RE: [security-services] Comments on SAML 2.0 Core draft-19...

["Scott Cantor" <cantor.2@osu.edu>]

> > I disagree.  The schema should represent typical usage and
> > not anything about UI principals.
> 
> Well, this attribute is only about user interfaces.

Right, but what's the "common" user interface? In SSO applications (of which
Liberty use cases are just a subset, if you don't mind my saying), the
common UI is you redirect from the resource to a login page. People "get"
this, it's not a new concept on the web.

> Hum. not my reading ... an IDP must establish the identity
> of the principal. If policy requires direct interaction,
> then IsPassive=0 is required.

In most cases, IsPassive=1 means that the user had better already be
authenticated. That's not a common presumption in these systems, so using it
is really for cases where an SP would *like* the user to maybe get logged
in, but doesn't really need it yet, seems to me.

> Okay, then a majority of the time the SP is saying: "I've
> taken pains to set this up with the user." In terms of security,
> this is testiment that "I (the SP) have done what is to be
> expected (for this context) to prevent the user from 
> responding to an interposed redirection and etc." 

On the web, this seems impossible to me. The spoofing/phishing attacks are
plentiful and moderately unstoppable without steps that have little to do
with SAML. We could spend hours on it, but it's immaterial here.

The only question should be "what's the common case, for whatever reason?".
I think it's false.

-- Scott