
mfa-interop - RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile

Subject: MFA Interop Working Group

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile
  • Date: Wed, 1 Mar 2017 20:55:48 +0000


>> For clarity, I should have said "originally". When I described our
>> logic behind using AuthnContexts they modified the profile. So as I
>> understand it they are back to using AuthnContext as per the profile.

>If so, then I think my comment to them stands, I'd still like to see
>something defined for "not MFA" for completeness to cover all the bases.

Gotcha.

At the risk of forwarding all the REFEDS threads to this list, there was also
a back and forth on "minimum vs. exact".

With their attribute based model, they allowed an SP to say "I require
minimum good-entropy" (lower level than MFA) and for the IdP to respond with
"I did MFA". That doesn't work with AuthnContext if you presume AuthnContexts
IdPs are only doing "exact" matching. They changed language to talk about
requesting multiple authncontexts in priority order (which was actually the
specific question I asked you off list) as we called out in this workgroup.

I'm guessing their looking at these profiles as implicitly hierarchical was
also a factor in not seeing the value of having "Basic" defined.

--- Eric
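
The "exact" matching problem and the priority-ordered request described in the message above, sketched as an added example that is not part of the original email or of the REFEDS profile text. The good-entropy URI is a constructed placeholder, the request is constructed sample input, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MFA = "https://refeds.org/profile/mfa"
GOOD_ENTROPY = "urn:example:authn:good-entropy"  # constructed placeholder, not a real profile URI

# Constructed AuthnRequest: the SP lists every context it will accept, most preferred first.
REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed1" Version="2.0" IssueInstant="2017-03-01T00:00:00Z">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{MFA}</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{GOOD_ENTROPY}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def parse_requested(xml_text):
    """Return (comparison, class refs in document order) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    # SAML treats an omitted Comparison attribute as "exact".
    return rac.get("Comparison", "exact"), refs

def idp_select(requested, assertable):
    """IdP side, exact matching: first requested ref (priority order) that this
    login can assert. None models a NoAuthnContext failure response."""
    for ref in requested:
        if ref in assertable:
            return ref
    return None

def sp_accepts(requested, returned):
    """SP side, exact matching: the returned context must be one that was asked for."""
    return returned in requested

if __name__ == "__main__":
    comparison, refs = parse_requested(REQUEST)
    print(comparison, refs)
    print("IdP with MFA login returns:", idp_select(refs, {MFA}))
    # The failure case from the thread: SP asks only for the lower level, IdP says "I did MFA".
    print("SP asked good-entropy only, got MFA:", sp_accepts([GOOD_ENTROPY], MFA))
```

An SP that wants "at least good-entropy" under exact matching therefore has to enumerate both contexts itself, because nothing in the comparison implies that MFA satisfies the lower level.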


