[WG-UMA] New version of draft

Eve Maler eve at xmlgrrl.com
Tue Jul 20 09:56:43 EDT 2010


Catching up slowly from last week's absence...  I see that these matters were discussed in the telecon last week. Here is an attempted summary of the state of play; let me know if I've got it wrong.

Trust framework certification is a real-life example of why it's useful to strongly authenticate the client. The client ("RP") metadata as a whole could be signed by the client itself and the signature could be verified by the authz server (credential issuer), and/or individual pieces of metadata could be signed e.g. by the trust framework provider.

So a question for us would be: Does requirement 2.3, "The authorization server must have the option of strongly authenticating the client and its metadata", suggest that we should specify exactly how to achieve this in our I-D proposal? It seemed like people were interested in documenting how to sign "pushed" metadata as well as how to handle signed metadata that is "pulled". I'm thinking it would be simpler to assume that the push case is low-authentication/assurance, and leave signing out of the picture, concentrating on the higher-authentication case only for pull.

So, does the dynamic registration I-D need to be revised according to last week's discussion?  What needs to happen to get it into final shape for contribution?

	Eve

On 15 Jul 2010, at 5:37 AM, Domenico Catalano wrote:

> Hi,
> 
> here are some thoughts about extending client registration for a special case...
> 
> A special case of Client Registration is when the Host (in UMA terminology) is an Identity Provider/Claim Issuer (as discussed in the Trusted Claim approach).
> 
> For trust management reasons, the Authorization Server, in order to verify the client's Identity Assurance Level, may check an IdP (whitelist) from a Trust Framework provider (also discussed in the doc Trusted Claim approach - Identity assurance feature sub-paragraph - sent out by Eve).
> 
> To comply with this specific scenario, the (push) client registration request may also include the following parameters:
> 
> - IdP domain name (e.g. idp.booble.com)
> - Level of Assurance (e.g. LOA_Reference=2)
> - Trust Framework provider reference (e.g. https://secure.globaltrust.org/IdP/whitelist)
> 
> (attached a diagram/flow about Client-Authorization Server and TFP interactions).
> 
> Advantages:
> 1. Authorization Manager is able to verify whether the IdP domain is certified by a TFP, and at which LOA, before releasing client_id and secret.
> 2. Authorization Manager obtains "certified meta-data" from the TFP about the IdP.
> 
> 
> The following links provide interesting references about trust management aspects:
> - http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf   (par. 2.7 Programmed Trust, p. 15)
> - http://www.xmlgrrl.com/blog/publications/#oitf
> 
> hope it's useful for the discussion.
> 
> Domenico
> 
> On Jul 12, 2010, at 11:29 AM, Christian Scholz wrote:
> 
>> Hi!
>> 
>> I updated the draft to include Maciej's spec, Thomas' intro and did some
>> wording stuff of my own. I also included a TODO section where you might want
>> to choose a task :-)
>> 
>> You can find it at:
>> 
>> http://mrtopf.clprojects.net/uma/
>> 
>> The source code can be found at
>> 
>> http://github.com/mrtopf/UMA-Specifications
>> 
>> Feedback and text changes etc. are welcome! (I don't think it needs
>> to be 100% perfect to be submitted but I would like to have those
>> questions answered, e.g. about signing and more about the authorization
>> requirement).
>> 
>> -- Christian
>> 
>> 
>> 
>> -- 
>> Christian Scholz                          Homepage: http://comlounge.net
>> COM.lounge GmbH                                    http://mrtopf.de/blog
>> Hanbrucher Str. 33                             http://twitter.com/mrtopf
>> 52064 Aachen                                             Skype: HerrTopf
>> Tel: +49 241 400 730 0                                  cs at comlounge.net
>> Fax: +49 241 979 00 850                                      IRC: MrTopf
>> 
>> Podcasts:
>> Der OpenWeb-Podcast (http://openwebpodcast.de)
>> Data Without Borders (http://datawithoutborders.net)
>> Politisches: http://politfunk.de/
>> Technical: http://comlounge.tv/
>> _______________________________________________
>> WG-UMA mailing list
>> WG-UMA at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-uma
> 
> 
> 
> 
> Domenico Catalano | Identity Architect | +39.335.7257896
> Oracle Fusion Middleware
> via G. Romagnosi - 00142 Rome, Italy
> 
> 	Oracle is committed to developing practices and products that help protect the environment
> 
> 
> 
> 
> 


Eve Maler
http://www.xmlgrrl.com/blog
http://www.twitter.com/xmlgrrl
http://www.linkedin.com/in/evemaler
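As an added illustration of the authorization-server-side check Domenico proposes above (this is example code, not from the UMA drafts or from anyone on the thread), the sketch below takes the three extra push-registration parameters, consults a Trust Framework Provider whitelist, and only releases a client_id and secret when the IdP domain is certified at a sufficient LOA. The whitelist layout, the parameter names, and the required LOA are all assumptions; the whitelist contents are constructed sample data.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a TFP whitelist, keyed by the TFP reference URL
# and mapping certified IdP domains to their certified LOA. The layout is an
# assumption; a real AS would fetch and integrity-check this from the TFP.
TFP_WHITELIST = {
    "https://secure.globaltrust.org/IdP/whitelist": {
        "idp.booble.com": 2,
        "idp.example.org": 3,
    },
}


@dataclass
class RegistrationResult:
    accepted: bool
    reason: str
    client_id: Optional[str] = None
    client_secret: Optional[str] = None


def register_idp_client(request: dict, required_loa: int,
                        whitelist: dict = TFP_WHITELIST) -> RegistrationResult:
    """Hypothetical AS check: issue credentials only for a TFP-certified IdP."""
    tfp = request.get("tfp_reference")
    domain = request.get("idp_domain")
    claimed = request.get("loa_reference")
    if tfp not in whitelist:
        return RegistrationResult(False, "unknown trust framework provider")
    certified_loa = whitelist[tfp].get(domain)
    if certified_loa is None:
        return RegistrationResult(False, "IdP domain not certified by this TFP")
    # The TFP's certified LOA is authoritative; a self-asserted LOA higher
    # than what the TFP certifies is rejected rather than silently downgraded.
    if claimed is not None and int(claimed) > certified_loa:
        return RegistrationResult(False, "claimed LOA exceeds certified LOA")
    if certified_loa < required_loa:
        return RegistrationResult(
            False, f"certified LOA {certified_loa} below required {required_loa}")
    # Only now release client credentials (random, unguessable values).
    return RegistrationResult(True, "certified IdP",
                              client_id=secrets.token_urlsafe(16),
                              client_secret=secrets.token_urlsafe(32))
```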
