On 10/01/11 20:17, Sam Hartman wrote:
Things get a lot more messy when assertions from multiple IDPs are
included.
What does it mean to include them in the AAA transport? I can think of
several trust models that are appropriate depending on deployment:
* The IDP corresponding to the subject's NAI has validated these
additional assertions and wishes to assert that the attributes can be
trusted. "If you trust me then you should trust these." Here, the
assertions are being included either for convenience of packaging the
attributes into some form the RP can process or because it is possible
that the RP may be able to validate some signature and trust the
attribute source more than the IDP.
This should require a trust relationship between the attribute providers and
the IdP, in order to validate the attribute assertions before sending them all
together to the RP. I just want to point out the requirement for this trust
relationship.
* The subject IDP has performed SAML validation on the
assertions. However the IDP is making no claims about how trusted the
attributes included in the additional assertions are. Even if the IDP
would be permitted to make a claim made in an additional assertion,
the RP needs to make an independent policy decision about whether the
actual issuer should be permitted to make that claim.
You could include XACML here.
* Here are some assertions for the RP's convenience. The IDP makes no
claims about them; not even the implied claim that they have not been
modified in transit. They better be signed, the RP better have
metadata for their issuer, and the RP is more or less on its own.
I'm not sure I understand this point. Do you need a trust relationship
between the RP and the IdP?
Another source of complexity surrounds how an IDP links an assertion to
a subject. What confidence is the RP asserting that the additional
assertion describes the same principal as the access-accept message?
Another potential source of complexity is how does the IDP know what
information to gather? Does the IDP just know somehow? Does the RP pass
information back?
The RP could request specific attributes in a SAML Attribute Query.
Besides, the IdP/attribute provider could decide which attributes are disclosed
to the RP by means of attribute release policies (XACML?).
regards, Gabi.
How does the RP make the policy decisions it needs to make? How does it
get metadata that is needed?
I think this sort of issue will also have impacts for kitten, because
we'll need to describe it in the naming extensions interface. It seems
like ABFAB is not going to be the only group facing these sorts of
discussions; Kerberos is in the middle of a similar discussion right
now.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
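Added example, not part of the thread above and not ABFAB or Sam's or Gabi's code: a small Python model of the points discussed, namely the RP asking for specific attributes with a SAML AttributeQuery, the IdP applying an attribute release policy per RP, and the RP deciding what to do with additional assertions under each of the three trust models Sam listed (IdP vouches; IdP validated but makes no trust claim; assertions included for convenience only), plus the subject-linkage check. The entity IDs, attribute names, the response document and the release policy are all constructed for the example. The ds:Signature elements are empty placeholders standing in for "a signature is present"; real code must verify the XML signature against the issuer's metadata, which the standard library cannot do.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)


def build_attribute_query(rp_entity_id, name_id, attribute_names):
    """RP -> IdP: a SAML AttributeQuery naming the attributes the RP wants."""
    q = ET.Element(f"{{{NS['samlp']}}}AttributeQuery",
                   {"ID": "_q1", "Version": "2.0",
                    "IssueInstant": "2011-01-11T00:00:00Z"})
    ET.SubElement(q, f"{{{NS['saml']}}}Issuer").text = rp_entity_id
    subj = ET.SubElement(q, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = name_id
    for name in attribute_names:
        ET.SubElement(q, f"{{{NS['saml']}}}Attribute", {"Name": name})
    return ET.tostring(q, encoding="unicode")


def apply_release_policy(attributes, rp_entity_id, policy):
    """IdP side: release only the attributes the policy allows for this RP."""
    allowed = policy.get(rp_entity_id, set())
    return {k: v for k, v in attributes.items() if k in allowed}


def parse_assertions(response_xml):
    """Pull issuer, subject, attributes and signature presence per assertion."""
    root = ET.fromstring(response_xml)
    out = []
    for a in root.findall("saml:Assertion", NS):
        attrs = {}
        for att in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[att.get("Name")] = [v.text for v in
                                      att.findall("saml:AttributeValue", NS)]
        out.append({
            "issuer": a.findtext("saml:Issuer", namespaces=NS),
            "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs,
            # Placeholder: presence only. Verify the signature for real.
            "signed": a.find("ds:Signature", NS) is not None,
        })
    return out


def rp_accept(assertions, subject_nai, idp_entity_id, trusted_issuers, model):
    """RP policy decision. model is 'vouched', 'validated' or 'convenience'."""
    accepted, rejected = {}, []
    for a in assertions:
        # Linkage check: every assertion must describe the same principal
        # as the access-accept, whatever the trust model.
        if a["subject"] != subject_nai:
            rejected.append((a["issuer"], "subject mismatch"))
            continue
        if a["issuer"] == idp_entity_id:
            pass  # the subject's own IdP; trusted via the AAA relationship
        elif model == "vouched":
            pass  # "if you trust me then you should trust these"
        elif model == "validated":
            # IdP checked the signatures, but the RP still decides whether
            # this issuer may make these claims at all.
            if a["issuer"] not in trusted_issuers:
                rejected.append((a["issuer"], "issuer not permitted"))
                continue
        else:  # convenience: RP is on its own, needs metadata and a signature
            if a["issuer"] not in trusted_issuers or not a["signed"]:
                rejected.append((a["issuer"], "no metadata or unsigned"))
                continue
        accepted.update(a["attributes"])
    return accepted, rejected


# Constructed sample response: IdP assertion plus three extra assertions.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Assertion><saml:Issuer>https://idp.example.org</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">
   <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
 <saml:Assertion><saml:Issuer>https://ap1.example.net</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="mail">
   <saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
 <saml:Assertion><saml:Issuer>https://ap2.example.net</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="displayName">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
 <saml:Assertion><saml:Issuer>https://ap1.example.net</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:NameID>bob@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="entitlement">
   <saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

RELEASE_POLICY = {"https://rp.example.com": {"eduPersonAffiliation", "mail"}}

if __name__ == "__main__":
    print(build_attribute_query("https://rp.example.com", "alice@example.org",
                                ["mail", "eduPersonAffiliation"]))
    for m in ("vouched", "validated", "convenience"):
        print(m, rp_accept(parse_assertions(SAMPLE_RESPONSE), "alice@example.org",
                           "https://idp.example.org", {"https://ap1.example.net"}, m))
```

The unsigned ap2 assertion is accepted only when the IdP vouches for it, and the bob assertion is dropped under every model because the linkage check runs first; that ordering is the point of the example, since a trusted issuer is no help if the assertion is about someone else.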