Subject: Comments on Straw Man Draft 2: Authentication Protocol non-goals
I'll split my comments into a series of messages, one for each issue...

In the Requirements / Non-Goals section, the non-goal "Challenge-response authentication protocols are outside the scope of OSSML." is included. This non-goal originally came from the S2ML spec. S2ML included a very basic authentication service, where users (or servers, on behalf of users) could present credentials to the S2ML service and receive a name assertion in return. The two forms of credential supported were username/password, or X509 certificate.

Speaking for Baltimore, we feel that providing such a limited authentication service would not be useful. This leaves two alternatives:

1. Do not specify an authentication service within [OSSML]
2. Specify a more general authn service.

The first alternative reduces the size of the [OSSML] effort, but it might leave us without enough meat to be useful. What we end up with is that name assertions appear as if by magic through some out-of-band mechanism, and then the [OSSML] service allows you to pass them around and possibly obtain further related assertions.

The second alternative provides a more complete spec, but opens the usual large can of worms. Without proposing a specific solution, we need to keep in mind that many people have defined authentication services in the past, and we'd be much better off to choose one and dress it up in XML rather than to start over from scratch. SASL, RADIUS/DIAMETER, etc. could be reasonable starting places.

Irving Reid <irving.reid@baltimore.com>
Principal Technical Architect, SelectAccess
Baltimore Technologies