OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] BPP vs BAP for SAML 1.1



> -----Original Message-----
> From: Jahan Moreh [mailto:jmoreh@sigaba.com]
> Sent: Tuesday, March 23, 2004 7:01 PM
> To: John Hughes; Security-Services
> Subject: RE: [security-services] BPP vs BAP for SAML 1.1
> 
> John -
> I am sure you have already thought about this. But just in case, there are
> two salient pro/con for BPP vs. BAP:
> 1. BAP has the advantage of being more compact on the Browser (i.e., only
> the artifact passes through the browser),
> 2. BPP has the advantage that it is "self-confirming" and does not require
> a (SOAP) connection from the assertion consumer to an assertion producer.

[Rob] BPP requires the use of XML-DSIG for signing/verifying the responses.
The complexity associated with setting this up can be just as onerous as
setting up a SOAP channel. The PKI fear factor is still high outside of the
security community.  While customers seem to now accept and can deal with
setting up server-side SSL, when you go beyond that to mutual authn SSL or
(yikes) DSIG, the fear factor really starts to rise. The reasons may be real
or just perceived to be real, but they are there.

BPP may perform a bit better than BAP given the need for a back-channel
call.  However, the performance gain is negated a bit by the expensive
signing/verification/cert validation steps.
> 
> I personally think that (2) outweighs (1), but that's another matter.
[Rob] I personally see little overall advantage of one over the other.  If
the customer doesn't like to deal with PKI/DSIG, we steer them to BAP.  If
they don't want to have to set up/manage the extra back-channel service,
then we'll steer them toward BPP.
> 
> Thanks,
> Jahan
> 
> ------
> Jahan Moreh
> Chief Security Architect
> 310.288.2141
> 
> -----Original Message-----
> From: John Hughes [mailto:john.hughes@entegrity.com]
> Sent: Tuesday, March 23, 2004 1:12 AM
> To: Security-Services
> Subject: [security-services] BPP vs BAP for SAML 1.1
> 
> 
> It's just crossed my mind that it might be good to have a small section in
> the SAML 1.1 Technical Overview on the pros/cons using BAP vs BPP (and
> vice versa).  I can think of some - but welcome other input.
> 
> 
> John
> 

