[Concordia] Notes from 1 Apr 2008 Concordia call

Eric Tiffany eric at projectliberty.org
Tue Apr 1 14:36:23 EDT 2008


The attribute approach has one principal advantage: you can represent a more
complex set of authentication details, including multiple dimensions of
authentication and multiple values.

However, there are several problems with using attributes:

* The SP can't specify what it wants in the AuthnRequest
* There is no processing defined for such attributes, so in addition to
defining the attributes and values, we also have to define (new) processing
rules.
* Existing implementations don't have the means to understand and process
these attributes, and probably can't be configured to do so.  These changes
require code modification.

The main advantages of the AuthnContext LOA approach are:

* Theoretically, conforming implementations should be able to interoperate
using the LOA URIs.  It should only require configuration.
* No new processing rules -- this is just a restriction of existing schema.
* SPs can state their needs in the RequestedAuthnContext

But perhaps this discussion should be taken to the TEG list where this
document was submitted -- it will end up in OASIS if it survives that
scrutiny.

ET
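As an added illustration of the AuthnContext LOA approach described above (example code written for these notes, not from the thread or from the draft profile; the urn:example:loa:N URIs, their ordering and the sample assertion are constructed assumptions), this shows an SP stating its need in RequestedAuthnContext and then checking the IdP's AuthnContextClassRef against it using the existing SAML Comparison semantics, with nothing but configuration (the ordered URI list) as the "processing rule":

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed placeholder LOA class URIs, ordered weakest to strongest.
# A real profile would define the URIs; the ordering is the only rule the SP needs.
LOA_ORDER = ["urn:example:loa:1", "urn:example:loa:2",
             "urn:example:loa:3", "urn:example:loa:4"]

def build_requested_authn_context(loa_uri, comparison="minimum"):
    """SP side: state the required LOA with the existing RequestedAuthnContext."""
    req = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    ET.SubElement(req, f"{{{SAML}}}AuthnContextClassRef").text = loa_uri
    return ET.tostring(req, encoding="unicode")

def asserted_loa(assertion_xml):
    """Pull the AuthnContextClassRef out of an assertion; None if absent."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    ref = root.find(path)
    return ref.text.strip() if ref is not None and ref.text else None

def satisfies(requested_uri, asserted_uri, comparison="minimum"):
    """Apply the SAML 2.0 Comparison semantics over the ordered LOA list.
    Unknown or missing class refs fail closed."""
    if requested_uri not in LOA_ORDER or asserted_uri not in LOA_ORDER:
        return False
    want = LOA_ORDER.index(requested_uri)
    got = LOA_ORDER.index(asserted_uri)
    return {"exact": got == want, "minimum": got >= want,
            "better": got > want, "maximum": got <= want}.get(comparison, False)

def check_assertion(assertion_xml, requested_uri, comparison="minimum"):
    """SP-side LOA decision; signature, issuer and audience checks come first (not shown)."""
    return satisfies(requested_uri, asserted_loa(assertion_xml), comparison)

# Constructed sample assertion from a hypothetical IdP asserting LOA 2.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0"
    IssueInstant="2008-04-01T18:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-04-01T17:59:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:example:loa:2</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

With the sample assertion, check_assertion(SAMPLE_ASSERTION, "urn:example:loa:2") returns True while requesting urn:example:loa:3 returns False, and an assertion carrying a class URI outside the configured list is rejected rather than guessed at.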

On 4/1/08 2:07 PM, "Brett McDowell" <brett at projectliberty.org> wrote:

> Your sense is accurate.
> 
> Brett McDowell | Liberty Alliance <http://www.projectliberty.org>  | vCard
> <http://www.ictprojects.com/Brett_McDowell_LAP.vcf>  | Calendar
> <http://www.google.com/calendar/hosted/ictprojects.com/embed?src=brett%40ictprojects.com&amp;ctz=America/New_York>
> 
> 
> On Tue, Apr 1, 2008 at 1:55 PM, Paul Madsen <paulmadsen at rogers.com> wrote:
>> picking up on Scott's comments below with respect to Authn Context vs
>> attributes for carrying assurance ..
>> 
>> Do people (e.g. GSA, DK, etc) currently use attributes because they see
>> them as a preferred mechanism, or because defining SAML authn context
>> class schemas has been prohibitive (and scary)?
>> 
>> It's been my sense that the above groups recognize that authn context is
>> preferred, and indicate a willingness to transition there ....
>> 
>> paul
>> 
>> Eve Maler wrote:
>>> > == Attendance ==
>>> >
>>> > Eve Maler (Sun), Damien Carru (Oracle), Ari Kermaier (Oracle), Eric
>>> > Tiffany (Liberty), Ashish Jain (Ping), Dervla O'Reilly (Liberty), Pat
>>> > Patterson (Sun), Vijay Simha (FuGen), Mike Jones (Microsoft), Caleb
>>> > Baker (Microsoft), Scott Cantor (Internet2), Brett McDowell (Liberty),
>>> > Sampo Kellomaki (SymLabs)
>>> >
>>> > == Workshop logistics ==
>>> >
>>> > Dervla reviewed the logistics she just sent out to the list.  We are
>>> > located in Red Room 302, Moscone Center North/South, Esplanade level.
>>> > We will have access beginning Sunday at 1pm.  You need a badge
>>> > (conference or expo) to get into this area!  Hopefully you've already
>>> > registered!
>>> >
>>> > See the signage banners at:
>>> >
>>> > http://orbitvisual.com/concordia/concordia_banner1.pdf
>>> > http://orbitvisual.com/concordia/concordia_banner2.pdf
>>> >
>>> > Directional boards will be placed in high traffic on Monday for
>>> > attendees (no logos on these signs).  We discussed per-table signs; we
>>> > hadn't planned on per-table signage, but then realized we needed a way
>>> > to distinguish each table!  Dervla will print simple 8.5x11 pages with
>>> > participant logos and get plastic stands.
>>> >
>>> > See the Moscone Center floorplan:
>>> >
>>> > http://www.moscone.com/mtgplanners/floorplans/northsouth/esplanade.shtml
>>> >
>>> > If you have questions or issues, Dervla's mobile is 415-948-3650.
>>> >
>>> > Interop participants will be expected to come up and do a quick demo
>>> > at the podium, in alphabetical order.  They should each count on a
>>> > "time budget" of about 15 minutes total for setup, demos, and any
>>> > slides or other presentation material, assuming the initial talk lasts
>>> > an hour.  Participants should be prepared with any special video
>>> > conversion dongles they might need.  The New Zealand State Services
>>> > Commission will present as an "honorary" demo participant; they have
>>> > been doing an InfoCard+SAML POC and have some lessons to share.
>>> >
>>> > == Endpoints ==
>>> >
>>> > We have five up so far: Microsoft, Oracle, Internet2, Ping Identity,
>>> > SymLabs
>>> >
>>> > http://projectconcordia.org/index.php/RSA_IOP_Endpoints
>>> >
>>> > Pat reports that Sun is working on its endpoints with a target of the
>>> > end of the week.
>>> >
>>> > Scott asks: Are people going to be able to demo against other people's
>>> > IdPs?  Pat says that's his goal.
>>> >
>>> > Ashish asks: Are the managed cards going to have the appropriate
>>> > choice among the five "authentication context" claim types in them?
>>> > Successful interop should result in only a card with the requested
>>> > authn claim type being selectable.  This isn't quite working yet as
>>> > far as we can see, but people are working on it.  Caleb wasn't
>>> > planning on putting this into wauth but will try.
>>> >
>>> > What version of WS-Federation is being targeted in the Microsoft
>>> > implementation?  Caleb will get a definitive answer today.  The wreply
>>> > vs. wrealm usage raises a question about our original reasoning on
>>> > this.  The wiki currently says WS-Fed 1.1, but the namespace is more
>>> > like the Passive Interop Profile version.  It's not useful to document
>>> > too thoroughly what we had to do to get the interop to work next week,
>>> > because many participants are using developer builds rather than
>>> > shipping products, but the interop work is useful to highlight issues
>>> > that need to be solved by ship-time.
>>> >
>>> > Please send Eve any corrections to the participation matrix because
>>> > this appears in the slides.
>>> >
>>> > == Side-discussion of how to represent Levels of Assurance ==
>>> >
>>> > Eric has been working on a proposal for a SAML profile that uses the
>>> > authentication context data structure for conveying levels of
>>> > assurance.  But the input from Scott is that people tend to use
>>> > attributes today instead, partly because it's easy to parse and partly
>>> > because it's multi-valued in some cases.  Eve suggests that maybe a
>>> > better approach, learning from this, is an attribute profile.
>>> >
>>> > == Next meeting ==
>>> >
>>> > We'll have a two-hour meeting 10am-noon PT on April 22 to digest what
>>> > we learned at the workshop.
>>> >
>>> > And if anyone feels the need for a quick call on Friday as things get
>>> > down to the wire, let Eve know!
>>> >
>>> >
>>> > Eve Maler                                         +1 425 947 4522
>>> > Principal Engineer                            eve.maler @ sun.com
>>> > Business Alliances group                    Sun Microsystems, Inc.
>>> > _______________________________________________
>>> > Community mailing list
>>> > Community at projectconcordia.org
>>> > http://lists.projectconcordia.org/mailman/listinfo/community
>>> >
>>> > Participating in this discussion list does not grant any intellectual
>>> > property rights or any commitment by the participants of the content
>>> > discussed to any organization.
>>> >
>>> >
>>> >
>> 
>> --
>> Paul Madsen            e:paulmadsen @ ntt-at.com
>> NTT                    p:613-482-0432
>>                        m:613-282-8647
>>                        aim:PaulMdsn5
>>                        web:connectid.blogspot.com
>> 
>> 
>> -- 
>> ____________________________________________________
>> Eric  Tiffany             |  eric at projectliberty.org
>> Interop Tech  Lead        |  +1 413-458-3743
>> Liberty Alliance          |  +1 413-627-1778 mobile
>> 
