Subject: RE: W-15: RE: [security-services] Second use case for the delegation/tiered model

> My question is whether there is any change needed to the web browser
> profiles? Or is it the case that the additional step (from intermediate to
> back-end service provider) is simply layered on top of the browser to
> intermediate step?

I left that undefined, but I believe it's a hard question to answer until we develop a working model of what the 2.0 profiles will be, and in turn that has to be done with an eye on this kind of use case.

Based strictly on 1.x, there are fairly few reasons why a SSO assertion couldn't be made forwardable (mainly the lack of a signature). I don't believe short lived assertions add any protection to those profiles, and they cause problems when discussing sessions. There are obviously still privacy and delegation issues to look at.

With pair-wise identifiers and some of the other ID-FF differences, there are many more privacy implications and also differences that make the assertions less forwardable (use of Audience in the POST profile, for example). OTOH, ID-FF mandates the signing of the SSO assertion, making it more forwardable than SAML.

-- Scott