[Concordia] meeting notes finally online - Definition of Claims
Mike Jones
Michael.Jones at microsoft.com
Sun Dec 16 15:10:13 EST 2007
:-)
-----Original Message-----
From: Paul Madsen [mailto:paulmadsen at rogers.com]
Sent: Sunday, December 16, 2007 4:02 AM
To: Mike Jones
Cc: community at projectconcordia.org
Subject: Re: [Concordia] meeting notes finally online - Definition of Claims
Mike, agree
I saw the 'assertion' in Kim's sentence and interpreted it as referring
to one of the point-bracket versions ...
paul
p.s. Doubt is the flip-side of assurance. Liberty contemplated creating
the "Liberty Doubt Framework". Early consumer tests indicated that
people thought it was a self-help book so the name was changed.
Mike Jones wrote:
> :-)
>
> What Kim means by an "assertion that is in doubt" is that trust isn't absolute. It's always up to the relying party to decide what actions to take based on the claims made in the token delivered by the identity provider and who the identity provider is.
>
> For instance, an "over 21" claim made by the Washington Department of Motor Vehicle Licensing might be accepted by Kendall Jackson to authorize online purchase of Chardonnay, whereas an "over 21" claim that I make about myself, or that another party not trusted by Kendall Jackson makes, might not be accepted to authorize the same actions.
>
> Doubt is in the eye of the beholder.
>
> -- Mike
>
> -----Original Message-----
> From: community-bounces at projectconcordia.org [mailto:community-bounces at projectconcordia.org] On Behalf Of Paul Madsen
> Sent: Saturday, December 15, 2007 6:22 AM
> To: community at projectconcordia.org
> Subject: Re: [Concordia] meeting notes finally online - Definition of Claims
>
> there appears to have been a mailing list mix-up that has resulted in ID
> Gang messages being sent to Concordia ....
>
> All I meant with my original statement was that claims and assertions,
> ignoring the specifics of how different standards define nesting (e.g. a
> SAML attribute statement maps into a claim, etc.), are logically the same
> - an IDP's attestation (there, another term for us to debate) as to the
> value of some set of identity attributes for a user.
>
> paul
>
> p.s. I don't buy Kim's below defn of claim as some sort of
> 'questionable' assertion; the implication seems to be that the IDP is
> covering its butt against ramifications. Would the IDP indicate its
> degree of doubt?
>
>
> Charles Andres wrote:
>
>> From Kim Cameron's definition of 'claims' (DIDW keynote Sept 2007), I
>> think we can conclude that
>> SAML assertions are one type of claim. An industry-wide tautology will
>> help us discuss such details.
>> Claims != SAML assertion; SAML assertion is a member of the set of claims.
>>
>>
>> * Claims
>> - The information through which loosely coupled components can decide
>> whether and how to provide services
>> - Different sources of claims for different purposes
>> - An assertion which is in doubt
>>
>> * Claims describe entities:
>>   - Principals
>>     * requestors of access, e.g. humans, devices, applications
>>     * composite principal = human + device + application
>>   - Resources
>>     * targets of access request, e.g. services, data
>>   - Actions
>>     * operations on resources
>>   - Context
>>     * runtime environment of the access session
>>
>> * Actionable claims
>> - Claims a component is willing to act upon after evaluation
>>
>>
>> On 12/14/07 5:20 PM, "Hubert Le Van Gong" <Hubert.Levangong at Sun.COM>
>> wrote:
>>
>> I'm not sure you can always equate claims with (SAML) assertions.
>> Assertions can range from "pure" authentication assertions, where all
>> that is conveyed is a statement about the principal's authN status &
>> context. Other assertions can also include attribute(s), which is where I
>> see an equivalence to claims. I'm sure someone will say that a claim can
>> also just convey authN status, but it seems (to me at least) that a claim
>> is often about more than that.
>>
>> Hubert
>>
>> On Dec 14, 2007, at 1:28 PM, Paul Madsen wrote:
>>
>> Given the ECP context of this sentence in the minutes, I think Mike has
>> half the gist.
>>
>> It's about using a SAML ECP for IDP selection, in order to enable SSO
>> based on a pseudonym for the user, but with no additional (claimed)
>> attributes flowing along with the identifier.
>>
>> I expect that the confusion arose because, to me at least (and perhaps
>> other SAMLites), a 'claim' is synonymous with an 'assertion', so it read
>> strange to see the equivalent of 'no list of assertions'.
>>
>> paul
>>
>> Beach, Michael C wrote:
>>
>> Maybe I am not following, but we have many cases, particularly in the
>> defense space, where an SP/RP will want only subject identifier and
>> authentication attributes/level/context. The SP/RP has an internal
>> account that is associated with the subject identifier; all
>> authorization logic and authorization data is internal to the SP/RP. The
>> SP/RP only wants to know who you are and what level (or context, or ???)
>> of authentication you used.
>>
>> Mike Beach, CISSP
>> Chief Security Designer
>> Information Security
>> The Boeing Company
>> michael.c.beach at boeing.com
>>
>> -----Original Message-----
>> From: Eve Maler [mailto:Eve.Maler at Sun.COM]
>> Sent: Friday, December 14, 2007 12:30 PM
>> To: Brett McDowell
>> Cc: community at projectconcordia.org
>> Subject: Re: [Concordia] meeting notes finally online
>>
>> Searching on those notes, I found this:
>>
>> "Mike J. captured this new scenario as "IdP Selection, Auth Attributes
>> but not list of claims"."
>>
>> That's what I was remembering, but now I want to review in light of the
>> great discussion from yesterday. Britta has sent me her notes and I hope
>> to post them this afternoon or over the weekend.
>>
>> Eve
>>
>> On Dec 14, 2007, at 12:23 PM, Brett McDowell wrote:
>>
>>
>> Eve, which scenario was that from?
>>
>> On Dec 13, 2007, at 11:58 AM, Eve Maler wrote:
>>
>>
>> Related to this, I had a question about the notes from the last
>> workshop (which I've only read very quickly so far) -- there was
>> something about "authentication attributes without claims" as a
>> scenario, which I can't make heads/tails of...
>>
>> Eve
>>
>>
>>
>> Eve Maler +1 425 947 4522
>> Principal Engineer eve.maler @ sun.com
>> CTO Business Alliances group Sun Microsystems, Inc.
>>
>> _______________________________________________
>> Community mailing list
>> Community at projectconcordia.org
>> http://lists.projectconcordia.org/mailman/listinfo/community
>>
>> Participating in this discussion list does not grant any
>> intellectual
>> property rights or any commitment by the participants of
>> the content
>> discussed to any organization.
>>
>>
>>
>>
>
> --
> Paul Madsen e:paulmadsen @ ntt-at.com
> NTT p:613-482-0432
> m:613-282-8647
> aim:PaulMdsn5
> web:connectid.blogspot.com
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
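The relying-party decision Mike describes above (the same "over 21" claim is actionable when the Washington DoL issues it but not when the subject asserts it about itself), together with the scenario Mike Beach raises (an SP that consumes only the subject identifier and the authentication context and keeps all authorization data internal), as an added Python illustration. This is not code from the thread, from Kim Cameron's talk, or from any Concordia, Liberty or SAML specification; the issuer identifiers, the shape of the RP policy, the authentication-context labels and the sample tokens are all constructed for the example.

```python
"""Relying-party evaluation of claims.

Whether a claim is "actionable" depends on who issued it and on the RP's own
policy, not on the claim itself: "doubt is in the eye of the beholder".
Everything below (issuer names, policy shape, authn labels) is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Token:
    issuer: str                       # who is making the claims (an IdP, or the subject itself)
    subject: str                      # identifier of the principal the claims are about
    claims: Dict[str, object] = field(default_factory=dict)
    authn_context: Optional[str] = None  # e.g. "password", "smartcard" (hypothetical labels)


# Hypothetical issuer identifiers, constructed for this example.
WA_DOL = "urn:example:wa-dol"          # stands in for the Washington DoL in the thread
SOME_BLOG = "urn:example:someblog"     # an issuer the wine shop has no reason to trust
CORP_IDP = "urn:example:corp-idp"      # the one IdP a defense-style SP federates with

# RP policy: for each claim name, the set of issuers whose word this RP accepts.
# A claim from any other issuer is still a claim; it is just not actionable here.
RpPolicy = Dict[str, FrozenSet[str]]
WINE_SHOP_POLICY: RpPolicy = {
    "over_21": frozenset({WA_DOL}),                 # high stakes: only the DoL
    "email": frozenset({WA_DOL, SOME_BLOG}),        # low stakes: more issuers accepted
}


def actionable_claims(token: Token, policy: RpPolicy) -> Dict[str, object]:
    """Return the subset of the token's claims this RP is willing to act upon."""
    if token.issuer == token.subject:
        # Self-asserted: the subject vouching for itself. Never actionable here.
        return {}
    return {
        name: value
        for name, value in token.claims.items()
        if token.issuer in policy.get(name, frozenset())
    }


def may_purchase_alcohol(token: Token, policy: RpPolicy = WINE_SHOP_POLICY) -> bool:
    """The wine shop acts only on an actionable, affirmative "over_21" claim."""
    return actionable_claims(token, policy).get("over_21") is True


# Mike Beach's scenario: the SP/RP maps the subject identifier to an internal
# account and only checks the authentication context; attribute claims in the
# assertion are deliberately ignored. Ordering of contexts is hypothetical.
AUTHN_STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}


def internal_authorize(token: Token, accounts: Dict[str, Set[str]],
                       trusted_idp: str, action: str, min_authn: str) -> bool:
    """Authorize `action` from the SP's own account data, not from the token's claims."""
    if token.issuer != trusted_idp:
        return False                                    # unknown IdP: no subject binding
    if AUTHN_STRENGTH.get(token.authn_context, 0) < AUTHN_STRENGTH[min_authn]:
        return False                                    # authenticated too weakly for this action
    return action in accounts.get(token.subject, set())


if __name__ == "__main__":
    dol = Token(WA_DOL, "alice", {"over_21": True})
    selfie = Token("alice", "alice", {"over_21": True})
    print(may_purchase_alcohol(dol), may_purchase_alcohol(selfie))  # True False
```

The two functions are deliberately different in kind: `actionable_claims` filters on the issuer per claim, so the same token can be fully trusted by one RP and worthless to another, while `internal_authorize` never looks at attribute claims at all and only binds the subject identifier and authentication context to data the SP already holds.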