...
True. I see three flavors of attributes. First, you have attributes that would always be true about the user and could be looked up using only partial knowledge of the user (such as by their username). These include things like password policy enforced and a checklist of procedures followed during signup. Other attributes are only known once authentication has been complete, such as the timestamp and whether or not SSL was employed. These attributes would stick around as metadata associated with the "Authentication" object. (See the AuthenticationMetaDataPopulator interface in the current CAS implementation.) Finally, some attributes, such as the "initial" attribute, would need to be handled as a special case. That's because for a given Authentication, this attribute has the value of "true" at first, but then has the value of "false" for every time after that. Note that I'm not convinced that it would be best to re-implement "renew" as a feature of LOA in this way. Doing this gives a lot of flexibility, but it might be sufficient to think of it as a separate concern.
NEW 2 Jérôme:
I read your spec carefully. It's excellent work; I think we're close to a solution we both agree on.
My remarks on your spec and more globally. I agree:
- on the LOA definition based on an ordered list of authentication handlers
- with the requested "loa" parameter syntax: a numeric value means that LOA or higher, a name value requests a specific LOA
- that authentication handlers should be linked to user interactions (instead of credentials, which are not known to LOA)
- on using precedence for interactions that have the same level of assurance.
But,
- the user interactions part is not totally clear to me: do you want to have one screen with multiple user interactions, or several screens with just one user interaction each? I also think that each interaction should be attached to credentials for further authentication
- I still believe we can get rid of parameters just by using the supports() method on the authentication handler: I would say that the supports() method could have more input than just the credentials, but also the Authentication, HttpServletRequest... Don't you think?
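To make the two agreed points concrete (an LOA derived from an ordered list of handlers, and a "loa" parameter that is either numeric, meaning that level or higher, or a name, meaning a specific level), here is a small added Java sketch; it is not CAS code and not either author's design, and the handler names and the LoaPolicy class are assumed placeholders.

```java
import java.util.*;

// Added example, not CAS code: LOA as a position in an ordered handler list.
public class LoaPolicy {
    // Ordered from weakest to strongest; a handler's level is its index + 1.
    private final List<String> orderedHandlers;

    public LoaPolicy(List<String> orderedHandlers) {
        this.orderedHandlers = List.copyOf(orderedHandlers);
    }

    /** Numeric level of a handler name (1-based), or 0 if the name is unknown. */
    public int levelOf(String handlerName) {
        return orderedHandlers.indexOf(handlerName) + 1;
    }

    /** Strongest level among the handlers that succeeded for one authentication. */
    public int achievedLevel(Collection<String> successfulHandlers) {
        int best = 0;
        for (String h : successfulHandlers) best = Math.max(best, levelOf(h));
        return best;
    }

    /**
     * Does an authentication performed by the given handlers satisfy the
     * requested "loa" parameter? A missing parameter imposes no requirement.
     * The parameter is untrusted request input, so it is matched strictly.
     */
    public boolean satisfies(String requestedLoa, Collection<String> successfulHandlers) {
        if (requestedLoa == null || requestedLoa.isBlank()) return true;
        if (requestedLoa.matches("\\d{1,9}")) {
            // Numeric: the requested level or any stronger one (bounded to avoid overflow).
            return achievedLevel(successfulHandlers) >= Integer.parseInt(requestedLoa);
        }
        // Name: some successful handler must sit at exactly that level;
        // an unknown name (level 0) is never satisfied.
        int wanted = levelOf(requestedLoa);
        return wanted > 0 && successfulHandlers.stream().anyMatch(h -> levelOf(h) == wanted);
    }

    public static void main(String[] args) {
        // Constructed handler list and session: placeholder names, not a real deployment.
        LoaPolicy policy = new LoaPolicy(List.of("ldap-password", "x509-certificate", "otp-token"));
        Set<String> used = Set.of("ldap-password", "otp-token");
        System.out.println("loa=2 (numeric, at least level 2): " + policy.satisfies("2", used));
        System.out.println("loa=x509-certificate (exact level): " + policy.satisfies("x509-certificate", used));
        System.out.println("loa=9 (unreachable level): " + policy.satisfies("9", used));
    }
}
```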
B) Level of assurance (new)
...