|Beach, Michael C||Oct 23, 2003 12:49 pm||.bin, .doc|
|John Kemp||Nov 24, 2003 1:58 pm|
|Beach, Michael C||Nov 25, 2003 11:24 am|
|Greg Whitehead||Nov 25, 2003 11:50 am|
|Beach, Michael C||Nov 25, 2003 12:24 pm|
|Greg Whitehead||Nov 25, 2003 12:32 pm|
|John Kemp||Nov 26, 2003 6:20 am|
|Scott Cantor||Nov 26, 2003 8:22 am|
|John Kemp||Nov 27, 2003 7:49 am|
|Scott Cantor||Nov 28, 2003 9:30 pm|
|Conor P. Cahill||Nov 29, 2003 2:14 am|
|Conor P. Cahill||Nov 29, 2003 2:25 am|
|Conor P. Cahill||Nov 29, 2003 2:27 am|
|John Kemp||Nov 29, 2003 5:54 am|
|Conor P. Cahill||Nov 29, 2003 11:35 am|
|Beach, Michael C||Nov 29, 2003 11:37 am|
|John Kemp||Nov 29, 2003 11:52 am|
|Beach, Michael C||Nov 29, 2003 11:59 am|
|Beach, Michael C||Nov 29, 2003 12:03 pm|
|Conor P. Cahill||Nov 29, 2003 1:46 pm|
|Conor P. Cahill||Nov 29, 2003 2:59 pm|
|Anthony Nadalin||Nov 30, 2003 5:23 pm|
|Conor P. Cahill||Nov 30, 2003 7:18 pm|
|Conor P. Cahill||Dec 1, 2003 4:16 am|
|Anthony Nadalin||Dec 1, 2003 9:31 pm|
|Conor P. Cahill||Dec 2, 2003 4:38 am|
|Anthony Nadalin||Dec 3, 2003 4:36 am|
|Conor P. Cahill||Dec 3, 2003 4:54 am|
|Subject:||Re: [security-services] Re: ForceAuthn (was Use Cases)|
|From:||John Kemp (onez...@bcn.net)|
|Date:||Nov 29, 2003 5:54:25 am|
On Saturday, Nov 29, 2003, at 05:31 US/Eastern, Conor P. Cahill wrote:
Scott Cantor wrote on 11/29/2003, 12:36 AM:
Well, your point is certainly well taken, but I guess I wasn't necessarily equating ForceAuthn with "InteractWithUser". To me, all this says is for the IdP to at least check the authentication status of the user, following *their* policy. This may include a user interaction, but as you point out below, it may not. So, perhaps the term 'ForceAuthn' is somewhat misleading?
"checking authn status" sounds a little light for something that I thought was meant to imply a bypassing of SSO.
I agree. I like to think of ForceAuthn as the SP asking the IdP to do whateve it takes so that the IdP can update the AuthenticationInstant in the assertion at this time.
And that is my understanding too. I was merely pointing out that Scott is actually right - it may not involve a user interaction, and may simply involve checking a cached cert. without any active, direct user re-authentication at all. So, the term "ForceAuthn" could be misleading.
For a UserName/Password authentication, this means it is a challenge to the user. For some other authentication methods (such as an X509 certificate, the IdP can challenge the client, but the IdP doesn't have control what the client does with the user, so there may be a soe cases where there is no challenge to the user).
Right - we're all in violent agreement.
I guess the ultimate question though is whether we think that ForceAuthn semantics that allow a situation where the *user* is not challenged are sufficient for the SP, and if not, is this a problem?