Subject: RE: [saml-dev] How does an artifact issuer "authenticate" the sender of the <ArtifactResolve> message?
> Can't the requester sign the <ArtifactResolve> message? Am I
> missing something?

This is somewhat off-topic, but apropos for the question... I continue to wonder how one can be confident in the sender of a message based on a signature. That authenticates the message, but not the sender, and it seems like in this case moreso than many others in SAML, you *really* care about the sender quite a lot.

You could "trust" that the client is doing TLS server-auth to prevent a MitM, but that seems like a strange thing to do from the server end to protect the dereferencing of the artifact.

Maybe I'm just being picky, but it's always bugged me.

-- Scott
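Added example, not part of the original message or of any SAML implementation: a simplified artifact responder showing that a valid signature on <ArtifactResolve> verifies no matter who delivers the message, and which extra checks tie the request to its sender. Assumptions: HMAC stands in for the XML signature, `peer_identity` is whatever identity the transport authenticated (for example a TLS client certificate), and the key, entity IDs, artifact value and `MAX_AGE` are constructed.

```python
import hashlib
import hmac

SP_KEY = b"constructed-demo-key"   # stand-in for the requester's signing key
SP = "https://sp.example.org"      # constructed entity ID
MAX_AGE = 300                      # assumed freshness window, in seconds


def sign(msg, key):
    """Sign the ID, IssueInstant, Issuer and Artifact of a simplified request."""
    fields = ("id", "issue_instant", "issuer", "artifact")
    data = "|".join(str(msg[f]) for f in fields).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ArtifactResponder:
    def __init__(self, keys):
        self.keys = keys             # issuer -> verification key
        self.seen_ids = set()        # request IDs already processed
        self.used_artifacts = set()  # artifacts already dereferenced

    def signature_ok(self, msg, sig):
        """Message authentication only: says nothing about who is connected."""
        key = self.keys.get(msg["issuer"])
        return key is not None and hmac.compare_digest(sign(msg, key), sig)

    def resolve(self, msg, sig, peer_identity, now):
        """Return 'ok' or the reason the request is refused."""
        if not self.signature_ok(msg, sig):
            return "bad signature"
        if peer_identity != msg["issuer"]:   # sender must be the signer
            return "sender mismatch"
        if abs(now - msg["issue_instant"]) > MAX_AGE:
            return "stale"
        if msg["id"] in self.seen_ids or msg["artifact"] in self.used_artifacts:
            return "replay"
        self.seen_ids.add(msg["id"])
        self.used_artifacts.add(msg["artifact"])
        return "ok"


def demo():
    now = 1_700_000_000
    msg = {"id": "_req1", "issue_instant": now, "issuer": SP,
           "artifact": "AAQAAconstructed"}
    sig = sign(msg, SP_KEY)
    r = ArtifactResponder({SP: SP_KEY})
    return [r.signature_ok(msg, sig),
            r.resolve(msg, sig, "https://other.example.org", now),
            r.resolve(msg, sig, SP, now),
            r.resolve(msg, sig, SP, now)]
```
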