OASIS Mailing List Archives

security-use message



Subject: Re: Use Case & Requirements Doc Strawman 1 Issues List


Prateek,

> >ISSUE[UC-1-04:ARundgrenPush] Anders Rundgren has proposed on
> >security-use an alternative to use case scenario 2 (single sign-on,
> >push model). The particular variation is that the source Web site
> >requests an authorization profile for a resource (e.g., the
> >credentials necessary to access the resource) before requesting
> >access. Should this scenario replace the existing use case scenario 2?
> >Should it be made an additional scenario?
> 
> I would argue that what Anders is referring to is a security
> service called "security discovery": given a resource protected
> by a security engine we wish to query the security engine
> about the security properties of the resource.
> This is an important topic but completely distinct from the 
> [Web Browser Use-Case]. I would strongly recommend that we
> keep the two topics separated.

It is possibly a part of a more advanced Web Browser Use-Case like
in Shibboleth as this "security discovery" gives a new set of possibilities (and problems).

So then I propose: "Basic Web Browser Use-Case" and "Advanced Web Browser Use-Case",
where the latter is effectively involving the RP performing a challenge-response authentication on the AP,
after first giving AP its identity and cred-requirements.  This is BTW the use case that I'm interested in as
the advanced use case is a true super-set of the basic use case, which IMO makes the basic use case
a dead end.

Anders



