Fwd: [Concordia] Proxying assurance between OpenID & SAML - RSA Demo report

Johannes Ernst jernst+openid.net at netmesh.us
Thu Apr 23 18:45:00 UTC 2009


Some PAPE input below.

Begin forwarded message:

> From: Paul Madsen <paulmadsen at rogers.com>
> Date: April 23, 2009 11:38:54 PDT
> To: Concordia Community list <community at projectconcordia.org>
> Subject: [Concordia] Proxying assurance between OpenID & SAML - RSA Demo report
>
> NRI, NTT, and Oracle demoed the two OpenID/SAML use cases (http://bit.ly/ZXHt6) at the RSA Identity workshop this past Monday.
>
> Demos went well, with good interest from attendees throughout the day.
>
> In parallel with the demos, I gave the attached short presentation.
>
> The deck calls out some issues/questions for both OpenID & SAML  
> support for assurance that the use cases teased out.
>
> These are
>
> 1) PAPE has no password policy, i.e. no URI comparable to phishing-resistant etc.
>
> For the purposes of the demo, we spun up our own. It could also be argued that, as this is the default, it could be left implicit.
>
> 2) SAML LoA AC profile is work in progress. Until complete, can't map between OpenID's support for assurance levels and SAML's.
>
> 3) PAPE doesn't allow a specific LoA to be requested. PAPE allows the RP to say 'I want an answer back in terms of NIST 800-63' but not say 'I want a NIST 800-63 Level 1' assertion.
>
> 4) What level of detail about the original authentication (who, where, what etc.) should persist across the proxy boundary?
>
> Is it useful info, do SP/RP want it?
>
> Should the RP/SP be able to indicate its desires?
>
> Related, SAML provides the <AuthenticatingAuthority> element; OpenID has nothing equivalent.
>
> 5) How to deal with possible assurance inequality between protocols. If two protocols differ in their ability to carry assurance levels (e.g. one tops out at LoA 2, another 3), what should the proxy do?
>
> Some issues would appear to imply waiting for a rev to PAPE (the  
> schedule for which I do not know) ...
>
> Your thoughts welcome
>
> Paul
>
> -- 
> Paul Madsen
> e:paulmadsen @ ntt-at.com
> m:613-282-8647
> web:connectid.blogspot.com
> _______________________________________________
> Community mailing list
> Community at projectconcordia.org
> http://lists.projectconcordia.org/mailman/listinfo/community

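Added example (not code from the original post or the demo): the RP-side consequence of issue 3 is that, because a PAPE 1.0 request can only name the assurance framework (via preferred_auth_level_types) and not a level, the RP must enforce its minimum NIST SP 800-63 level on the response; the proxy_level function illustrates one conservative answer to issue 5, where the target protocol's ceiling is lower than the asserted level. The PAPE parameter names and the NIST namespace URI are from PAPE 1.0; the extension alias `pape`, the sample response, and the CEILINGS table are constructed for illustration.

```python
# PAPE 1.0 namespace URI for NIST SP 800-63 assurance levels (Appendix A of PAPE).
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"

# Constructed sample of PAPE response parameters, assuming the extension alias 'pape'.
SAMPLE_RESPONSE = {
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant",
    "openid.pape.auth_time": "2009-04-20T17:30:00Z",
    "openid.pape.auth_level.ns.nist": NIST_NS,   # alias 'nist' is per-message
    "openid.pape.auth_level.nist": "2",
}


def parse_auth_levels(resp):
    """Return {namespace_uri: level_string} from PAPE response parameters.

    PAPE carries each level as openid.pape.auth_level.ns.<alias> = <namespace URI>
    plus openid.pape.auth_level.<alias> = <value>; the alias is chosen by the OP.
    """
    prefix = "openid.pape.auth_level.ns."
    levels = {}
    for key, ns in resp.items():
        if key.startswith(prefix):
            alias = key[len(prefix):]
            value = resp.get("openid.pape.auth_level." + alias)
            if value is not None:
                levels[ns] = value
    return levels


def meets_nist_minimum(resp, required_level):
    """RP-side check: accept only if the OP reported a NIST level >= required.

    The request cannot express 'Level N or better', so the RP fails closed here
    when the level is absent or not an integer.
    """
    reported = parse_auth_levels(resp).get(NIST_NS)
    if reported is None or not reported.isdigit():
        return False
    return int(reported) >= required_level


# Highest level each side of the proxy can express (constructed for illustration).
CEILINGS = {"openid-pape-nist": 4, "saml-ac-demo": 2}


def proxy_level(level, dst):
    """Carry an assurance level into protocol dst without ever asserting more
    than the original; returns (level_to_assert, was_downgraded)."""
    cap = CEILINGS[dst]
    return (cap, True) if level > cap else (level, False)
```

The downgrade flag is what the proxy would need to log or surface to the SP, since the clamped assertion alone no longer shows that the original authentication was stronger.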
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntt-madsen-rsa-concordia.ppt
Type: application/vnd.ms-powerpoint
Size: 162304 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090423/2aba40bf/attachment-0002.ppt>