Subject: ISSUE:[UC-5-01:AuthCProtocol] reworked
Straw Man 1 explicitly makes challenge-response authentication a non-goal. Is specifying which types of authc are allowed and what protocols they can use necessary for this document? If so, what types and which protocols?

As written, this issue covers a lot of ground. Issue:[UC-5-03:AuthCthrough] covers the related issue of the removal of considerations of modeling authentication methods within [OSSML], which need not be discussed further in 5-01.

There is an aspect of these requirements that is missing from this discussion. There is a need for describing different forms of credentials (name-password, public key, X509 certificates etc) within OSSML. In this sense there is a connection to the different "permitted forms of authc" [2] within OSSML.

I suggest the following sub-parts for voting:

(1) The Non-Goal "Challenge-response authentication protocols are outside the scope of the [OSSML]" be removed from the Strawman 3 document.

(2) The following requirements be added:

[R-StandardCreds] [OSSML] should provide a data format for credentials including those based on name-password, X509v3 certificates, public keys, X509 Distinguished name, and empty credentials.

[R-ExtensibleCreds] [OSSML] The credentials data format must support extensibility in a structured fashion.

I believe this is consistent or can be derived from Nigel's suggestion [1] but is perhaps closer to the current style of specification in Strawman 2. It also reflects the discussion in [2] and [3].

[1] http://lists.oasis-open.org/archives/security-use/200102/msg00029.html
[2] http://lists.oasis-open.org/archives/security-use/200102/msg00038.html
[3] http://lists.oasis-open.org/archives/security-use/200102/msg00064.html