| From | Sent On | Attachments |
|---|---|---|
| Beach, Michael C | Oct 23, 2003 12:49 pm | .bin, .doc |
| John Kemp | Nov 24, 2003 1:58 pm | |
| Beach, Michael C | Nov 25, 2003 11:24 am | |
| Greg Whitehead | Nov 25, 2003 11:50 am | |
| Beach, Michael C | Nov 25, 2003 12:24 pm | |
| Greg Whitehead | Nov 25, 2003 12:32 pm | |
| John Kemp | Nov 26, 2003 6:20 am | |
| Scott Cantor | Nov 26, 2003 8:22 am | |
| John Kemp | Nov 27, 2003 7:49 am | |
| Scott Cantor | Nov 28, 2003 9:30 pm | |
| Conor P. Cahill | Nov 29, 2003 2:14 am | |
| Conor P. Cahill | Nov 29, 2003 2:25 am | |
| Conor P. Cahill | Nov 29, 2003 2:27 am | |
| John Kemp | Nov 29, 2003 5:54 am | |
| Conor P. Cahill | Nov 29, 2003 11:35 am | |
| Beach, Michael C | Nov 29, 2003 11:37 am | |
| John Kemp | Nov 29, 2003 11:52 am | |
| Beach, Michael C | Nov 29, 2003 11:59 am | |
| Beach, Michael C | Nov 29, 2003 12:03 pm | |
| Conor P. Cahill | Nov 29, 2003 1:46 pm | |
| Conor P. Cahill | Nov 29, 2003 2:59 pm | |
| Anthony Nadalin | Nov 30, 2003 5:23 pm | |
| Conor P. Cahill | Nov 30, 2003 7:18 pm | |
| Conor P. Cahill | Dec 1, 2003 4:16 am | |
| Anthony Nadalin | Dec 1, 2003 9:31 pm | |
| Conor P. Cahill | Dec 2, 2003 4:38 am | |
| Anthony Nadalin | Dec 3, 2003 4:36 am | |
| Conor P. Cahill | Dec 3, 2003 4:54 am | |
| Subject: | Re: [security-services] Re: ForceAuthn (was Use Cases) | |
|---|---|---|
| From: | Conor P. Cahill (conc...@aol.com) | |
| Date: | Nov 29, 2003 11:35:00 am | |
| List: | org.oasis-open.lists.security-services | |
John Kemp wrote on 11/29/2003, 8:59 AM:

> On Saturday, Nov 29, 2003, at 05:31 US/Eastern, Conor P. Cahill wrote:
>
> > I like to think of ForceAuthn as the SP asking the IdP to do whatever it takes so that the IdP can update the AuthenticationInstant in the assertion at this time.
>
> And that is my understanding too. I was merely pointing out that Scott is actually right - it may not involve a user interaction, and may simply involve checking a cached cert. without any active, direct user re-authentication at all. So, the term "ForceAuthn" could be misleading.
Note that it doesn't say "ForceUserInteraction". It says "ForceAuthn" and Authn may or may not involve user interaction, depending upon what credentials are being used to validate the Authn.
This applies regardless of whether the IdP is authenticating the user for the first time during a "session" or if it is because of the ForceAuthn setting on the AuthnRequest.
If an SP needs to determine if a user interaction has taken place as part of the credential validation for the user, they need to use/require an appropriate authentication context.
> I guess the ultimate question though is whether we think that ForceAuthn semantics that allow a situation where the *user* is not challenged are sufficient for the SP, and if not, is this a problem?
Challenging the user is orthogonal to ForceAuthn. Challenging the user is related to the authentication context that is requested by the SP, under the control of the SP. The ForceAuthn can impact interactions, but only in conjunction with the authentication context.
So, I think things are well handled given the current set of options.
Conor
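The distinction Conor draws above, "did the IdP re-establish authentication now?" (ForceAuthn) versus "was the user actually challenged?" (authentication context), can be checked separately on the SP side. The following is an added illustration, not code from the thread or from any OASIS deliverable. It assumes a SAML 2.0-style assertion, uses the real SAML 2.0 authentication context class URIs for X.509 and PasswordProtectedTransport, and operates on a constructed, unsigned sample assertion in which the IdP honoured ForceAuthn by re-validating a client certificate, so the AuthnInstant is fresh but no user was challenged. Signature validation, audience and Conditions checks are out of scope here; only the two questions from the thread are modelled.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Real SAML 2.0 authentication context class URIs (from the SAML 2.0
# Authentication Context specification).
AC_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
AC_PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample assertion (not from the thread). The IdP re-validated a
# client certificate in response to ForceAuthn, so AuthnInstant is fresh,
# but the reported context class tells the SP that no user was challenged.
# Unsigned and minimal; for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" IssueInstant="2003-11-29T16:35:10Z" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2003-11-29T16:35:05Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z') form into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_authn(assertion_xml, request_issue_instant, required_classes):
    """Answer the two questions from the thread separately.

    fresh      -- did the IdP (re)establish authentication after the SP's
                  AuthnRequest was issued? This is what ForceAuthn asks for.
    context_ok -- is the reported AuthnContextClassRef one the SP accepts?
                  This is the only signal of *how* the user was authenticated,
                  and therefore of whether the user was challenged.
    accept     -- both conditions hold.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        raise ValueError("assertion carries no usable AuthnStatement")

    authn_instant = parse_instant(stmt.get("AuthnInstant"))
    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    class_ref = ref.text.strip() if ref is not None and ref.text else None

    # ForceAuthn honoured: the authentication instant is not older than the request.
    fresh = authn_instant >= parse_instant(request_issue_instant)
    # User interaction is decided by policy on the context class, not by ForceAuthn.
    context_ok = class_ref in set(required_classes)

    return {
        "authn_instant": authn_instant.isoformat(),
        "fresh": fresh,
        "class_ref": class_ref,
        "context_ok": context_ok,
        "accept": fresh and context_ok,
    }


if __name__ == "__main__":
    request_time = "2003-11-29T16:35:00Z"  # constructed AuthnRequest IssueInstant
    # An SP content with certificate-based re-authentication accepts this.
    print(evaluate_authn(SAMPLE_ASSERTION, request_time, [AC_X509]))
    # An SP that needs the user challenged must require an interactive class;
    # ForceAuthn alone does not get it there.
    print(evaluate_authn(SAMPLE_ASSERTION, request_time, [AC_PASSWORD_PT]))
```

Running the two policies against the same assertion shows the point: both see a fresh AuthnInstant, so ForceAuthn was honoured in both cases, but only the SP that accepts the X.509 class reaches `accept`; the SP that requires PasswordProtectedTransport rejects it even though the IdP did "whatever it takes" to refresh the instant.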