OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] Some tech overview comments



Scott wrote:
> > While you rightly point out that given a lot of design latitude
> > you might do something entirely different, I've seen folks think
> > of ECP as a panacea, and get mired.
> 
> I've seen at *least* that much from people that start with the browser
> profile, so if you're arguing that's going to work better, I 
> would have to disagree. It leads to a lot of really broken and wacky 
> profiles.
> 

Agreed. One leads to the other ... group hysteresis-comes-hysteria. 
I'm only seeking that balance ... which given the multitude of the
straight-forward SSO cases, and on the other side the magnetic charm 
of complexity and 'enhancement', would seem to be to strike a somewhat 
equanimous posture about ECP.

> ... this focus on keeping inside the lines is a big contributor to 
> SAML's "over-abstractness" and inability to compete with alternatives 
> that don't play nicely inside the abstract boxes.

> ... but it's past time SAML profiles stop leaving everything out of 
> scope. We argue for days over things like AuthnInstant and still leave 
> 90% of the work to deployers without seeing there's a problem there. 

I don't argue with that, with unsatisfactory consequences in both spheres: 
the biota of alternatives, and the legions of deployers (defeated, cowed,
scared, or triumphant). 

But I can hardly imagine the world-view debates once those gates opened. 

--Nick


