Subject: Presence and IntComm WG


Re: [wg-pic] PIC-wg call on Thursday, November 5, 2009


  • From: Tom Scavo
  • Subject: Re: [wg-pic] PIC-wg call on Thursday, November 5, 2009
  • Date: Thu, 5 Nov 2009 19:48:25 -0600

On Thu, Nov 5, 2009 at 6:50 PM, Rodney McDuff wrote:
>
> 1) create an SP which, once a user is authenticated, creates a one-time
> password, inserts it into the xmpp server database for that user, and
> downloads to the user a modified JNLP file with the one-time password
> and JID in it.
> 2) modify the jeti application to get the one-time password and JID from
> the JNLP file and start up jeti pre-configured for the user with JID,
> password (and other preferences?)

Ah, this is the same technique used by the GridShib CA. In this case,
the downloaded Java code makes an X.509 certificate request to the CA,
which issues a short-lived end entity certificate to the client. As a
result, the client has an X.509 credential that it can use to
authenticate to grid services. The credential is a standard X.509
credential so it can be used for anything really (as long as the
relying party trusts the GridShib CA of course).

An interesting twist is that the GridShib CA can bind a SAML assertion
to the X.509 certificate. The SAML assertion can be the one obtained
from the user's identity provider or a special assertion issued by the
CA. The authentication context and user attributes in the X.509-bound
SAML assertion can be used for access control at the relying party.

Tom
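The bootstrap Rodney sketches above (the SP mints a one-time password after SSO, records it for the user in the XMPP server database, and hands down a JNLP carrying the JID and password, which the modified jeti reads at start-up), as an added stand-alone Python sketch that is not part of this thread and not jeti or GridShib code. The in-memory store stands in for the XMPP database, and the JNLP layout, argument names and main class are assumptions; the store keeps only a hash, expires the entry, and removes it on the first redemption attempt, so a JNLP that leaks from a browser cache cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

OTP_TTL_SECONDS = 60  # assumption: the one-time password must be redeemed within a minute


class XmppOtpStore:
    """Stand-in for the XMPP server's per-user password table (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # jid -> (sha256 hex of the OTP, expiry timestamp)

    def issue(self, jid, now=None):
        """Called by the SP after SSO: mint an OTP and record only its hash for that JID."""
        now = time.time() if now is None else now
        otp = secrets.token_urlsafe(24)
        self._pending[jid] = (hashlib.sha256(otp.encode()).hexdigest(), now + OTP_TTL_SECONDS)
        return otp

    def redeem(self, jid, otp, now=None):
        """Called when jeti logs in: single-use (entry removed on any attempt) and time-bound."""
        now = time.time() if now is None else now
        entry = self._pending.pop(jid, None)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(otp.encode()).hexdigest())


def build_jnlp(jid, otp, codebase="https://sp.example.org/jeti/"):
    """Render the modified JNLP the SP returns to the browser (layout and argument
    names are assumptions; the main class is a placeholder)."""
    jnlp = ET.Element("jnlp", spec="1.0+", codebase=codebase, href="jeti.jnlp")
    res = ET.SubElement(jnlp, "resources")
    ET.SubElement(res, "jar", href="jeti.jar")
    app = ET.SubElement(jnlp, "application-desc", attrib={"main-class": "PLACEHOLDER.JetiMain"})
    ET.SubElement(app, "argument").text = "--jid=" + jid
    ET.SubElement(app, "argument").text = "--password=" + otp
    return ET.tostring(jnlp, encoding="unicode")


def read_jnlp_credentials(jnlp_xml):
    """What the modified jeti would do at start-up: pull JID and OTP out of the JNLP arguments."""
    args = dict(a.text.lstrip("-").split("=", 1) for a in ET.fromstring(jnlp_xml).iter("argument"))
    return args["jid"], args["password"]
```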
