Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)
Paul Madsen
paulmadsen at rogers.com
Mon Oct 22 22:32:20 UTC 2007
Hey David, IsPassive is an attribute on the AuthnRequest that allows the
SP to indicate policy for how the user is authenticated
IsPassive [Optional]
A Boolean value. If "true", the identity provider and the user agent
itself MUST NOT visibly take control
of the user interface from the requester and interact with the presenter
in a noticeable fashion. If a
value is not provided, the default is "false".
It works in combination with ForceAuthn (which seems to fit with where
you wre going with 'active authn' below
ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the
presenter directly rather than
rely on a previous security context. If a value is not provided, the
default is "false". However, if both
ForceAuthn and IsPassive are "true", the identity provider MUST NOT
freshly authenticate the
presenter unless the constraints of IsPassive can be met
David Recordon wrote:
> Hey Paul,
> How do you guys define "passive". Seems like the opposite problem of
> defining "active".
>
> Thanks,
> --David
>
> On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote:
>
>> SAML 2.0 expresses it in terms of whether or not the authentication
>> is 'passive'
>>
>> paul
>>
>> David Recordon wrote:
>>> Agreed with Jonathan here, don't think we need to define a policy
>>> URI for "active". Rather need to clarify what is meant in section
>>> 5.1.
>>> (Optional) If the End User has not actively authenticated to the
>>> OP within the number
>>> of seconds specified in a manner fitting the requested policies,
>>> the OP MUST
>>> authenticate the End User for this request.
>>>
>>> What about?
>>> Active authentication is defined as the user providing a
>>> credential to the OP beyond a cookie which passively stores prior
>>> authentication credentials.
>>>
>>> Still don't like that definition, but hopefully a few iterations
>>> and we'll get there. Also asking around in the security community
>>> if there is a definition for this.
>>>
>>> --David
>>>
>>> On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>>>
>>>
>>>> On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
>>>>
>>>>
>>>>> # Yep, the idea is for the PAPE spec to define a few generic and
>>>>> # agreed upon policies and then RPs and OPs can create others. Thus
>>>>> # if there isn't agreement on a policy, there would be multiple
>>>>> policy
>>>>> # URIs. Same concept as in Attribute Exchange.
>>>>>
>>>>> Using policy URIs to indicate certain modes of authentication is a
>>>>> fine idea, but that doesn't really address the original issue: the
>>>>> spec does not define "active" ("direct") authentication.
>>>>>
>>>> Agreed. PAPE spec should define one such policy that's acceptable
>>>> for most of the OPs/RPs (and tie auth_age to it), leaving the
>>>> possibility open for anyone to define other similar policies.
>>>>
>>>> This could be a bit tricky to specify if there's another parameter
>>>> involved, but we should be able to come up with a solution.
>>>>
>>>> Johnny
>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> specs mailing list
>>> specs at openid.net
>>> http://openid.net/mailman/listinfo/specs
>>>
>>>
>>>
>>
>> --
>> Paul Madsen e:paulmadsen @ ntt-at.com
>> NTT p:613-482-0432
>> m:613-282-8647
>> aim:PaulMdsn5
>> web:connectid.blogspot.com
>>
>
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
More information about the specs
mailing list