<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Some PAPE input below.<br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" color="#000000" style="font: 12.0px Helvetica; color: #000000"><b>From: </b></font><font face="Helvetica" size="3" style="font: 12.0px Helvetica">Paul Madsen <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>></font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" color="#000000" style="font: 12.0px Helvetica; color: #000000"><b>Date: </b></font><font face="Helvetica" size="3" style="font: 12.0px Helvetica">April 23, 2009 11:38:54 PDT</font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" color="#000000" style="font: 12.0px Helvetica; color: #000000"><b>To: </b></font><font face="Helvetica" size="3" style="font: 12.0px Helvetica">Concordia Community list <<a href="mailto:community@projectconcordia.org">community@projectconcordia.org</a>></font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" color="#000000" style="font: 12.0px Helvetica; color: #000000"><b>Subject: </b></font><font face="Helvetica" size="3" style="font: 12.0px Helvetica"><b>[Concordia] Proxying assurance between OpenID & SAML - RSA Demo report</b></font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div> </div> <div bgcolor="#ffffff" text="#000000"> NRI, NTT, and Oracle demoed the two OpenID/SAML use cases (<a class="moz-txt-link-freetext" href="http://bit.ly/ZXHt6">http://bit.ly/ZXHt6</a>) at the RSA Identity workshop this past Monday.<br> <br> Demos went well, with good interest from attendees throughout the day.<br> <br> In parallel with the demos, I gave the attached short presentation.<br> <br> The deck calls out some issues/questions for both OpenID & SAML support for assurance that the use cases teased out.<br> <br> These are<br> <br> 1) PAPE has no password policy, ie no URI comparable to phishing-resistant etc. <br> <br> For the purposes of the demo, we spun up our own. Could also be argued that, as this is the default, could be left implicit..<br> <br> 2) SAML LoA AC profile is work in progress. Until complete, can't map between OpenID's support for assurance levels and SAML's<br> <br> 3) PAPE doesnt allow a specific LOA to be reqested. PAPE allows the RP to say 'I want an answer back in terms of NIST 800 63' but not say 'I want a NIST 800 63 Level 1' assertion.<br> <br> 4) what level of detail about original authentication (who, where, what etc) should persist across proxy boundary.<br> <br> Is it useful info, do SP/RP want it?<br> <br> Should the RP/SP be able to indicate its desires?<br> <br> Related, SAML provides the <AuthenticatingAuthority> element, OpenID nothing equivalent.<br> <br> 5) how to deal with possible assurance inequality between protocols. If two protocols differ in their ability to carry assurance levels (e.g. one tops out at LoA 2, another 3), what should the proxy do? <br> <br> Some issues would appear to imply waiting for a rev to PAPE (the schedule for which I do not know) ...<br> <br> Your thoughts welcome<br> <br> Paul<br> <br> <div class="moz-signature">-- <br> <font size="-1">Paul Madsen<br> e:paulmadsen @ ntt-at.com<br> m:613-282-8647<br> web:connectid.blogspot.com<br> </font><a href="http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1"></a></div></div></blockquote></div></body></html>