> I'd certainly expect a schema or directory organization to indicate if
> information was being stored in the directory that the directory
> itself was not vouching for.

How would that indication be done? That doesn't match the reality. Many directory attributes contain a lot of ambiguity about who is actually in control of the values. This doesn't become an issue because you switch the encoding from ASN.1 to XML.

> Actually we have been somewhat explicit about some of this.
> For example, in the case of NSS (ldap, nis, etc.) we've at least implicitly
> said that a client can trust account information from a directory.

That's an application choice, then, I guess by assuming away the possibility of referrals and multiple domains of authority. Federated applications can't ignore these issues, though, and currently they don't get this for free from the infrastructure. If you want to go there, this all gets much harder.

> However in the case of PKI-related attributes we've not made this trust
> assumption. If I find a certificate in a directory I'm still expected
> to perform cert validation according to the PKIX specs.

Validating the certificate often results in an implicit acceptance of the information in it as being vouched for by the issuer, though. That's no different than authenticating the LDAP server or the IdP. But it isn't really explicit in the standards, any more than it is with LDAP or SAML. In PKI, it's the CPS and whatnot that are supposed to address it (and that's not machine-level).

> We're explicitly saying with draft-ietf-saml-aaa that a RP SHOULD trust
> the information and not perform validation for the authentication
> response. We need to do that in order to get interoperability. Once
> we've done that, we need to make it clear when that doesn't hold.

I think you're talking about two different kinds of trust here. The SHOULD in the draft AFAIK is referring to the technical trust that it was duly issued by the issuer and hasn't been tampered with. It wasn't AFAIK meant to say anything about the "truth" of the contents. One point that does come up in SAML is that you can have conditions that limit the validity.

I'm not sure if that aspect of validation has been assumed away or not, but it's not critical to this particular thread right now.

-- Scott

_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab
