On 7 Feb 2012, at 23:25 , Stephen Kent wrote:
> federated authentication systems using certs generally seem to be
> motivated because folks can make cross-certification work properly.
> other federated auth systems seem to be based on having one org trust
> another to assert an identity for a user known to the second, but not
> the first. that's a recipe for security problems.


Well, at the end, having an org trust another to identify a user only known to 
the latter is what certificates do, don't they? The problem with federated 
schemas is the number of potential sources of identity, that has to become 
unbounded by definition. You have then to rely on federation metadata, telling 
you which orgs are trusted to make assertions on whom, and you need some 
root(s) of trust for those metadata, metadata revocation procedures, etc.  And 
this collapses again into finding the-right-key(s)…

Be goode,


--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: di...@tid.es
Tel:    +34 913 129 041
Mobile: +34 682 051 091
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
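The chain the message describes (federation metadata saying which organisation may assert identities for which user scope, a root of trust that signs that metadata, and a revocation mechanism on top) can be shown as a small relying-party check. The following is an added example written for this page, not code from the thread or from any federation; every key, entity name, scope and assertion in it is constructed, and it uses an HMAC under a single shared root key only to keep the example self-contained where a real federation would publish asymmetrically signed metadata.

```python
"""Toy relying-party evaluation of a federated identity assertion.

Added example, not part of the original thread. It models three things the
message names: federation metadata that scopes which issuer may assert which
users, a root-of-trust key without which the metadata means nothing, and a
revocation list. All names, keys and assertions below are constructed.
"""
import hashlib
import hmac
import json

# Constructed root-of-trust key for the federation metadata (hypothetical).
# A real federation would sign metadata with an asymmetric key; an HMAC is
# used here purely so the example runs offline without extra libraries.
FEDERATION_ROOT_KEY = b"constructed-federation-root-key"


def sign_metadata(metadata: dict, key: bytes) -> str:
    """Canonicalise the metadata and sign it with the federation root key."""
    payload = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_metadata(metadata: dict, signature: str, key: bytes) -> bool:
    """True only if the metadata was signed by the key we already trust."""
    return hmac.compare_digest(sign_metadata(metadata, key), signature)


# Constructed federation metadata: which issuer may speak for which scope,
# plus the issuers the federation has since revoked.
METADATA = {
    "version": 3,
    "entities": {
        "idp.example-a.org": {"scopes": ["example-a.org"]},
        "idp.example-b.org": {"scopes": ["example-b.org", "students.example-b.org"]},
        "idp.old.example-c.org": {"scopes": ["example-c.org"]},
    },
    "revoked": ["idp.old.example-c.org"],
}
METADATA_SIG = sign_metadata(METADATA, FEDERATION_ROOT_KEY)


def assertion_is_acceptable(assertion: dict, metadata: dict,
                            signature: str, trusted_key: bytes):
    """Decide whether to accept an identity assertion.

    assertion = {"issuer": <entity id>, "subject": "<user>@<scope>"}
    Returns (accepted, reason). The order of checks is the point: the
    metadata is only evidence once its signature chains to a trusted root,
    and an issuer listed there is still limited to its declared scopes.
    """
    if not verify_metadata(metadata, signature, trusted_key):
        return False, "metadata signature invalid: no root of trust for these entries"
    issuer = assertion["issuer"]
    if issuer in metadata["revoked"]:
        return False, f"{issuer} has been revoked from the federation"
    entity = metadata["entities"].get(issuer)
    if entity is None:
        return False, f"{issuer} is not listed in federation metadata"
    scope = assertion["subject"].rpartition("@")[2]
    if scope not in entity["scopes"]:
        return False, f"{issuer} may not assert identities in scope {scope}"
    return True, "issuer is trusted for this scope"


if __name__ == "__main__":
    # Constructed assertions covering the accept path and each failure path.
    cases = [
        {"issuer": "idp.example-a.org", "subject": "alice@example-a.org"},
        {"issuer": "idp.example-a.org", "subject": "bob@example-b.org"},
        {"issuer": "idp.old.example-c.org", "subject": "carol@example-c.org"},
        {"issuer": "idp.unknown.example", "subject": "dave@example-a.org"},
    ]
    for case in cases:
        print(case["issuer"], "->", assertion_is_acceptable(
            case, METADATA, METADATA_SIG, FEDERATION_ROOT_KEY))
```

The last two failure modes are the ones the message is really about: an issuer that inserts itself into a copy of the metadata fails because the signature no longer verifies, and metadata presented under a key the relying party does not hold as a root fails outright. Everything downstream of `verify_metadata` is only as strong as the decision of which key to trust there.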