Subject: Re: [saml-dev] Digital Signature Usage in X.509 Subject Attribute Query Specifications


On Wed, Apr 8, 2009 at 6:31 PM, Anil John <aniltj@gmail.com> wrote:
> On Wed, Apr 8, 2009 at 3:31 PM, Tom Scavo <trscavo@gmail.com> wrote:
>> Well, [2] was introduced primarily because [1] was thought to be
>> overly restrictive (by me at least :) in some respects.  A synchronous
>> exchange over a protected transport need not be further protected at
>> the message level, in general.
>
> Ah.. What were the concerns raised by the other folks that felt that
> the protection was not enough?

Well, [1] came first and it met the requirements of the authors (and
their constituents) so there was no desire to change that.  Thus [2]
was born :-)

Another difference between [1] and [2] as I recall is the use of
X509SubjectName identifiers.  [2] was groping for interoperability
with respect to DNs so it mandated conformance to RFC 2253.  (Note
that the Second Edition of XML Signature goes one step further by
mandating conformance to RFC 4514, so for all practical purposes [2]
does as well.)  That said, DNs are a nightmare, so if I had it to do
over again I'd probably specify the SAML Subject differently.

Tom
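The paragraph above on X509SubjectName identifiers turns on what "conformance to RFC 2253 / RFC 4514" actually asks of a DN string: RDNs written most-specific first (the reverse of ASN.1 order), attribute types spelled with the short names RFC 4514 defines (otherwise a dotted OID), and values escaped by its rules, including the NUL escape RFC 4514 added. The following is an added example, not code from this thread, from [1] or [2], or from any SAML implementation; the subject DN and all values in it are constructed sample data. It serializes an ASN.1-ordered subject into RFC 4514 form, parses such a string back, and compares two strings structurally. The comparison deliberately stops at byte-for-byte value equality and does not apply X.520 matching rules (case-ignore for CN, for example), which is one concrete reason two "conformant" X509SubjectName strings for the same certificate can still fail to match.

```python
"""RFC 4514 string form of an X.500 distinguished name: serializer, parser
and structural comparison.  Added example for the saml-dev thread; the
sample subject below is constructed data, not taken from any deployment."""

# Attribute types RFC 4514 (section 3) lets a producer write by short name.
# Anything else must be emitted as a dotted-decimal OID.
RFC4514_SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}

# Characters RFC 4514 section 2.4 requires escaped wherever they appear.
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")

# Constructed sample subject, in ASN.1 (root-first) order; each RDN is a
# list of (oid, value) pairs, the last one multi-valued.
SAMPLE_SUBJECT = [
    [("2.5.4.6", "US")],
    [("2.5.4.10", "Example, Inc.")],
    [("2.5.4.11", "IT"), ("2.5.4.3", " Alice #1 ")],
]


def escape_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL: hex escape (RFC 4514)
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading number sign
        else:
            out.append(ch)
    return "".join(out)


def dn_to_string(rdn_sequence) -> str:
    """RFC 4514 string of a DN given in ASN.1 order: RDNs are written
    reversed (most specific first), multi-valued RDNs joined with '+'."""
    rdn_strings = []
    for rdn in reversed(rdn_sequence):
        rdn_strings.append("+".join(
            f"{RFC4514_SHORT_NAMES.get(oid, oid)}={escape_value(value)}"
            for oid, value in rdn))
    return ",".join(rdn_strings)


def parse_dn(dn: str):
    """Parse an RFC 4514 string into RDNs (string order) as lists of
    (type, value).  Handles '\\c' and '\\XX' escapes; consecutive hex
    escapes are decoded together as one UTF-8 sequence."""
    rdns, rdn, buf, type_name = [], [], [], None
    pending = bytearray()                      # hex bytes awaiting decode

    def flush_hex():
        if pending:
            buf.append(pending.decode("utf-8"))
            pending.clear()

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("trailing backslash in DN string")
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and set(nxt) <= _HEX:
                pending.append(int(nxt, 16))
                i += 3
                continue
            flush_hex()
            buf.append(dn[i + 1])              # escaped literal character
            i += 2
            continue
        flush_hex()
        if ch == "=" and type_name is None:
            type_name, buf = "".join(buf), []
        elif ch in ",+":
            rdn.append((type_name, "".join(buf)))
            type_name, buf = None, []
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    flush_hex()
    rdn.append((type_name, "".join(buf)))
    rdns.append(rdn)
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Structural comparison of two RFC 4514 strings: types are
    case-insensitive and multi-valued RDNs unordered, but values are
    compared byte-for-byte (no X.520 matching rules)."""
    def norm(dn):
        return [frozenset((t.upper(), v) for t, v in rdn) for rdn in parse_dn(dn)]
    return norm(a) == norm(b)


if __name__ == "__main__":
    s = dn_to_string(SAMPLE_SUBJECT)
    print(s)                                   # RFC 4514 form of the sample
    print(parse_dn(s) == parse_dn(s.lower().replace("=", "=")))
```

Running the block prints the RFC 4514 string for the sample subject; the round trip through `parse_dn` recovers the unescaped values, and `dn_equal` shows that a differently cased type name or a reordered multi-valued RDN still matches while a differently cased value does not.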
