OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-use message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Comments on Straw Man Draft 2: Authentication Protocol non-goals

I'll split my comments into a series of messages, one for each issue...

In the Requirements / Non-Goals section, the non-goal "Challenge-response
authentication protocols are outside the scope of OSSML." is included. This
non-goal originally came from the S2ML spec.

S2ML included a very basic authentication service, where users (or servers,
on behalf of users) could present credentials to the S2ML service and
receive a name assertion in return. The two forms of credential supported
were username/password, or X509 certificate.

Speaking for Baltimore, we feel that providing such a limited authentication
service would not be useful. This leaves two alternatives:

1. Do not specify an authentication service within [OSSML]
2. Specify a more general authn service.

The first alternative reduces the size of the [OSSML] effort, but it might
leave us without enough meat to be useful. What we end up with is that name
assertions appear as if by magic through some out-of-band mechanism, and
then the [OSSML] service allows you to pass them around and possibly obtain
further related assertions.

The second alternative provides a more complete spec, but opens the usual
large can of worms. Without proposing a specific solution, we need to keep
in mind that many people have defined authentication services in the past,
and we'd be much better off to choose one and dress it up in XML rather than
to start over from scratch. SASL, RADIUS/DIAMETER, etc. could be reasonable
starting places.

Irving Reid <irving.reid@baltimore.com>
Principal Technical Architect, SelectAccess
Baltimore Technologies

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC