
security-use message


Subject: Re: AuthN and Credentials

>>>>> "MP" == Mishra, Prateek <pmishra@netegrity.com> writes:

    Me> Our high-level goal here is not to burden SAML with the actual

    MP> Agreed. This was the main point of
    MP> ISSUE:[UC-5-03:AuthNThrough]; no expression of authentication
    MP> within SAML

Agreed, and it seems that the overwhelming majority of people in the
subcommittee agree (10-1!). Unfortunately, some people felt that the
wording of the non-goal was unclear or incorrect (at least that's my
guess as to why they voted against the particular non-goal). I think
that we need to find a better formulation that the dissenters could
agree to. Any dissenters have a suggestion?

My guess is that the quibble is about "authentication." If one is
being strictly formal, I think that accepting (say) an S2ML name
assertion as proof of identity is also a form of "authentication." Is
there a clear way we can state the difference?

    MP> However, we are concerned with characterizing the "result" or
    MP> OUTPUT of an authentication step. This is the so-called
    MP> credential notion.

Agreed again. Gotta stop myself from nitpicking here, but my
understanding is that credentials can be -any- data presented to
establish identity (thanks, Jeff! B-). Is there a way that we can
differentiate the "right" kind of credential that you and I both know
we mean from the "wrong" one?

    Me> "I am Evan Prodromou, because the outlook.net security system
    Me> says that the holder of this token is Evan Prodromou, and here
    Me> is the token: [token]."

    MP> Actually, this statement is incredibly complex and probably
    MP> needs to be approached in steps. [...] But my interest here
    MP> is in [token] which must be transparent and carry some form of
    MP> credential.

Yes! I completely agree that this is a very hairy item! But I believe
that the "[token]" is more or less the "right" kind of credential that
you enumerated in your message.

    MP> I think my concern is that the way [R-AuthN] and [R-AuthZ] are
    MP> written there is no suggestion that we need to capture any
    MP> standard credential forms. [...] This is also the background
    MP> to [CR-5-01-1: StandardCreds].

I voted for this one. B-) For my edification, what is the
difference between standard credentials and "descriptions of
authentication events"? Avoiding the problem of defining "the holder
of this token," I see the point of descriptions of authn events to be
something along the lines of:

        "The holder of this token is Evan Prodromou. At 10:00:00.000AM 
         on 28 Feb 2001, I used biometric toe-smell measurements to
         make sure. Signed, the outlook.net security service."

...and I'm not sure I see what the "credential" is, if not the full
statement (kind of like a letter of introduction).

Or (I'm getting an "aha" feeling) is the name "Evan Prodromou" the
standard credential (I'd call it an identity)? Which could be, say, a
DN or some other kind of identity?

