On Tue, Mar 21, 2006 at 04:09:56PM -0500, Robert Yates wrote:
> Nicolas Williams wrote:
> >By "automatically downloaded" in (4) I assume you also mean "when I'm
> >not around," by which you would probably mean that you want some form of
> >authentication mechanism/credential that doesn't require human
> >interaction to use.
> >
> >Have I guessed correctly?
> > 
> >
> Yes, 4 is actually an attempt to make two points: one is that I am not 
> around, the other is that my "feedreader" is an HTTP "rich client", i.e. 
> it is NOT a browser.

The second point to me translates as "forms&cookies is no good for
authentication" and follows from the need, generally, for human
interaction to properly fill in forms.

> >>3. is almost covered by dmd1 and SAML but I still don't understand how I 
> >>either get the persona-url from an e-mail or an e-mail from a persona-url.
> >>   
> >>
> >
> >Presumably you'd be signing these e-mails somehow, no?  S/MIME, or PGP?
> >
> >:)
> > 
> >
> Sorry, I should clarify, added the word "address" to my statement below.

I repeat my comment :)

> I still don't understand how I either get the persona-url from an e-mail 
> address or an e-mail address from a persona-url.

I haven't gotten that far with understanding the DIX materials, but I'd
like to restate your point (3) as: users (and apps) need to be able to
create access controls that refer to the identities (or attributes
thereof) that they 'meet'.

In your example the problem is that the 'meeting' happens in a context
(e-mail) apart from the world where DIX is applicable.

Is this restatement correct?

> >I don't see why SAML can't handle (4), assuming I guess correctly what
> >you meant by (4), since SAML doesn't handle authentication mechanisms
> >directly, so that as long as you can authenticate to your IdP with some
> >mechanism/credential that requires no interaction then SAML should not
> >require interaction either.
> > 
> >
> There is a SOAP binding for SAML, but AFAIK no binding to straight HTTP, 
> i.e. REST web services.  It is not possible, for example, to use SAML 
> with feedreaders. So Apple's iPhoto could not use SAML if it continues 
> to use feeds for Photocasting.

Hmmm, I'm not sure this is right, but what is right is that the way to
use SAML in HTTP is not as easily abstracted from the application as an
authentication layer in the HTTP protocol would be, and I'm not sure that
DIX is any different from SAML in this sense.

Nico
-- 

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix