On 18-Jan-06, at 7:16 PM, Suresh Venkatraman wrote:
I think that it is part of the protocol. I'm saying that we don't define
any authentication mechanisms, but we do allow the parties to
say which they can do, and which they are willing to accept.
In DMD1 a HS advertises its capabilities, which might include
the authentication mechanisms it supports, and a MS can
decide whether to accept assertions from that HS or not.
In DMD1 (Section 5.10.1.5) there is mention of an authentication requirement
scenario but it kind of leaves negotiation out of the discussion. Unless you
mean that member sites individually dictate authentication requirements
every time a fetch-request is made?
DMD1: dix://crypto-doodes.com/dongle#5
Yes and No. Yes the Membersite does it, but No it's not per message.
It's per MS/HS relationship. When the MS discovers the HS capabilities
(by pulling the HS Document and looking for the Homesite Tag) it can
make a determination of whether the HS supports appropriate
authentication methods or not.
A per message solution is possible thus: In a fetch request the MS
requests a claim from the HS that the authentication was performed
using a particular method. DMD1 facilitates this, but doesn't define
what property the MS would ask for, or what the claim would actually
look like.
John
_______________________________________________
dix mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/dix