> From: Ben Laurie [mailto:[EMAIL PROTECTED]
> This seems like a worthy goal, but one that is perhaps
> orthogonal to other means of authenticating users. Certainly
> I'd be violently opposed to requiring users to have smartcards.

Violently?

The authentication infrastructure should enable the use of any form of authentication mechanism. SAML already supports this. It is clearly an achievable goal that does not place an undue burden on the design.

What we do not need to do is to support selection of selection mechanisms so the user gets a choice of GSSAPI, SAML, WS-*, SASL, which in turn give a choice between every imaginable protocol.

We need one way to authenticate via the common authentication mechanisms: Passwords, Two Factor (OTP) Passwords, PKI signature, PKI encryption, Passthrough of biometric data capture.

All of these can be supported in a simple client - relying party - authentication service scheme where the client never talks to the auth server directly.

I do not think that we need to provide direct support for multiple round-trip protocols such as some of the more complex zero knowledge schemes. In those cases the simplest scheme is for the client to talk to the authentication service directly. It is in any case desirable to have direct contact between the user and the auth-N service in the case of password schemes to prevent certain forms of MIM attack.

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
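A toy model of the three-party scheme argued for above, added here as an illustration and not code from the dix list or any of its participants. It runs two of the listed mechanisms through the same relying party: a plain password, and a two-factor style challenge-response in which the token answers with an HMAC over a single-use challenge (used here as a stand-in for the OTP and PKI-signature cases; the class names, the `run_demo` helper and the user "alice" are constructed for the example). The relying party records everything it relays, which is what a compromised RP or a man in the middle would do, so the output shows why the message wants direct client-to-auth-service contact for passwords but is happy to pass the other mechanisms through.

```python
import hashlib
import hmac
import secrets


class AuthService:
    """Authentication service. In this scheme only the relying party ever calls it."""

    def __init__(self):
        self._passwords = {}   # user -> password (cleartext only to keep the toy short)
        self._otp_keys = {}    # user -> HMAC key shared with the user's token
        self._challenges = {}  # user -> outstanding single-use challenges

    def enroll_password(self, user, password):
        self._passwords[user] = password

    def enroll_otp_key(self, user, key):
        self._otp_keys[user] = key

    def verify_password(self, user, password):
        return hmac.compare_digest(self._passwords.get(user, ""), password)

    def new_challenge(self, user):
        challenge = secrets.token_hex(16)
        self._challenges.setdefault(user, set()).add(challenge)
        return challenge

    def verify_response(self, user, challenge, response):
        outstanding = self._challenges.get(user, set())
        if challenge not in outstanding:
            return False                 # unknown, or already consumed: replay fails
        outstanding.discard(challenge)   # each challenge is accepted exactly once
        expected = hmac.new(self._otp_keys[user], challenge.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


class RelyingParty:
    """Mediates between client and auth service and logs every value it relays."""

    def __init__(self, auth):
        self._auth = auth
        self.seen = []  # (kind, user, value) for everything that passed through

    def login_password(self, user, password):
        self.seen.append(("password", user, password))
        return self._auth.verify_password(user, password)

    def start_challenge(self, user):
        challenge = self._auth.new_challenge(user)
        self.seen.append(("challenge", user, challenge))
        return challenge

    def finish_challenge(self, user, challenge, response):
        self.seen.append(("response", user, response))
        return self._auth.verify_response(user, challenge, response)


class Client:
    """The user's software. Talks only to the relying party, never to the auth service."""

    def __init__(self, user, password, otp_key):
        self.user, self.password, self.otp_key = user, password, otp_key

    def respond(self, challenge):
        return hmac.new(self.otp_key, challenge.encode(), hashlib.sha256).hexdigest()


def run_demo():
    """Run both mechanisms through one RP, then see what a second RP can do with what it captured."""
    auth = AuthService()
    key = secrets.token_bytes(32)
    auth.enroll_password("alice", "correct horse")   # constructed sample user
    auth.enroll_otp_key("alice", key)
    alice = Client("alice", "correct horse", key)
    rp = RelyingParty(auth)

    password_ok = rp.login_password(alice.user, alice.password)

    challenge = rp.start_challenge(alice.user)
    response = alice.respond(challenge)
    otp_ok = rp.finish_challenge(alice.user, challenge, response)

    # What the RP (or a MIM sitting in its place) captured, replayed through a fresh RP.
    captured = {kind: value for kind, _, value in rp.seen}
    attacker = RelyingParty(auth)
    password_replay_ok = attacker.login_password("alice", captured["password"])
    response_replay_ok = attacker.finish_challenge("alice", captured["challenge"], captured["response"])
    key_exposed = key in captured.values() or key.hex() in captured.values()

    return {
        "password_ok": password_ok,              # honest password login succeeds
        "otp_ok": otp_ok,                        # honest challenge-response succeeds
        "password_replay_ok": password_replay_ok,  # the relayed password is reusable by the RP
        "response_replay_ok": response_replay_ok,  # the relayed response is not
        "key_exposed": key_exposed,              # the RP never saw the token key
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The password path is the one the message singles out: whoever sits between client and auth service holds a reusable credential, which is why direct contact is worth having there even though the pass-through model is fine for challenge-response, OTP and signature mechanisms.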
