OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Question on SAML V2.0 Identity Assurance Profiles, Version 1.0


On 7/15/11 3:22 PM, "David Chadwick" <d.w.chadwick@kent.ac.uk> wrote:

>I suggest you need to update your CS spec if you want to explicitly rule
>this out because your current text does not. In fact it appears to be
>general enough to allow for any assurance criteria which users wish to
>specify (which I would have thought is a good thing).

It does allow for any criteria, but in the form of one identifier, because
what you're asking to do was already possible with the original
AuthnContext feature. People didn't want it.

> Additionally
>
>a) your schema allows multiple values and

What schema?

>b) your text implies it by stating "Multiple
>values MAY be present."

It is regrettably misleading, but it meant that multiple AttributeValue
elements are possible, but each one is itself one URI.

>Furthermore, whilst an AuthenticationContext might be singular wrt a
>uri, its semantics can be anything. So all this means is that we need to
>define a set of n*m URIs rather than n+m URIs. Inconvenient but not a
>show stopper.

That is correct, and precisely the point. Pressures will come to bear on
anybody trying to complicate things by going back to the sort of
combinatorics that were already possible in the original AuthnContext
work. That didn't fly with people.

-- Scott
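
Added example, not part of the original message or of the specification: a relying-party check for the reading described in the reply above, where several AttributeValue elements may appear but each must hold exactly one URI that is matched as an opaque identifier. The attribute name, the example URIs and the function names are assumptions, and the input is assumed to come from an assertion whose signature has already been verified.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Placeholder attribute name (assumption); substitute the name your profile defines.
ASSURANCE_ATTR = "urn:example:attribute:assurance-certification"

# Constructed sample: two values that are each one URI, and one that packs two URIs.
SAMPLE = f"""
<saml:Attribute xmlns:saml="{SAML_NS}" Name="{ASSURANCE_ATTR}">
  <saml:AttributeValue>https://idp.example/assurance/loa2</saml:AttributeValue>
  <saml:AttributeValue>https://idp.example/assurance/loa2-hardware-token</saml:AttributeValue>
  <saml:AttributeValue>https://idp.example/loa2 https://idp.example/hardware-token</saml:AttributeValue>
</saml:Attribute>
"""

def is_single_uri(text):
    """True if text is one absolute URI with no embedded whitespace."""
    if not text or any(c.isspace() for c in text):
        return False
    return bool(urlsplit(text).scheme)

def assurance_values(attribute_xml):
    """Return (accepted, rejected) AttributeValue strings for the assurance attribute."""
    attr = ET.fromstring(attribute_xml)
    if attr.tag != f"{{{SAML_NS}}}Attribute" or attr.get("Name") != ASSURANCE_ATTR:
        raise ValueError("not the assurance attribute")
    accepted, rejected = [], []
    for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
        if len(value):  # child elements mean structured content, not a bare URI
            rejected.append(ET.tostring(value, encoding="unicode"))
            continue
        text = (value.text or "").strip()  # ignore pretty-printing whitespace
        (accepted if is_single_uri(text) else rejected).append(text)
    return accepted, rejected

def satisfies(accepted, required):
    """Exact match on an opaque identifier; a combined URI is never decomposed."""
    return required in accepted
```

A deployment that needs both an assurance level and a token type has to be issued the combined identifier as its own URI, which is the n*m enumeration discussed in the thread.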


