security-services message

Subject: RE: [security-services] BPP vs BAP for SAML 1.1

From: Scott Cantor <cantor.2@osu.edu>
To: "'Philpott, Robert'" <rphilpott@rsasecurity.com>, jmoreh@sigaba.com,'John Hughes' <john.hughes@entegrity.com>,'Security-Services' <security-services@lists.oasis-open.org>
Date: Wed, 24 Mar 2004 14:02:20 -0500

> One doesn't have to use mutual SSL authn when using BAP.  Some of our
> customers use HTTP BASIC Auth over server-side SSL.

Yikes, if you don't mind my saying so. ;-)

> Ummm... sure - you want to probably sign assertions if you're fwd'ing.
> However, in BPP, it's the responses being signed and also, the web SSO
> assertion isn't one you should be forwarding anyway.

Yes, and both are problems with 1.1 that I think 2.0 needs to fix (so
perhaps be prepared to not like my proposal). ;-)

-- Scott

Follow-Ups:
- Re: [security-services] BPP vs BAP for SAML 1.1
  - From: Rich Salz <rsalz@datapower.com>

References:
- RE: [security-services] BPP vs BAP for SAML 1.1
  - From: "Philpott, Robert" <rphilpott@rsasecurity.com>