Fwd: [Concordia] Proxying assurance between OpenID & SAML - RSA Demo report
Johannes Ernst
jernst+openid.net at netmesh.us
Thu Apr 23 18:45:00 UTC 2009
Some PAPE input below.
Begin forwarded message:
> From: Paul Madsen <paulmadsen at rogers.com>
> Date: April 23, 2009 11:38:54 PDT
> To: Concordia Community list <community at projectconcordia.org>
> Subject: [Concordia] Proxying assurance between OpenID & SAML - RSA
> Demo report
>
> NRI, NTT, and Oracle demoed the two OpenID/SAML use cases (http://bit.ly/ZXHt6)
> at the RSA Identity workshop this past Monday.
>
> Demos went well, with good interest from attendees throughout the day.
>
> In parallel with the demos, I gave the attached short presentation.
>
> The deck calls out some issues/questions for both OpenID & SAML
> support for assurance that the use cases teased out.
>
> These are
>
> 1) PAPE has no password policy, i.e. no URI comparable to
> phishing-resistant etc.
>
> For the purposes of the demo, we spun up our own. Could also be
> argued that, as this is the default, it could be left implicit.
>
> 2) SAML LoA AC profile is work in progress. Until complete, can't
> map between OpenID's support for assurance levels and SAML's
>
> 3) PAPE doesn't allow a specific LoA to be requested. PAPE allows the
> RP to say 'I want an answer back in terms of NIST 800-63' but not
> say 'I want a NIST 800-63 Level 1' assertion.
>
> 4) What level of detail about the original authentication (who, where,
> what etc.) should persist across the proxy boundary?
>
> Is it useful info, do SP/RP want it?
>
> Should the RP/SP be able to indicate its desires?
>
> Related, SAML provides the <AuthenticatingAuthority> element, OpenID
> nothing equivalent.
>
> 5) How to deal with possible assurance inequality between protocols.
> If two protocols differ in their ability to carry assurance levels
> (e.g. one tops out at LoA 2, another 3), what should the proxy do?
>
> Some issues would appear to imply waiting for a rev to PAPE (the
> schedule for which I do not know) ...
>
> Your thoughts welcome
>
> Paul
>
> --
> Paul Madsen
> e:paulmadsen @ ntt-at.com
> m:613-282-8647
> web:connectid.blogspot.com
> _______________________________________________
> Community mailing list
> Community at projectconcordia.org
> http://lists.projectconcordia.org/mailman/listinfo/community
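Issue 3 above in working form, as an added example that is not part of the thread: the RP builds a PAPE 1.0 request that can only name the level *type*, then enforces its own minimum LoA against whatever the OP asserts. Parameter names and URIs are those of PAPE 1.0; the sample OP responses are constructed.

```python
# Added example (not from the thread): RP-side handling of PAPE 1.0.
# PAPE lets the RP ask for a level *type* (here the NIST 800-63 namespace)
# but has no field for a minimum level, so the RP must check the level
# itself once the OP's response arrives. Sample responses are constructed.

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
NO_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(policies, level_alias="nist"):
    """RP -> OP: preferred policies and level type. No minimum level exists."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
        f"openid.pape.auth_level.ns.{level_alias}": NIST_LEVEL_NS,
        "openid.pape.preferred_auth_level_types": level_alias,
    }


def asserted_nist_level(response):
    """Return the NIST 800-63 level the OP asserted, or None if absent.

    The alias is chosen by the OP, so locate it through the namespace
    declaration instead of assuming the alias used in the request.
    """
    if response.get("openid.ns.pape") != PAPE_NS:
        return None
    prefix = "openid.pape.auth_level.ns."
    for key, value in response.items():
        if key.startswith(prefix) and value == NIST_LEVEL_NS:
            raw = response.get("openid.pape.auth_level." + key[len(prefix):])
            return int(raw) if raw and raw.isdigit() else None
    return None


def meets_minimum(response, min_level):
    """RP-side enforcement: a missing or lower level is a failure, not a pass."""
    level = asserted_nist_level(response)
    return level is not None and level >= min_level


# Constructed OP responses: one asserting Level 2 under an OP-chosen alias,
# one applying no policy and asserting no level at all.
RESPONSE_LEVEL_2 = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2009-04-20T09:00:00Z",
    "openid.pape.auth_level.ns.x": NIST_LEVEL_NS,
    "openid.pape.auth_level.x": "2",
}
RESPONSE_NO_LEVEL = {"openid.ns.pape": PAPE_NS, "openid.pape.auth_policies": NO_POLICY}
```

The second response is the case issue 1 describes: the OP applied nothing and said so, which the RP must treat as failing any minimum rather than as an implicit pass.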
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntt-madsen-rsa-concordia.ppt
Type: application/vnd.ms-powerpoint
Size: 162304 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090423/2aba40bf/attachment-0002.ppt>