[WG-IDAssurance] Relying Party Assertions
rainer at hoerbe.at
Tue Mar 1 14:08:32 EST 2011
Automated policy negotiation with OIDs in X.509 was mostly a failure so far, because of poor implementation in open systems and a lack of necessity in closed systems. But I wonder whether its use cases were properly conceived. Policy negotiation usually happens when parties initiate a business relationship. The idea of computational contracts is that the infrastructure can negotiate that by using some assertions from a trusted third party. However, that will only work for well-defined and accepted policies. Being part of a specific jurisdiction (like "the EU DPD applies") is quite rough, and I wonder whether that is specific enough to implement a policy, whether this is only an infrastructure concern, or whether it should be implemented on the business level. If it is something on the business level, it will not be some SAML artifact, but rather some other web service.
Some standards were written in the past with some vision in mind, to show what is possible (like X.509 and SAML AuthN context, IMHO), but never got completed. That produces dead specs that leave questions and risk for implementors. Therefore let us keep the (metadata) spec lean & clean.
I think that using just a LoA or LoP (once it is defined and accepted) and not more in the metadata would be a good start. Other well-defined, specific policies with a widely recognized certification would be OK as well.
On 01.03.2011 at 18:55, John Bradley wrote:
> Hi Ben,
> The ECP client for SAML is not widely deployed. Something like 99.0% of interactions are initiated via the redirect binding, much like openID.
> Requests may or may not be signed. Using Certificate extensions in the RP certificate would be an interesting interoperability challenge.
> The Federation interoperability WG is looking at ways to communicate this sort of Entity information for trust frameworks.
> For the FICAM trust framework the certification of the Identity provider is communicated via the SAML meta-data as an entity attribute.
> For a RP certification the same mechanism can be used.
> The Federation meta-data approach can be used by SAML, openID, IMI, and WS-Fed.
> The IdP has the responsibility to present the appropriate UI to convey the information to the user.
> A smart client like the IMI (InfoCard) /ECP (SAML) selector could also retrieve and present the trusted info to the user.
> The federation meta-data become something like a CA or Bridge where there is cross-federation using trust frameworks.
> John B.
> On 2011-03-01, at 1:54 PM, Ben Wilson wrote:
>> I was wondering whether SAML 2.0 specifies a protocol for communicating relying party privacy protection assertions to the user’s smart agent. Part of establishing an identity framework’s trust in granting access to a relying party is knowing the set of rules that a relying party must follow. Does SAML incorporate an OID structure to communicate whether the relying party is a regulated financial institution, HIPAA covered entity, a Canadian PIPEDA-governed entity, an EU DPD-governed entity, etc.? And could it include an assertion about the particular “flavor” of compliance under those regulatory frameworks? I was thinking that a trust framework would want Relying Parties to assert their data protection policies (e.g. by OIDs either in a Digital Certificate, SAML request, online directory system (LDAP/HTTP), or local table stored inside the user agent) the various policies that the RP follows or is required to follow. That way, the IdP, User, and User’s smart agent could decide what level of information to provide the RP based on the User’s personal information usage preferences. Does anyone know whether anyone else is working on such a schema?
>> Benjamin T. Wilson, JD CISSP
>> General Counsel and SVP Industry Relations
>> DigiCert, Inc.
>> Online: www.DigiCert.com
>> Email: ben at digicert.com
>> Toll Free: 1-800-896-7973 (US & Canada)
>> Direct: 1-801-701-9678
>> Fax: 1-866-842-0223 (Toll Free if calling from the US or Canada)
>> WG-IDAssurance mailing list
>> WG-IDAssurance at kantarainitiative.org
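The mechanism John describes, certification carried as an entity attribute in federation metadata, and Rainer's point that only well-defined, accepted policies are worth acting on, are easy to see together in code. The following is an added example, not code from the thread's authors or from the Kantara working group: it parses a constructed SAML metadata aggregate, pulls each relying party's EntityAttributes, and reports only those certification values that appear on a local allow-list. The EntityAttributes namespace and the assurance-certification attribute name are the ones defined by the OASIS SAML metadata extension and identity assurance profile; the entity IDs and policy URIs are placeholders.

```python
"""Extract entity attributes from SAML metadata and evaluate a relying party's
asserted certification against an allow-list of accepted policies.

Added example, not the Kantara WG's or the thread authors' code. The metadata
document is constructed for illustration; only the namespaces and the
assurance-certification attribute name are taken from the OASIS specs.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute name from the SAML V2.0 Identity Assurance Profiles spec
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed allow-list: the only certifications this deployment acts on.
# Anything not listed here is ignored, however plausible the URI looks.
ACCEPTED_POLICIES = {
    "https://framework.example/policy/loa2",       # placeholder LoA URI
    "https://framework.example/policy/lop-basic",  # placeholder LoP URI
}

# Constructed metadata aggregate with three relying parties (SPs).
# In practice this document must be signature-verified against the
# federation operator's key first; entity attributes are only as
# trustworthy as the metadata that carries them.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rp-certified.example/sp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://framework.example/policy/loa2</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rp-jurisdiction.example/sp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>urn:example:jurisdiction:eu-dpd</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rp-plain.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(metadata_xml):
    """Map entityID -> {attribute name -> [values]} for every EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                      if v.text and v.text.strip()]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        result[ed.get("entityID")] = attrs
    return result


def accepted_certifications(metadata_xml, accepted=ACCEPTED_POLICIES):
    """Map entityID -> set of asserted certifications that are on the allow-list.

    A vague or unrecognized value (a bare jurisdiction, for instance) yields an
    empty set, the same as an RP that asserts nothing at all.
    """
    out = {}
    for entity_id, attrs in entity_attributes(metadata_xml).items():
        out[entity_id] = set(attrs.get(ASSURANCE_CERT, [])) & set(accepted)
    return out


if __name__ == "__main__":
    for entity_id, certs in accepted_certifications(SAMPLE_METADATA).items():
        print(entity_id, "->", sorted(certs) or "no accepted certification")
```

The allow-list is the practical form of "only well-defined and accepted policies": the IdP or smart client decides what to release based on certifications it has chosen to recognize, and a loosely specified assertion such as a jurisdiction URI is simply not acted upon. None of this is meaningful unless the metadata signature has been verified beforehand, which is deliberately left outside this snippet.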