On 5-Jun-06, at 2:23 PM, Sam Hartman wrote:
> It is my impression mostly from financial sector businesses that you are going to see people verifying this information themselves (through a separate exchange with a business partner) rather than trusting the same assertion signed as part of the identity exchange.
It doesn't have to be the same assertion. There can be multiple assertions, each signed by different authorities. The IdP may have authority for identifying and authenticating the person... but the other assertions that come in the exchange could be issued by other authorities.

This is why in DIX we have the separation between the acquisition of an assertion and the presentation of an assertion, and why the Fetch message allows for the combination of a request for an authentication assertion with the request for attribute assertions... all with different signers. The user can then collect claims from whatever authorities they choose, before an exchange or upon demand. The Relying Party then only needs to trust the Authority of the claim rather than where the claim is coming from.

John

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
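An added illustration of the point made above (example code, not part of the list thread or the DIX specification): a Relying Party that checks each presented assertion against the key of the authority named inside it, so a claim is accepted on the strength of its issuer rather than of whoever presented it. Authority names, claims and keys are constructed, and HMAC stands in for the per-authority signature keys a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed trust store: one verification key per authority the RP trusts.
# HMAC keys stand in for real signature keys; the point demonstrated is that
# each assertion is checked under the key of the authority it names.
AUTHORITY_KEYS = {
    "idp.example": b"constructed-idp-key",
    "bank.example": b"constructed-bank-key",
}

def sign_assertion(issuer, key, claims):
    """Acquisition step: an authority signs an assertion over its own claims."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_presentation(assertions, trust_store):
    """Presentation step: accept a claim only if it verifies under the key of
    the authority it names. Returns (accepted, rejected) lists."""
    accepted, rejected = [], []
    for a in assertions:
        try:
            issuer = json.loads(a["body"])["issuer"]
        except (KeyError, ValueError, TypeError):
            rejected.append(("malformed", a))
            continue
        key = trust_store.get(issuer)
        if key is None:
            rejected.append((f"untrusted authority {issuer}", a))
            continue
        expected = hmac.new(key, a["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["sig"]):
            rejected.append((f"bad signature for {issuer}", a))
            continue
        accepted.append((issuer, json.loads(a["body"])["claims"]))
    return accepted, rejected

def build_presentation():
    """Constructed bundle: an IdP authentication assertion, a bank attribute
    assertion, and a claim naming the bank as issuer but signed with the IdP key."""
    return [
        sign_assertion("idp.example", AUTHORITY_KEYS["idp.example"],
                       {"sub": "alice", "authenticated": True}),
        sign_assertion("bank.example", AUTHORITY_KEYS["bank.example"],
                       {"account_verified": True}),
        sign_assertion("bank.example", AUTHORITY_KEYS["idp.example"],
                       {"credit_ok": True}),
    ]
```

The third assertion is rejected even though it arrives in the same bundle as a valid authentication assertion, because the RP trusts the named authority's key, not the bundle it came in.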
