2.0 Spec Questions

James McGovern james at architectbook.com
Mon Jan 22 00:48:50 UTC 2007


Several questions after reading the 2.0 spec - draft 11.

1. The definition of realm if I am reading it correctly could be problematic
in large enterprises. For example, if one were using a web access management
product, they would have the ability to define a realm in terms of a listing
of discrete hosts that may or may not fit a URL pattern matching approach.
For example, I could have a demographic called consumers who could access
hosts such as http://myconsumer.example.com,
http://printstatements.example.com, http://paybills.example.com. Likewise
another demographic called Business Partner may have a different set of
hosts they can interact with.

2. In terms of checking the nonce, can we recommend that a deployment
practice should be to use the NTP protocol and point to clocks of a certain
stratum? Likewise, would it be a good idea if an association could indicate
how much skew it would accept before rejecting?

3. In terms of an extension, should an OP be able to indicate when reauth
may be required so the user doesn't assume that if they authenticate once
they are always good?

4. Some portions of the spec are heavily coupled to PKI. How should growing
users of IBE think of this?
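The nonce and clock-skew point in question 2, shown as an added example that is not part of the original post or of any OpenID implementation: a relying-party-side check of an OpenID 2.0 `response_nonce` (RFC 3339 UTC timestamp with a `Z` suffix, no fractional seconds, followed by unique ASCII characters, at most 255 characters), with the accepted skew window treated as a local deployment setting (the `max_skew_seconds` parameter is an assumption, not something the spec negotiates per association) and a replay cache keyed by (OP endpoint, nonce).

```python
import re
from datetime import datetime, timezone, timedelta

# OpenID 2.0 response_nonce: RFC 3339 UTC timestamp ("Z", no fractional
# seconds) followed by optional printable ASCII characters, 255 chars max.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")


class NonceStore:
    """Replay cache keyed by (op_endpoint, nonce); entries expire with the skew window."""

    def __init__(self, max_skew_seconds=300):
        # Assumed local policy: how far the OP's clock may differ from ours.
        self.max_skew = timedelta(seconds=max_skew_seconds)
        self._seen = {}  # (op_endpoint, nonce) -> timestamp parsed from the nonce

    def check(self, op_endpoint, nonce, now=None):
        """Return (ok, reason). Call once per positive assertion received."""
        now = now or datetime.now(timezone.utc)
        if len(nonce) > 255:
            return False, "nonce too long"
        m = NONCE_RE.match(nonce)
        if not m:
            return False, "malformed nonce"
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "invalid timestamp"
        # Skew policy: reject assertions whose OP-side time is too far from ours.
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside accepted skew"
        # Drop cached nonces that the skew check alone would now reject anyway,
        # so the cache only needs to hold one skew window of entries.
        self._evict(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "nonce already used (replay)"
        self._seen[key] = ts
        return True, "ok"

    def _evict(self, now):
        cutoff = now - self.max_skew
        for k in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[k]
```

The same nonce string from a different OP endpoint is a distinct key, matching the spec's requirement that uniqueness is per OP endpoint.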