IETF Logo Mail Archive

Re: [OAUTH-WG] more than one assertion?

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 13 August 2010 07:50 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8450D3A68B9 for <oauth@core3.amsl.com>; Fri, 13 Aug 2010 00:50:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.657
X-Spam-Level:
X-Spam-Status: No, score=-0.657 tagged_above=-999 required=5 tests=[AWL=0.196, BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CRwM6reW5DNk for <oauth@core3.amsl.com>; Fri, 13 Aug 2010 00:50:38 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14]) by core3.amsl.com (Postfix) with ESMTP id 3E0023A6870 for <oauth@ietf.org>; Fri, 13 Aug 2010 00:50:36 -0700 (PDT)
Received: from [80.187.108.154] (helo=[10.164.83.122]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1Ojp2l-0006HC-9S; Fri, 13 Aug 2010 09:51:11 +0200
References: <90C41DD21FB7C64BB94121FBBC2E72343B3F124503@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C8897C4C.B75E%cmortimore@salesforce.com> <AANLkTinbmx+CBJdMrf5vBuV7wqLwWDLP3vA1N2HcUMHL@mail.gmail.com> <AANLkTinsTe9vxrWsXK6p9+bfRRSyZTjb2yW8+=ux5tU_@mail.gmail.com> <AANLkTik0n-ki3d06wr=sAZCzUDq4KQ-Ahy3wwPXagG6S@mail.gmail.com>
In-Reply-To: <AANLkTik0n-ki3d06wr=sAZCzUDq4KQ-Ahy3wwPXagG6S@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8A293)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <BF619799-9D29-4486-BC0C-829F892DF4BA@lodderstedt.net>
X-Mailer: iPhone Mail (8A293)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Fri, 13 Aug 2010 09:50:22 +0200
To: Brian Campbell <bcampbell@pingidentity.com>
X-Df-Sender: 141509
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] more than one assertion?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2010 07:50:39 -0000

multiple (SAML) assertions also mean multiple subject statements. Are there any constraints regarding the relations among those subjects (identities)? 

regards,
Torsten.



Am 12.08.2010 um 22:01 schrieb Brian Campbell <bcampbell@pingidentity.com>:

> I generally agree more with Chuck, David and Brain E than I don't.
> But I do think that someone will find a pragmatic reason for > 1
> assertion eventually and I think the proposal earlier in this thread
> to allow for multiple occurrences of the assertion parameter in the
> core spec will make that easier for a number of instantiations of the
> assertion flow (grant type) at a later time.  It adds some complexity
> but I don't think a lot.  And specifications or pairwise agreements
> building on the assertion flow could easily constrain down to a single
> assertion, if it suits the profile.
> 
> That's the only change proposal to the core spec that's come out of
> discussion around my I-D
> http://www.ietf.org/id/draft-campbell-oauth-saml-00.txt (that I can
> think of).  I'm still not sure if it makes sense to allow for multiple
> assertions in the next draft of that, but allowing for multiple
> assertion params in core sure seems like a cleaner way to do it.
> 
> Yaron's proposal for a Section 2.2 on Client Assertions is a change to
> core as well (latest in that thread:
> http://www.ietf.org/mail-archive/web/oauth/current/msg04154.html)
> However, even though it uses the term assertion similarly, it's a
> distinct issue from the SAML work.  The latter is a SAML based usage
> of the assertion grant type while the former I think of it more as a
> means of allowing for stronger forms of client authentication than
> just a client password/secret.
> 
> I guess both could be used in a two-legged style interaction (or used
> together) and maybe that's where it starts to get confusing...
> 
> 
> 
> On Thu, Aug 12, 2010 at 1:38 PM, Brian Eaton <beaton@google.com> wrote:
>> On Thu, Aug 12, 2010 at 12:36 PM, David Recordon <recordond@gmail.com> wrote:
>>> I've only been half following the recent assertion threads for this
>>> exact reason. I don't understand how these proposals are going to be
>>> used and worry about any additional complexity added to the spec.
>> 
>> Likewise.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.31.3 | Report a Bug | By Email | System Status