027 244 7135
Fax: +64 4 495 6669
www.ssc.govt.nz | www.e.govt.nz | newzealand.govt.nz

New Zealand's State Services Commission: Leading the state sector to world class performance
Caution: If you have received this message in error please notify the sender immediately and then delete this message along with any attachments.  Please treat the contents of this message as private and confidential.


From: eric.tiffany@gmail.com [mailto:eric.tiffany@gmail.com] On Behalf Of Eric Tiffany
Sent: Thursday, 18 September 2008 2:47 a.m.
To: Giles Hogben
Cc: security-services@lists.oasis-open.org; Konstantinos Moulinos
Subject: Re: [security-services] ENISA report on SAML Authentication Context and IDABC LOA

We have a draft Authentication Context profile which addresses many of these issues.  It is available here:


I concur with your conclusions regarding the complexity of expressing the detailed LOA constraints. That's why we took the much simpler approach you find in the document.  You will note that there is a "generic" LOA profile, as well as a 4-level LOA profile based on NIST 800-63.

From a practical perspective, I think that this simplified approach is adequate.  Processing AuthnContext expressions in-band is too computationally expensive, and I know of no SAML implementations that actually do this processing (though they might exist).  Everyone seems to express and process AuthnContext in terms of the AuthnContextClass URIs.

I am awaiting some additional comments and input on this document in preparation for another revision. I'll take a closer look at the document you submitted, and I'd welcome your suggestions as well.


Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile

On Wed, Sep 17, 2008 at 10:14 AM, Giles Hogben <Giles.Hogben@enisa.europa.eu> wrote:
Dear All,
I wonder if we could have some comments on the attached document from the TC  - and some advice on how to take the conclusions of the attached document forward...:

In 2007, I attended an SSTC call to discuss some possible updates/extensions to SAML (mostly Authentication Context). The next step was to produce a gap analysis between a European Authentication Levels model and SAML AC. Various hold-ups in the publication of the European model and our own resources delayed this more than I would have liked, but we now have a first version of a detailed gap analysis and some recommendations which came out of it. I have seen that some work has been progressing on this matter already with the NIST AAL's so I thought it would be a good time to send our contribution.

I've attached a PDF of our first draft. The most important points are in the conclusion and the details of our analysis of AC vs IDABC model are in the gap analysis section.

I've put Kostas, the co-author of this (who did most of the work) in cc.



Giles Hogben
Network Security Policy Expert
European Network & Information Security Agency (ENISA)
Tel: +30 2810 391892
Fax: +30 2810 39000
