Subject: Re: [saml-dev] Digital Signature Usage in X.509 Subject Attribute Query Specifications
On Wed, Apr 8, 2009 at 6:31 PM, Anil John <aniltj@gmail.com> wrote:
> On Wed, Apr 8, 2009 at 3:31 PM, Tom Scavo <trscavo@gmail.com> wrote:
>> Well, [2] was introduced primarily because [1] was thought to be
>> overly restrictive (by me at least :) in some respects. A synchronous
>> exchange over a protected transport need not be further protected at
>> the message level, in general.
>
> Ah.. What were the concerns raised by the other folks that felt that
> the protection was not enough?

Well, [1] came first and it met the requirements of the authors (and
their constituents) so there was no desire to change that. Thus [2]
was born :-)

Another difference between [1] and [2] as I recall is the use of
X509SubjectName identifiers. [2] was groping for interoperability with
respect to DNs so it mandated conformance to RFC 2253. (Note that the
Second Edition of XML Signature goes one step further by mandating
conformance to RFC 4514, so for all practical purposes [2] does as
well.) That said, DNs are a nightmare, so if I had it to do over again
I'd probably specify the SAML Subject differently.

Tom
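The DN interoperability problem mentioned above (the RFC 2253 / RFC 4514 string form of an X.500 name used in an X509SubjectName identifier) is illustrated by the following added example. It is not code from this thread, from the SAML specifications or from any SAML implementation. It parses RFC 4514 DN strings, compares them as X.500 names rather than as byte strings, and re-serialises them in one canonical spelling. The tolerance for whitespace around separators, the approximation of caseIgnoreMatch by casefold plus whitespace collapse, and the escaping of every control character are assumptions marked in the code; "#"-prefixed BER hexstring values are rejected rather than decoded.

```python
"""RFC 4514 DN strings: parse, canonicalise, compare (added example, not code from the thread or the SAML specs)."""
from typing import List, Tuple

# RFC 4514 section 3: short names every implementation MUST recognise (OIDs from RFC 4519).
SHORT_NAMES = {"CN": "2.5.4.3", "L": "2.5.4.7", "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11",
               "C": "2.5.4.6", "STREET": "2.5.4.9", "DC": "0.9.2342.19200300.100.1.25",
               "UID": "0.9.2342.19200300.100.1.1"}
OID_TO_SHORT = {oid: name for name, oid in SHORT_NAMES.items()}
HEX = set("0123456789abcdefABCDEF")
RDN = List[Tuple[str, str]]  # one relative DN: one or more (type, value) pairs

def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on unescaped `sep`, dropping unescaped spaces around each part. A backslash and the
    character after it (a special char, or the first hex digit) form one token, so they never split.
    The whitespace leniency is what RFC 2253 section 4 asked of parsers (assumption: still wanted)."""
    parts, cur, i = [], [], 0
    while i <= len(s):
        tok = s[i:i + 2] if s[i:i + 1] == "\\" and i + 1 < len(s) else s[i:i + 1]
        i += len(tok) or 1  # the empty token at end of input flushes the last part
        if tok and tok != sep:
            cur.append(tok)
            continue
        while cur and cur[-1] == " ":
            cur.pop()
        while cur and cur[0] == " ":
            cur.pop(0)
        parts.append("".join(cur))
        cur = []
    return parts

def _unescape(raw: str) -> str:
    """Undo RFC 4514 escaping: '\\X' yields X, '\\XX' (hex) yields one UTF-8 byte."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out.extend(raw[i].encode("utf-8"))
            i += 1
        elif i + 3 <= len(raw) and raw[i + 1] in HEX and raw[i + 2] in HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        elif i + 1 < len(raw):
            out.extend(raw[i + 1].encode("utf-8"))
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return out.decode("utf-8")

def _escape(value: str) -> str:
    """RFC 4514 section 2.4: escape specials, a leading '#' or space, a trailing space and NUL."""
    last, out = len(value) - 1, []
    for i, ch in enumerate(value):
        if ch in '",+;<>\\' or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:  # NUL MUST be escaped; escaping every control char is an assumption
            out.append(f"\\{ord(ch):02X}")
        else:
            out.append(ch)
    return "".join(out)

def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into RDNs in string order (leftmost first); types stay as written."""
    rdns: List[RDN] = []
    for rdn_str in (_split_unescaped(dn, ",") if dn.strip() else []):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_str, "+"):
            typ, eq, raw = ava.partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"malformed attribute type and value: {ava!r}")
            raw = raw.lstrip()
            if raw.startswith("#"):  # BER hexstring values are valid RFC 4514 but out of scope here
                raise ValueError("hexstring values (#...) not handled in this example")
            rdn.append((typ.strip(), _unescape(raw)))
        rdns.append(rdn)
    return rdns

def _canon_type(typ: str) -> str:
    """Types are case-insensitive and may be written as OIDs; compare as OID ('oid.' prefix is RFC 2253 legacy)."""
    t = typ.upper()
    t = t[4:] if t.startswith("OID.") else t
    return SHORT_NAMES.get(t, t)

def _canon_value(value: str) -> str:
    """caseIgnoreMatch (RFC 4519's rule for every SHORT_NAMES attribute), approximated; no full RFC 4518 prep."""
    return " ".join(value.casefold().split())

def normalize(dn: str) -> List[RDN]:
    """Canonical structure for comparison: OID types, folded values, AVAs sorted within each RDN."""
    return [sorted((_canon_type(t), _canon_value(v)) for t, v in rdn) for rdn in parse_dn(dn)]

def dn_equal(a: str, b: str) -> bool:
    """Compare two DN strings as X.500 names rather than as byte strings."""
    return normalize(a) == normalize(b)

def to_rfc4514(dn: str) -> str:
    """Re-serialise in one deterministic RFC 4514 spelling (RDN order kept, AVAs sorted)."""
    rdns = []
    for rdn in parse_dn(dn):
        avas = sorted((_canon_type(t), v) for t, v in rdn)
        rdns.append("+".join(f"{OID_TO_SHORT.get(t, t)}={_escape(v)}" for t, v in avas))
    return ",".join(rdns)
```

With constructed inputs, `"CN=Tom Scavo,O=Example\, Inc.,C=US"` and `"cn=tom scavo, o=Example\2c Inc., c=us"` are unequal as byte strings but `dn_equal` reports them as the same name, as it does for the OID spelling `"2.5.4.3=Tom Scavo,oid.2.5.4.10=Example\, Inc.,C=US"`; RDN order is still significant, so `"CN=A,O=B"` and `"O=B,CN=A"` stay distinct. A relying party that matches an X509SubjectName by plain string comparison gets false rejects on the first pair; one that lower-cases and strips without parsing the escapes is guessing. Parsing to X.500 structure first is the interoperable middle ground, and even then the choice of matching rule per attribute is a decision the DN string does not carry.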