[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [security-services] Dutch eID Preso follow up. RE: Proposed Minutes for SSTC Call (Nov 25, 2014)
On 12/9/14, 10:07 PM, "Martijn Kaag" <martijn.kaag@connectis.nl> wrote:

> I agree, but there are several challenges:
>
> * They need to communicate the requested attributes at runtime. For
> several reasons, AttributeConsumingServiceIndex is insufficient (there
> may be more than 65535 different combinations of requested attributes).

The requirement for dynamic attributes has been claimed in the past, e.g. [1][2][3], but I have not seen anybody name a specific example where it would actually make sense. As you require a large number of permutations, I would be interested in what the concrete business case is.

Data minimization has been given as a reason in the past, but that should be challenged. Optional attributes are against strict data minimization - the minimal data set is specified by mandatory attributes.

Another reason might be the limitation of products to map different applications to multiple SPs, resulting in a lengthy list of ACS in a single SP spanning all applications of a site.

[1] TAS3: http://www.zxid.org/tas3/anrq-index.html (Sampo proposing an AttrQuery embedded in an AuthnRequest)
[2] STORK's SAML profile (D5.8.3b Interface Specification) includes a <stork:RequestedAttribute> in <saml2p:Extensions>. On inquiring about the use case for it, it turned out that this was included only to be on the safe side, not for a concrete requirement.
[3] https://spaces.internet2.edu/display/InCCollaborate/SP+Attribute+Requirements lists the AuthnRequest extension as an alternative to metadata.

- Rainer
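The exchange above turns on how an IdP maps an AuthnRequest's AttributeConsumingServiceIndex onto the AttributeConsumingService entries published in SP metadata, and on why the index alone bounds the number of selectable attribute sets (the attribute is an xs:unsignedShort, hence 0..65535). The following is an added example written for this page, not code from the thread, from Connectis or from any of the cited projects. The SP metadata and the two AuthnRequests are constructed samples (the entityID, request IDs and the service names are made up; the attribute names are the standard uid and mail OIDs). It resolves the index, falls back to the default service when the request carries none, rejects out-of-range and unknown indices, and separates the mandatory attributes (the minimal data set Rainer refers to) from the optional ones. It uses the standard library parser for self-containment; on untrusted XML a deployment would use a hardened parser such as defusedxml instead.

```python
"""Resolve a SAML 2.0 AuthnRequest's AttributeConsumingServiceIndex against
SP metadata and return the requested attributes, split into required
(mandatory) and optional.  Added illustration; all documents are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
INDEX_MAX = 65535  # AttributeConsumingServiceIndex is xs:unsignedShort

# Constructed SP metadata (hypothetical entityID): index 0 is the default
# service and asks only for uid; index 1 additionally asks for mail as optional.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Login</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" isRequired="true"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Profile</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequests: one selecting service 1, one with no index at all.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2014-12-10T10:00:00Z"
    AttributeConsumingServiceIndex="1"/>"""
AUTHN_REQUEST_NO_INDEX = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req2" Version="2.0" IssueInstant="2014-12-10T10:00:01Z"/>"""


def _check_index(raw):
    """Parse an index attribute and enforce the unsignedShort range."""
    idx = int(raw)
    if not 0 <= idx <= INDEX_MAX:
        raise ValueError("AttributeConsumingServiceIndex out of range: %d" % idx)
    return idx


def load_services(metadata_xml):
    """Return ({index: {"required": [...], "optional": [...]}}, default_index).

    The default is the service flagged isDefault="true", else the first one
    listed, as the SAML metadata specification prescribes."""
    root = ET.fromstring(metadata_xml)
    services, default, first = {}, None, None
    for acs in root.iterfind(".//md:AttributeConsumingService", NS):
        idx = _check_index(acs.get("index"))
        required, optional = [], []
        for ra in acs.iterfind("md:RequestedAttribute", NS):
            bucket = required if ra.get("isRequired") == "true" else optional
            bucket.append(ra.get("Name"))
        services[idx] = {"required": required, "optional": optional}
        if first is None:
            first = idx
        if acs.get("isDefault") == "true":
            default = idx
    return services, (default if default is not None else first)


def resolve(metadata_xml, authn_request_xml):
    """Return (index, attribute set) selected by the request, or raise."""
    services, default = load_services(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: %s" % req.tag)
    raw = req.get("AttributeConsumingServiceIndex")
    idx = default if raw is None else _check_index(raw)
    if idx not in services:
        raise LookupError("no AttributeConsumingService with index %d" % idx)
    return idx, services[idx]


if __name__ == "__main__":
    for request in (AUTHN_REQUEST, AUTHN_REQUEST_NO_INDEX):
        idx, attrs = resolve(SP_METADATA, request)
        print("index %d -> mandatory %s, optional %s"
              % (idx, attrs["required"], attrs["optional"]))
```

The mandatory list is what an IdP can treat as the SP's minimal data set for that service; anything in the optional list is a release decision outside strict data minimization. Everything selectable here is pinned down by the SP's published metadata, which is exactly what a runtime extension such as STORK's RequestedAttribute would bypass.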