Subject: RE: [security-services] Groups-draft-sstc-solution-profile-soap-02.pdf uploaded
>1) Use WSS to secure the AuthnRequest from Requestor to SAML Authority via:
>   a) Security Token Reference to identify the Subject:
>      i) SubjectConfirmation/KeyInfo/wsse:SecurityTokenReference
>      ii) Subject/wsse:SecurityTokenReference

In case ii) I think (but could be wrong) that a subject represented only by a security token was intended to be expressed as only SubjectConfirmation. Is it useful to have a confirmation method perhaps that says the confirmation data will be a STR?

>   b) Security Token Reference to identify the Target

I note current specs only identify Target in a vague way via Audience. I personally like the simplicity. Of course encryption also provides some degree of targeting.

>   e) Encryption to provide confidentiality

Confidentiality of...?

Would like to in general see us first settle on the basic use cases/semantics we want to support in the AuthnRequest protocol (or protocols) and what message bits are needed. Then a separate discussion could be had on where WSS STR's fit or don't fit in the current schema as a means of expressing some of those pieces.

Just a thought.

-- Scott