

Subject: RE: Comments on Straw Man Draft 2: Authentication Protocol non-goals


We will add an area in the Security Services group of the issue list to ask
this question specifically - are we specifying an authN service as part of
our work?



> -----Original Message-----
> From: Irving Reid [mailto:Irving.Reid@baltimore.com]
> Sent: Monday, February 19, 2001 2:43 PM
> To: 'security-use@lists.oasis-open.org'
> Subject: Comments on Straw Man Draft 2: Authentication Protocol non-goals
>
>
> I'll split my comments into a series of messages, one for each issue...
>
> In the Requirements / Non-Goals section, the non-goal "Challenge-response
> authentication protocols are outside the scope of OSSML." is included. This
> non-goal originally came from the S2ML spec.
>
> S2ML included a very basic authentication service, where users (or servers,
> on behalf of users) could present credentials to the S2ML service and
> receive a name assertion in return. The two forms of credential supported
> were username/password, or X509 certificate.
>
> Speaking for Baltimore, we feel that providing such a limited authentication
> service would not be useful. This leaves two alternatives:
>
> 1. Do not specify an authentication service within [OSSML]
> 2. Specify a more general authn service.
>
> The first alternative reduces the size of the [OSSML] effort, but it might
> leave us without enough meat to be useful. What we end up with is that name
> assertions appear as if by magic through some out-of-band mechanism, and
> then the [OSSML] service allows you to pass them around and possibly obtain
> further related assertions.
>
> The second alternative provides a more complete spec, but opens the usual
> large can of worms. Without proposing a specific solution, we need to keep
> in mind that many people have defined authentication services in the past,
> and we'd be much better off to choose one and dress it up in XML rather than
> to start over from scratch. SASL, RADIUS/DIAMETER, etc. could be reasonable
> starting places.
>
> Irving Reid <irving.reid@baltimore.com>
> Principal Technical Architect, SelectAccess
> Baltimore Technologies