Subject: RE: [security-services] comments: sstc-saml-holder-of-key-browser-sso-draft-01


Let me follow up here since this same confusion was evident in the Liberty
world when I first proposed the SSOS work there.

What you're talking about, I think, is a synchronous request/response
profile for sending an AuthnRequest and returning an assertion. You state
that it's HoK, but in fact I think you'll agree that the conf method is
immaterial. What matters is that the requester's authentication to the IdP
justifies the method returned (which is in fact what core says).

I fully support this use case, which is why I proposed it in Liberty. I
happen to believe that using HTTP for it is silly, however, because it's
such a constrained protocol when it comes to authentication. I think SOAP
makes more sense since it allows for flexible message-based security.

What I didn't manage to do was to merge the SOAP part of ECP with this idea
because the assumptions just didn't hold. I could have added all kinds of
conditional language, but that just muddies the result. Instead, I left ECP
alone and just defined an explicit profile for using SOAP, the AuthnRequest
protocol, and the ID-WSF binding and security work to make up the exchange.

Now, should there be a SAML-only SSOS? It's been raised several times, and
nobody has come up with an argument that I think makes any sense. People
refuse to use ID-WSF and then expect the SSTC to just reinvent it by
defining our own SOAP security spec here, and I just don't see that
happening.

So, *if* one starts with SOAP as the assumption, my claim is that if all you
want is TLS and HoK, you can do that with the existing Liberty SSOS, add a
couple ID-WSF headers that hurt nobody, and you're done. No new profile
needed.

Now, if you throw out SOAP, then yes, I agree, you would need a new profile,
mainly just a copy of the Liberty SSOS that takes out ID-WSF, uses a new
HTTP binding, and relies on HTTP-compatible authentication or message
signing for the security. I'll even help somebody write it if they need
help.

I simply don't think that is this document.

-- Scott
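The exchange the message describes, a synchronous AuthnRequest carried in a SOAP Body with an assertion returned in the same exchange, as an added example that is not part of the thread, the SSOS profile, or any ID-WSF specification. It builds both messages with constructed values (the `sp.example` and `idp.example` hosts, the `_req1` request ID, the `sp-tls-key` key name and the timestamps are all made up for the example) and then runs the check a requester would apply on the response: that the assertion answers this request, that its confirmation method is holder-of-key, and that the confirmation data names the key the requester actually authenticated with. Message signing, which the message says would carry the security in a real profile, is left out; the `xsi:type="saml:KeyInfoConfirmationDataType"` marker the SAML core spec uses on holder-of-key confirmation data is also omitted to keep the example short.

```python
"""Added example: minimal SOAP-carried SAML 2.0 AuthnRequest/Response
exchange plus a requester-side holder-of-key check. Not code from the
thread; all host names, IDs, key names and timestamps are constructed."""
import xml.etree.ElementTree as ET

# Real SAML 2.0, SOAP 1.1 and XML Signature namespace URIs.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_soap_authn_request(request_id, issuer, destination):
    """Requester side: wrap a samlp:AuthnRequest in a SOAP Body."""
    env = ET.Element(q("soap", "Envelope"))
    body = ET.SubElement(env, q("soap", "Body"))
    req = ET.SubElement(body, q("samlp", "AuthnRequest"), {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": "2009-01-01T00:00:00Z",  # constructed timestamp
        "Destination": destination,
    })
    ET.SubElement(req, q("saml", "Issuer")).text = issuer
    return ET.tostring(env, encoding="unicode")


def extract_authn_request(soap_xml):
    """IdP side: pull (ID, issuer) out of the SOAP-carried AuthnRequest."""
    root = ET.fromstring(soap_xml)
    req = root.find("soap:Body/samlp:AuthnRequest", NS)
    if req is None:
        raise ValueError("no samlp:AuthnRequest in SOAP Body")
    return req.get("ID"), req.findtext("saml:Issuer", namespaces=NS)


def build_soap_response(in_response_to, issuer, subject, conf_method, key_name=None):
    """IdP side: return an assertion whose confirmation method reflects how
    the requester authenticated (HoK names the requester's key)."""
    env = ET.Element(q("soap", "Envelope"))
    body = ET.SubElement(env, q("soap", "Body"))
    resp = ET.SubElement(body, q("samlp", "Response"), {
        "ID": "_resp1", "Version": "2.0",
        "IssueInstant": "2009-01-01T00:00:01Z",  # constructed timestamp
        "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, q("saml", "Issuer")).text = issuer
    status = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(status, q("samlp", "StatusCode"), {"Value": SUCCESS})
    assertion = ET.SubElement(resp, q("saml", "Assertion"), {
        "ID": "_a1", "Version": "2.0", "IssueInstant": "2009-01-01T00:00:01Z",
    })
    ET.SubElement(assertion, q("saml", "Issuer")).text = issuer
    subj = ET.SubElement(assertion, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameID")).text = subject
    sc = ET.SubElement(subj, q("saml", "SubjectConfirmation"), {"Method": conf_method})
    scd = ET.SubElement(sc, q("saml", "SubjectConfirmationData"),
                        {"InResponseTo": in_response_to})
    if key_name is not None:
        # Holder-of-key: the confirmation data carries the holder's key.
        ki = ET.SubElement(scd, q("ds", "KeyInfo"))
        ET.SubElement(ki, q("ds", "KeyName")).text = key_name
    return ET.tostring(env, encoding="unicode")


def check_hok_assertion(soap_xml, expected_in_response_to, expected_key_name):
    """Requester side: list of problems, empty when the assertion answers our
    request with holder-of-key confirmation bound to our key."""
    problems = []
    root = ET.fromstring(soap_xml)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        return ["no samlp:Response in SOAP Body"]
    if resp.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match our request ID")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    confs = assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confs:
        return problems + ["no SubjectConfirmation"]
    for sc in confs:
        method = sc.get("Method")
        if method != HOK:
            problems.append("confirmation method is %s, expected holder-of-key" % method)
            continue
        names = [k.text for k in sc.findall(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", NS)]
        if expected_key_name not in names:
            problems.append("holder-of-key assertion does not name the requester's key")
    return problems


if __name__ == "__main__":
    req = build_soap_authn_request("_req1", "https://sp.example/", "https://idp.example/ssos")
    req_id, _ = extract_authn_request(req)
    resp = build_soap_response(req_id, "https://idp.example/", "alice", HOK, "sp-tls-key")
    print(check_hok_assertion(resp, "_req1", "sp-tls-key"))  # []
```

The check is deliberately on the requester side: the message's point is that the IdP must only issue a confirmation method the requester's authentication justifies, and a requester that does not verify the returned method and key would accept a bearer assertion where it expected one bound to its own key.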