Subject: RE: [saml-dev] Proposed SAML defaults for interoperability event

> > As far as the SOAP binding goes, we would prefer mutual
> > authentication (client certificates). It is more secure and
> > actually easier to implement (no need to manage passwords,
> > do a basic auth header, etc.). Since we propose to exchange
> > trust roots anyway, you can use the same key/certificate for
> > both client and server ends.


> We prefer mutual auth with client certificates. We don't
> require a shared trust root for the certificates.

Just so this is clear to everybody, Ryan previously proposed exchange of trust roots as PKCS#12 objects. Each organisation can use as many or as few as they wish.

Similarly, the SSL client and server can use distinct EE certs and keys, with the same or different cert chains. However, we have found that using the same EE cert and key for SSL client and server works just fine and makes life simpler.

Hal
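Editorial note, added to this archive page: the arrangement Hal describes (each organisation hands the other its trust root, and one EE cert plus key serves a party as both SSL client and SSL server, with no shared root) can be exercised end to end with Go's standard library. The code below is an added example, not code from the thread or from any product mentioned in it. It assumes two hypothetical organisations, OrgA and OrgB, mints throwaway roots and EE certs in memory instead of shipping PKCS#12 files, and runs the handshake over loopback. The point it makes that the thread does not spell out: an EE cert reused in both roles must carry both the serverAuth and clientAuth extended key usages, and each side must actually install the other's root, otherwise the handshake fails in the expected direction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Party is one organisation at the event (names are hypothetical): its own trust
// root plus the single EE cert and key it uses as both SSL client and SSL server.
type Party struct {
	Root *x509.Certificate
	EE   tls.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewParty mints a throwaway root and one EE cert signed by it, entirely in memory.
// The EE cert carries BOTH serverAuth and clientAuth EKUs; drop either one and the
// peer rejects the cert in that role.
func NewParty(org string) *Party {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: org + " Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	root := must(x509.ParseCertificate(rootDER))
	eeKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: org + " SAML endpoint"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // the demo endpoint lives on loopback
	}
	eeDER := must(x509.CreateCertificate(rand.Reader, eeTmpl, root, &eeKey.PublicKey, rootKey))
	return &Party{Root: root, EE: tls.Certificate{Certificate: [][]byte{eeDER}, PrivateKey: eeKey}}
}

// MutualHandshake runs one mutually authenticated TLS handshake over loopback.
// Each side presents its own EE cert; serverTrusts and clientTrusts are the roots
// each side was handed in the trust-root exchange (no shared root is needed).
// It returns the peer CommonName each side verified, or the first handshake error.
func MutualHandshake(server, client *Party, serverTrusts, clientTrusts *x509.Certificate) (string, string, error) {
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(serverTrusts)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{server.EE},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no anonymous clients
		ClientCAs:    clientCAs,
	})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	type result struct {
		cn  string
		err error
	}
	done := make(chan result, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- result{err: err}
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- result{err: err}
			return
		}
		done <- result{cn: tc.ConnectionState().PeerCertificates[0].Subject.CommonName}
	}()

	rootCAs := x509.NewCertPool()
	rootCAs.AddCert(clientTrusts)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{client.EE}, // the very cert this party serves with
		RootCAs:      rootCAs,
	})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	clientSaw := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
	r := <-done // under TLS 1.3 the client finishes first, so wait for the server's verdict
	if r.err != nil {
		return "", "", r.err
	}
	return r.cn, clientSaw, nil
}

func main() {
	a, b := NewParty("OrgA"), NewParty("OrgB")
	s, c, err := MutualHandshake(a, b, b.Root, a.Root) // roots exchanged both ways
	fmt.Println("server saw:", s, "client saw:", c, "err:", err)
	_, _, err = MutualHandshake(a, b, a.Root, a.Root) // OrgA never imported OrgB's root
	fmt.Println("without the exchanged root:", err)
}
```

Swapping the arguments (OrgB serving, OrgA connecting) reuses exactly the same two EE certs, which is the "same cert and key for both ends" simplification; handing a side the wrong root reproduces the failure an organisation would hit if the PKCS#12 exchange was skipped.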


