Jerome, Thanks for putting together a great first draft for the specification!
Here's one specific concrete point of discussion: in the spec so far, each authentication handler has a single attribute specifying a "supported level of assurance." I think this may need more flexibility. The actual "level of assurance" for an authentication handler might be dependent on attributes of the credentials used in each specific instance. This is most apparent when using username/password, where the password strength might differ from one user to the next. Although all users are authenticated with the same authentication handler (e.g. against the same LDAP directory), they might not all have the same password strength and therefore not all have the same level of assurance.

This concept is seen clearly in the NIST document (linked in Matt's message: http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf). In the table on page 49 you can see that the "Memorized Secret Token" authentication mechanism (which is basically a password) can be assigned either "Level 1" or "Level 2," based on the length/entropy of the token. A few of the other examples in the same table in the NIST document support multiple levels for a single authentication mechanism.

-Nathan

On 8/10/12 3:16 AM, "jleleu" <lel...@gmail.com> wrote:

>Hi,
>
>After the discussion about LOA on this thread:
>https://lists.wisc.edu/read/messages?id=18431743, I wrote the
>specification for LOA.
>
>It's "done" here:
>https://wiki.jasig.org/display/CAS/Level+Of+Assurance+Specification.
>
>I add new concepts or update existing ones, extend the CAS protocol, describe
>the LOA algorithm, describe use cases and define a roadmap.
>Everything is a proposal, of course. I did my best to design an easy
>solution, fully extensible as well (nothing less ;-)
>
>I have two special TODOs, for Marvin (describe the authentication API in CAS
>server 4.0.0) and Nathan (add your "complex" use cases to see if it
>matches my spec).
>
>I'm looking forward to your feedback. After that, I hope we can validate
>the spec soon.
>
>Best regards,
>Jérôme
>
>--
>You are currently subscribed to cas-dev@lists.jasig.org as:
>nathan.k...@cru.org
>To unsubscribe, change settings or access archives, see
>http://www.ja-sig.org/wiki/display/JSG/cas-dev
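As an added illustration of the point Nathan raises (this is not CAS code and not part of the thread), the sketch below models a handler's level of assurance as a function of the credential presented rather than a fixed attribute: a password handler yields Level 1 or Level 2 depending on an entropy estimate, while a hardware-token handler yields a constant level. The per-character entropy schedule is patterned on the rough user-chosen-password estimate in the NIST document's appendix, and the Level 2 cut-off of 30 bits is my own constructed value, not one from the spec or from NIST.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Credential:
    kind: str                                   # e.g. "password", "otp-hardware"
    attrs: Dict[str, object] = field(default_factory=dict)


def password_entropy_bits(pw: str) -> float:
    """Rough entropy estimate for a user-chosen password (assumed schedule:
    4 bits for the first character, 2 for each of the next seven, 1.5 for
    characters 9-20, 1 thereafter, plus a 6-bit composition bonus)."""
    bits = 0.0
    for i in range(1, len(pw) + 1):
        if i == 1:
            bits += 4
        elif i <= 8:
            bits += 2
        elif i <= 20:
            bits += 1.5
        else:
            bits += 1
    if any(c.isupper() for c in pw) and any(not c.isalpha() for c in pw):
        bits += 6                               # composition bonus
    return bits


@dataclass
class Handler:
    name: str
    max_level: int                              # ceiling this handler can ever assert
    level_of: Callable[[Credential], int]       # LOA policy evaluated per credential


def password_policy(min_bits_level2: float = 30.0) -> Callable[[Credential], int]:
    """Memorized secret: Level 1 or Level 2 by entropy (threshold is constructed)."""
    def level_of(cred: Credential) -> int:
        bits = password_entropy_bits(str(cred.attrs["password"]))
        return 2 if bits >= min_bits_level2 else 1
    return level_of


def authenticate(handler: Handler, cred: Credential) -> int:
    """LOA for this authentication event: the credential's level, capped by the handler."""
    return min(handler.max_level, handler.level_of(cred))


# Constructed handlers: the same LDAP handler asserts different levels for different users.
LDAP_HANDLER = Handler("ldap", max_level=2, level_of=password_policy())
HW_OTP_HANDLER = Handler("hw-otp", max_level=3, level_of=lambda c: 3)
```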