Subject: Assertion Validation Service
The notion of an assertion validation service is floating around and appeared on the ballot, but it is not clear to me that there is significant agreement on what it means. Phill suggested that it is something like X-KISS. If so, I suggest it be called a PK validation service or something of that sort, since it is not validating assertions, but the cryptographic operations used to bind the assertions to its issuer and/or subject.

Assuming this is what is intended, I see two issues.

The first is procedural. In my mind this is a major change of scope in SAML and should have been presented to the rqmnts group in the form of a use case or rqmnt. It certainly seems to me to be more like a business rqmnt than a technical mechanism, as it implies various characteristics of the client systems and networks not mentioned in any current use cases.

The second issue is more significant. As I understand it, XKMS (which subsumes X-KISS) has just been submitted to the W3C. It does not seem wise to have two different standards groups working on the same standard at the same time.

The obvious resolution would be to have SAML simply reference X-KISS. This is ok with me, but we are faced with the same problem as with XML encryption. (Debated and balloted in the rqmnts group) It may not be completed in time for SAML. It seems impractical to reference something which does not exist.

I have not been involved with XKMS. Perhaps it is destined to be swiftly ratified with little or no modification. That would eliminate the problem. Can anyone comment on this?

Hal