Subject: Re: AuthN and Credentials
>>>>> "MP" == Mishra, Prateek <pmishra@netegrity.com> writes:

Me> Our high-level goal here is not to burden SAML with the actual

MP> Agreed. This was the main point of
MP> ISSUE:[UC-5-03:AuthNThrough]; no expression of authentication
MP> within SAML

Agreed, and it seems that the overwhelming majority of people in the subcommittee agree (10-1!). Unfortunately, some people felt that the wording of the non-goal was unclear or incorrect (at least that's my guess as to why they voted against the particular non-goal). I think that we need to find a better formulation that the dissenters could agree to. Any dissenters have a suggestion?

My guess is that the quibble is about "authentication." If one is being strictly formal, I think that accepting (say) an S2ML name assertion as proof of identity is also a form of "authentication." Is there a clear way we can state the difference?

MP> However, we are concerned with characterizing the "result" or
MP> OUTPUT of an authentication step. This is the so-called
MP> credential notion.

Agreed again. Gotta stop myself from nit-picking here, but my understanding is that credentials can be -any- data presented to establish identity (thanks, Jeff! B-). Is there a way that we can differentiate the "right" kind of credential that you and I both know we mean from the "wrong" one?

Me> "I am Evan Prodromou, because the outlook.net security system
Me> says that the holder of this token is Evan Prodromou, and here
Me> is the token: [token]."

MP> Actually, this statement is incredibly complex and probably
MP> needs to be approached in steps. [...] But my interest here
MP> is in [token] which must be transparent and carry some form of
MP> credential.

Yes! I completely agree that this is a very hairy item! But I believe that the "[token]" is more or less the "right" kind of credential that you enumerated in your message.

MP> I think my concern is that the way [R-AuthN] and [R-AuthZ] are
MP> written there is no suggestion that we need to capture any
MP> standard credential forms. [...] This is also the background
MP> to [CR-5-01-1: StandardCreds].

I voted for this one. B-)

For my edification, what is the difference between standard credentials and "descriptions of authentication events"? Avoiding the problem of defining "the holder of this token," I see the point of descriptions of authn events to be something along the lines of:

"The holder of this token is Evan Prodromou. At 10:00:00.000AM on 28 Feb 2001, I used biometric toe-smell measurements to make sure. Signed, the outlook.net security service."

...and I'm not sure I see what the "credential" is, if not the full statement (kind of like a letter of introduction). Or (I'm getting an "aha" feeling) is the name "Evan Prodromou" the standard credential (I'd call it an identity)? Which could be, say, a DN or some other kind of identity?

Thanks,

~ESP
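The distinction the message circles around (the bare name as an identity versus the whole signed "description of an authentication event" as the credential) can be made concrete in code. The example below is an added illustration, not part of the original post or of any SAML or S2ML specification: it builds a statement with the fields named in the message (holder, authentication instant, method, signer) and shows that a relying party accepts only the signed statement from a known issuer, not the name on its own. The issuer name, the HMAC key and the five-minute freshness window are constructed assumptions, and HMAC stands in for whatever signature scheme a real issuer would use.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed assumption: the relying party knows one issuer and its verification key.
# A real deployment would hold the issuer's public key; HMAC is used here only so the
# example runs offline with a single shared secret.
ISSUER_KEYS = {
    "outlook.net security service": b"constructed-demo-key-not-a-real-secret",
}

# Constructed assumption: how long after the authentication instant a statement is trusted.
MAX_AGE = timedelta(minutes=5)


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_authn_statement(issuer: str, subject: str, method: str, authn_instant: datetime) -> dict:
    """Issuer side: describe an authentication event and sign the description.

    The returned dict is the "credential" in the message's sense: the full signed
    statement, not just the subject name inside it."""
    body = {
        "issuer": issuer,               # who is vouching ("Signed, the ... security service")
        "subject": subject,             # the identity ("the holder of this token is ...")
        "method": method,               # how the issuer checked ("biometric toe-smell measurements")
        "authn_instant": authn_instant.isoformat(),  # when ("At 10:00:00.000AM on 28 Feb 2001")
    }
    signature = hmac.new(ISSUER_KEYS[issuer], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_authn_statement(token: dict, now: datetime) -> tuple:
    """Relying-party side. Returns (accepted, reason_or_subject).

    Only a statement that (1) names a known issuer, (2) carries that issuer's valid
    signature over every field, and (3) describes a recent event yields an identity."""
    body = token.get("body")
    if not isinstance(body, dict):
        return (False, "not a statement")        # e.g. a bare name is not a credential
    key = ISSUER_KEYS.get(body.get("issuer"))
    if key is None:
        return (False, "unknown issuer")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("signature", "")):
        return (False, "bad signature")          # any edited field breaks the signature
    instant = datetime.fromisoformat(body["authn_instant"])
    if now - instant > MAX_AGE:
        return (False, "stale")                  # the event is described, but too long ago
    return (True, body["subject"])


if __name__ == "__main__":
    # Constructed sample using the time from the message.
    issued_at = datetime(2001, 2, 28, 10, 0, 0, tzinfo=timezone.utc)
    tok = make_authn_statement("outlook.net security service", "Evan Prodromou",
                               "biometric toe-smell measurements", issued_at)
    print(verify_authn_statement(tok, issued_at + timedelta(minutes=1)))
    print(verify_authn_statement({"body": "Evan Prodromou"}, issued_at))
```

Run as a script it prints an accepted result carrying the subject name, then a rejection for the bare name. The point the code makes is that the name "Evan Prodromou" is the identity being asserted, while the signed statement is the thing a relying party can actually check, which is why the statement, not the name, is the credential.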