
security-services message


Subject: Re: [security-services] Potential error in AuthContext spec?

Given that the core of the SSTC's specification suite provides an interoperable remote authentication method on a technical level, I would argue that the specification of specific policies that ride on top of SAML-based transactions should be outside the scope of a technical protocol. Many working groups try and struggle to define such policies at ISO, ITU-T, OASIS, NIST, ETSI etc., so it seems a good approach to me to point to such a policy using an AuthnContextClassRef instead.

- Rainer Hörbe

On 14.06.2013 at 23:39, "Philpott, Robert" <robert.philpott@rsa.com> wrote:

Oops – meant to send this to the main SSTC list
I realize that very few folks actually create any instance documents for AuthenticationContextClasses (i.e. everyone just refers to existing AC class URI’s, right?), but we’re looking at defining some additional classes and in the process of doing that, we ran across this issue.
From: Philpott, Robert [mailto:robert.philpott@rsa.com] 
Sent: Wednesday, June 12, 2013 1:46 PM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Potential error in AuthContext spec?
WOW… it’s been a long time since I felt comfortable down in the bowels of the AuthnContext spec (oh wait… I never felt comfortable there :-) ).
We have a use case where someone is attempting to create an instance document for the class TimeSynchToken and it appears there is an error in the spec.
The TimeSyncToken schema defines the AuthnMethodBaseType to be a restriction of AuthnMethodBaseType where PrincipalAuthenticationMethod is optional and Authenticator is required.
However, the Token element is in the PrincipalAuthenticationMechanismType, not in the AuthenticatorSequenceGroup and thus it can’t be part of the Authenticator element.
So we’re stumped as to how to create a TimeSyncToken authenticator.
Are we missing something?
Rob Philpott | Senior Technologist | RSA, the Security Division of EMC
eMail: robert.philpott@rsa.com | Office: 781.515.7115 | Mobile: 617.510.0893
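Rainer's suggestion is that a policy is referenced by class URI rather than spelled out in an instance document. The relying-party side of that, an SP checking the AuthnContextClassRef an assertion carries against the classes it accepts, as an added example that is not code from either poster or from the SSTC; it assumes the standard SAML 2.0 assertion namespace and the TimeSyncToken and PasswordProtectedTransport class URIs, and the assertion below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample assertion (not from the thread) with two AuthnStatements:
# a password login followed by a time-synchronised token step-up.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_sample" Version="2.0"
                IssueInstant="2013-06-14T21:39:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2013-06-14T21:38:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{PASSWORD_PT}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AuthnStatement AuthnInstant="2013-06-14T21:38:55Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{TIME_SYNC_TOKEN}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def authn_context_class_refs(assertion_xml: str) -> list[str]:
    """Return every AuthnContextClassRef in document order, matched by namespace.

    Only class references are collected: an AuthnContextDeclRef (a pointer to an
    instance document, which the thread notes almost nobody creates) is ignored,
    so an assertion carrying only declarations fails the check below.
    """
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
            f"{{{SAML}}}AuthnContextClassRef")
    return [(el.text or "").strip() for el in root.iterfind(path)]


def satisfies_policy(assertion_xml: str, accepted: frozenset[str]) -> bool:
    """Exact-match policy: some AuthnStatement must cite a class the SP accepts.

    Mirrors a RequestedAuthnContext with Comparison="exact"; an assertion with
    no class reference at all is rejected (fail closed).
    """
    return any(ref in accepted for ref in authn_context_class_refs(assertion_xml))
```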
