Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)
Agreed with Jonathan here, don't think we need to define a policy URI
for "active". Rather need to clarify what is meant in section 5.1.
(Optional) If the End User has not actively authenticated to the OP
within the number
of seconds specified in a manner fitting the requested policies, the
OP MUST
authenticate the End User for this request.
What about?
Active authentication is defined as the user providing a credential
to the OP beyond a cookie which passively stores prior authentication
credentials.
Still don't like that definition, but hopefully a few iterations and
we'll get there. Also asking around in the security community if
there is a definition for this.
--David
On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>
> On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
>
>> # Yep, the idea is for the PAPE spec to define a few generic and
>> # agreed upon policies and then RPs and OPs can create others. Thus
>> # if there isn't agreement on a policy, there would be multiple
>> policy
>> # URIs. Same concept as in Attribute Exchange.
>>
>> Using policy URIs to indicate certain modes of authentication is a
>> fine idea, but that doesn't really address the original issue: the
>> spec does not define "active" ("direct") authentication.
>
> Agreed. PAPE spec should define one such policy that's acceptable
> for most of the OPs/RPs (and tie auth_age to it), leaving the
> possibility open for anyone to define other similar policies.
>
> This could be a bit tricky to specify if there's another parameter
> involved, but we should be able to come up with a solution.
>
> Johnny
>
>
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)
SAML 2.0 expresses it in terms of whether or not the authentication is
'passive'
paul
David Recordon wrote:
> Agreed with Jonathan here, don't think we need to define a policy URI
> for "active". Rather need to clarify what is meant in section 5.1.
> (Optional) If the End User has not actively authenticated to the OP
> within the number
> of seconds specified in a manner fitting the requested policies, the
> OP MUST
> authenticate the End User for this request.
>
> What about?
> Active authentication is defined as the user providing a credential
> to the OP beyond a cookie which passively stores prior authentication
> credentials.
>
> Still don't like that definition, but hopefully a few iterations and
> we'll get there. Also asking around in the security community if
> there is a definition for this.
>
> --David
>
> On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>
>
>> On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
>>
>>
>>> # Yep, the idea is for the PAPE spec to define a few generic and
>>> # agreed upon policies and then RPs and OPs can create others. Thus
>>> # if there isn't agreement on a policy, there would be multiple
>>> policy
>>> # URIs. Same concept as in Attribute Exchange.
>>>
>>> Using policy URIs to indicate certain modes of authentication is a
>>> fine idea, but that doesn't really address the original issue: the
>>> spec does not define "active" ("direct") authentication.
>>>
>> Agreed. PAPE spec should define one such policy that's acceptable
>> for most of the OPs/RPs (and tie auth_age to it), leaving the
>> possibility open for anyone to define other similar policies.
>>
>> This could be a bit tricky to specify if there's another parameter
>> involved, but we should be able to come up with a solution.
>>
>> Johnny
>>
>>
>>
>
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)
Hey Paul,
How do you guys define "passive". Seems like the opposite problem of
defining "active".
Thanks,
--David
On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote:
> SAML 2.0 expresses it in terms of whether or not the authentication
> is 'passive'
>
> paul
>
> David Recordon wrote:
>> Agreed with Jonathan here, don't think we need to define a policy
>> URI for "active". Rather need to clarify what is meant in
>> section 5.1.
>> (Optional) If the End User has not actively authenticated to the
>> OP within the number
>> of seconds specified in a manner fitting the requested policies,
>> the OP MUST
>> authenticate the End User for this request.
>>
>> What about?
>> Active authentication is defined as the user providing a
>> credential to the OP beyond a cookie which passively stores prior
>> authentication credentials.
>>
>> Still don't like that definition, but hopefully a few iterations
>> and we'll get there. Also asking around in the security
>> community if there is a definition for this.
>>
>> --David
>>
>> On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>>
>>
>>> On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
>>>
>>>
# Yep, the idea is for the PAPE spec to define a few generic and
# agreed upon policies and then RPs and OPs can create others.
Thus
# if there isn't agreement on a policy, there would be multiple
policy
# URIs. Same concept as in Attribute Exchange.
Using policy URIs to indicate certain modes of authentication is a
fine idea, but that doesn't really address the original issue: the
spec does not define "active" ("direct") authentication.
>>> Agreed. PAPE spec should define one such policy that's
>>> acceptable for most of the OPs/RPs (and tie auth_age to it),
>>> leaving the possibility open for anyone to define other similar
>>> policies.
>>>
>>> This could be a bit tricky to specify if there's another
>>> parameter involved, but we should be able to come up with a
>>> solution.
>>>
>>> Johnny
>>>
>>>
>>>
>>
>>
>> ___
>> specs mailing list
>> specs@openid.net
>> http://openid.net/mailman/listinfo/specs
>>
>>
>>
>
> --
> Paul Madsen e:paulmadsen @ ntt-at.com
> NTT p:613-482-0432
>m:613-282-8647
>aim:PaulMdsn5
>web:connectid.blogspot.com
>
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)
Hey David, IsPassive is an attribute on the AuthnRequest that allows the
SP to indicate policy for how the user is authenticated
IsPassive [Optional]
A Boolean value. If "true", the identity provider and the user agent
itself MUST NOT visibly take control
of the user interface from the requester and interact with the presenter
in a noticeable fashion. If a
value is not provided, the default is "false".
It works in combination with ForceAuthn (which seems to fit with where
you wre going with 'active authn' below
ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the
presenter directly rather than
rely on a previous security context. If a value is not provided, the
default is "false". However, if both
ForceAuthn and IsPassive are "true", the identity provider MUST NOT
freshly authenticate the
presenter unless the constraints of IsPassive can be met
David Recordon wrote:
> Hey Paul,
> How do you guys define "passive". Seems like the opposite problem of
> defining "active".
>
> Thanks,
> --David
>
> On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote:
>
>> SAML 2.0 expresses it in terms of whether or not the authentication
>> is 'passive'
>>
>> paul
>>
>> David Recordon wrote:
>>> Agreed with Jonathan here, don't think we need to define a policy
>>> URI for "active". Rather need to clarify what is meant in section
>>> 5.1.
>>> (Optional) If the End User has not actively authenticated to the
>>> OP within the number
>>> of seconds specified in a manner fitting the requested policies,
>>> the OP MUST
>>> authenticate the End User for this request.
>>>
>>> What about?
>>> Active authentication is defined as the user providing a
>>> credential to the OP beyond a cookie which passively stores prior
>>> authentication credentials.
>>>
>>> Still don't like that definition, but hopefully a few iterations
>>> and we'll get there. Also asking around in the security community
>>> if there is a definition for this.
>>>
>>> --David
>>>
>>> On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>>>
>>>
On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
> # Yep, the idea is for the PAPE spec to define a few generic and
> # agreed upon policies and then RPs and OPs can create others. Thus
> # if there isn't agreement on a policy, there would be multiple
> policy
> # URIs. Same concept as in Attribute Exchange.
>
> Using policy URIs to indicate certain modes of authentication is a
> fine idea, but that doesn't really address the original issue: the
> spec does not define "active" ("direct") authentication.
>
Agreed. PAPE spec should define one such policy that's acceptable
for most of the OPs/RPs (and tie auth_age to it), leaving the
possibility open for anyone to define other similar policies.
This could be a bit tricky to specify if there's another parameter
involved, but we should be able to come up with a solution.
Johnny
>>>
>>>
>>> ___
>>> specs mailing list
>>> specs@openid.net
>>> http://openid.net/mailman/listinfo/specs
>>>
>>>
>>>
>>
>> --
>> Paul Madsen e:paulmadsen @ ntt-at.com
>> NTT p:613-482-0432
>>m:613-282-8647
>>aim:PaulMdsn5
>>web:connectid.blogspot.com
>>
>
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
