OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Re: Dutch eID Preso follow up. RE: Proposed Minutes for SSTC Call (Nov 25, 2014)

On 12/9/14, 10:07 PM, "Martijn Kaag" <martijn.kaag@connectis.nl> wrote:

>I agree, but there are several challenges:
>* They need to communicate the requested attributes at runtime. For 
>several reasons, AttributeConsumingServiceIndex is insufficient (there 
>may be more than
>65535 different combinations of requested attributes). 

That only holds if you signal some attributes as required vs. just 
handling the error at the SP, but that's fine. It's a trivial extension. 
And yet in ten years nobody who actually has the problem is willing to 
work on specifying it? That's hard to take seriously, for me.

>* They need to communicate about the (authenticated) subject with more 
>than one attribute.

And so there are multiple Attributes in any statement. I don't see the 
problem there.

>* They need specific user consent for every released attributes.

That's out of scope of SAML, but there are plenty of implementations that 
do that. Even Shibboleth's about to.

>Another option would bean authnrequest with a set of requested attributes 
>in the extension.

The other option is to invent a query profile that adds back in all of the 
security content, subject confirmation rules, etc. from the SSO profile. I 
think that's a lot more work.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]