OASIS Mailing List Archives

security-services message

Subject: [security-services] Dutch eID Preso follow up. RE: Proposed Minutes for SSTC Call (Nov 25, 2014)


On 12/9/14, 10:07 PM, "Martijn Kaag" <martijn.kaag@connectis.nl> wrote:

> I agree, but there are several challenges:
>
> * They need to communicate the requested attributes at runtime. For
> several reasons, AttributeConsumingServiceIndex is insufficient (there
> may be more than 65535 different combinations of requested attributes).

The requirement for dynamic attributes has been claimed in the past, e.g. [1][2][3], but I have not seen anybody name a specific example where it would actually make sense. As you require a large number of permutations, I would be interested in what the concrete business case is.

Data minimization has been given as a reason in the past, but that should be challenged. Optional attributes are against strict data minimization - the minimal data set is specified by mandatory attributes. 

Another reason might be the limitation of products in mapping different applications to multiple SPs, resulting in a lengthy list of ACS entries in a single SP spanning all applications of a site.

[1] TAS3: http://www.zxid.org/tas3/anrq-index.html (Sampo proposing an AttrQuery embedded in an AuthnRequest)
[2] STORK's SAML profile (D5.8.3b Interface Specification) includes a <stork:RequestedAttribute> in <saml2p:Extensions>. On inquiring about the use case for it, it turned out that this was included only to be on the safe side, not for a concrete requirement.
[3] https://spaces.internet2.edu/display/InCCollaborate/SP+Attribute+Requirements lists the AuthnRequest extension as an alternative to metadata.


- Rainer
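The metadata-driven alternative the two messages argue about, as an added worked example (not code from the thread, from Connectis, or from any of the cited projects): the SP registers its attribute sets as <md:AttributeConsumingService> entries in metadata, the AuthnRequest carries only an AttributeConsumingServiceIndex, and the IdP resolves the index and applies the mandatory/optional split from isRequired. The entityID, the service names, the subject's attribute values and the function names are this example's own assumptions; the attribute OIDs are the standard ones for mail, displayName and eduPersonPrincipalName. The index check uses the xs:unsignedShort range, which is where the 65535 ceiling quoted above comes from.

```python
"""Resolve a SAML SP's requested attribute set from metadata rather than from a
runtime extension, then apply data minimisation at the IdP.

Added example for the OASIS security-services thread; not code from the thread.
Only the standard SAML 2.0 namespaces are used. For untrusted XML in production,
parse with defusedxml rather than xml.etree to block entity-expansion attacks.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata (assumed entityID and service names): two attribute
# sets for one SP. The index attribute is an xs:unsignedShort, hence 0..65535.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"
          FriendlyName="displayName" isRequired="false"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest that selects the second attribute set by index only.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2014-12-10T10:00:00Z"
    AttributeConsumingServiceIndex="1">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""


def parse_attribute_consuming_services(metadata_xml):
    """Return {index: {"name": str, "default": bool, "attrs": {Name: isRequired}}}."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AttributeConsumingService", NS):
        index = int(acs.get("index"))
        if not 0 <= index <= 65535:  # xs:unsignedShort range
            raise ValueError(f"AttributeConsumingService index out of range: {index}")
        attrs = {}
        for ra in acs.iterfind("md:RequestedAttribute", NS):
            attrs[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
        services[index] = {
            "name": acs.findtext("md:ServiceName", default="", namespaces=NS),
            "default": acs.get("isDefault", "false").lower() == "true",
            "attrs": attrs,
        }
    return services


def resolve_requested_attributes(metadata_xml, authn_request_xml):
    """Pick the ACS named by AttributeConsumingServiceIndex, else the default one."""
    services = parse_attribute_consuming_services(metadata_xml)
    raw = ET.fromstring(authn_request_xml).get("AttributeConsumingServiceIndex")
    if raw is None:
        defaults = [s for s in services.values() if s["default"]]
        # Example convention: no isDefault flag anywhere -> lowest index wins.
        return defaults[0] if defaults else services[min(services)]
    index = int(raw)
    if index not in services:
        # Unknown index: refuse rather than guess what to release.
        raise LookupError(f"no AttributeConsumingService with index {index} in SP metadata")
    return services[index]


def select_release(service, available, strict=True):
    """IdP-side data minimisation for one resolved ACS.

    Mandatory (isRequired="true") attributes are always released and must be
    present; optional ones are withheld under strict=True (the minimal data set
    is the mandatory set) and released when present under strict=False.
    """
    released = {}
    for name, required in service["attrs"].items():
        if name in available:
            if required or not strict:
                released[name] = available[name]
        elif required:
            raise LookupError(f"mandatory attribute {name} not available for subject")
    return released


if __name__ == "__main__":
    # Constructed subject attributes.
    subject = {
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "alice@example.org",
        "urn:oid:0.9.2342.19200300.100.1.3": "alice@example.org",
        "urn:oid:2.16.840.1.113730.3.1.241": "Alice",
    }
    svc = resolve_requested_attributes(SP_METADATA, AUTHN_REQUEST)
    print(svc["name"], select_release(svc, subject))
```

Because the index is looked up in metadata the IdP operator has already reviewed, the SP cannot widen its attribute request at runtime; an unknown index is rejected instead of being guessed, which is the behaviour a runtime extension such as the STORK or TAS3 variants would have to replicate with a separate policy check.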


