security-services message



Subject: RE: [security-services] Proposed Agenda for SSTC Conference Call, Dec 23


> Note that the WSS SAML token profile describes how assertions
> may be chained such that SAML assertions (and other types of
> security tokens) referenced (by STR) from the confirmation
> method of an assertion may be used to identify additional subjects
> (i.e. proxies) as part of the confirmation method specification of an
> assertion.

This point is actually a bit more relevant to the work item on SSO proxying
(proxies are really just an optional implementation detail of the LECP work
item).

But note that this model of incorporating existing SAML tokens by reference
as subject confirmation is fundamentally unusable in deployments with
privacy-preserving identifiers. You can't expose the principal's identifier
to the new relying party in the chain, and you can't encrypt it without
breaking the signature.

-- Scott
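As an added illustration (not part of this thread or of the WSS SAML token profile itself), the following Python model shows the conflict Scott points out. A base assertion carries the principal's NameID under the issuer's signature; a proxy's chained assertion references it by ID and digest (standing in for an STR), so a relying party that validates the chain necessarily sees the base NameID. Encrypting the NameID after the fact changes the signed bytes, so the base signature no longer verifies and the chain breaks. The HMAC signature, the XOR "encryption", the keys and all names are constructed stand-ins for XML-DSig, XML-Enc and real identifiers.

```python
import hashlib
import hmac
import json

# Constructed issuer key: HMAC stands in for the XML-DSig signature a real
# SAML issuer would apply. Key, IDs and names below are made up for the example.
ISSUER_KEY = b"constructed-issuer-signing-key"


def canonical(assertion: dict) -> bytes:
    """Deterministic serialisation, standing in for XML canonicalisation (C14N)."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict) -> dict:
    """Issuer signs the assertion body, which includes the Subject's NameID."""
    body = {k: v for k, v in assertion.items() if k != "Signature"}
    sig = hmac.new(ISSUER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "Signature": sig}


def verify(assertion: dict) -> bool:
    """Relying party checks the signature over the assertion exactly as received."""
    body = {k: v for k, v in assertion.items() if k != "Signature"}
    expected = hmac.new(ISSUER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.get("Signature", ""))


def digest(assertion: dict) -> str:
    """Digest of the whole (signed) assertion, used by the chained reference."""
    return hashlib.sha256(canonical(assertion)).hexdigest()


def issue_base_assertion(name_id: str) -> dict:
    """Identity provider asserts the principal directly."""
    return sign({"ID": "_base", "Issuer": "idp.example",
                 "Subject": {"NameID": name_id}})


def issue_chained_assertion(base: dict, proxy: str) -> dict:
    """Proxy issues a new assertion whose SubjectConfirmation references the
    base assertion by ID and digest (our stand-in for a WSS STR)."""
    ref = {"AssertionID": base["ID"], "Digest": digest(base)}
    return sign({"ID": "_chained", "Issuer": proxy,
                 "Subject": {"NameID": proxy},
                 "SubjectConfirmation": {"ReferencedAssertion": ref}})


def resolve_chain(chained: dict, referenced: dict):
    """Relying party's view of the chain: both signatures and the reference must
    check out. Returns every NameID the relying party necessarily learns, or
    None if the chain does not verify."""
    if not (verify(chained) and verify(referenced)):
        return None
    ref = chained["SubjectConfirmation"]["ReferencedAssertion"]
    if ref["AssertionID"] != referenced["ID"] or ref["Digest"] != digest(referenced):
        return None
    return [chained["Subject"]["NameID"], referenced["Subject"]["NameID"]]


def encrypt_name_id(assertion: dict, rp_key: bytes) -> dict:
    """Try to hide the identifier from the new relying party *after* signing by
    replacing NameID with an EncryptedID-style blob. Toy keystream XOR, not a
    real cipher; the only point is that the signed bytes change."""
    plain = assertion["Subject"]["NameID"].encode()
    stream = hashlib.sha256(rp_key).digest()
    blob = bytes(b ^ stream[i % len(stream)] for i, b in enumerate(plain)).hex()
    hidden = json.loads(json.dumps(assertion))   # deep copy; original signature kept
    hidden["Subject"] = {"EncryptedID": blob}
    return hidden


if __name__ == "__main__":
    base = issue_base_assertion("alice@idp.example")
    chained = issue_chained_assertion(base, "proxy.example")
    print("identifiers exposed to relying party:", resolve_chain(chained, base))
    hidden = encrypt_name_id(base, b"constructed-rp-key")
    print("base signature valid after encrypting NameID:", verify(hidden))
    print("chain resolves with hidden NameID:", resolve_chain(chained, hidden))
```

Running it shows the two horns of the dilemma: with the plaintext base assertion the chain verifies but the relying party learns `alice@idp.example`; with the NameID encrypted, `verify` fails on the base assertion and the chain cannot be resolved at all.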
