[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] NIST prohibits use of SAML assertions at LOA4
On 6/27/08 1:46 PM, "SCOTT CANTOR" <cantor.2@osu.edu> wrote:

>> Well, this is truly bizarre.
>
> It's not new, that's how the previous document was, AFAIK.

The current version doesn't explicitly forbid assertions. 800-63 v1.02 says "Level 4 authentication is based on proof of possession of a key through a cryptographic protocol" and I would consider SAML protocols to satisfy that.

> Well, it's interpreted in light of the fact that browsers cannot perform
> proof operations with SAML assertions. What they want is not PKI in general,
> but PKI between the relying party and the client. More than a bearer token,
> in other words. There's plenty to be said for that argument.

I'm not sure why the browser is part of the equation. The assertions are signed and can be encrypted for the use of the RP only. If you utilize all the protective measures in SAML, I don't see how using PKI between the Client and the RP is any different from PKI between Client and IDP, and then using that same PKI tech to provide a provable reference back to that authentication. Unless, of course, you just don't trust IDPs, but that's a different story (or is it)?

I guess my point is that if you believe that PKI is valid and practically unassailable, then you should also believe that about PKI-based signing and delivery of credential materials.

I know you don't like analogies, but to me, it's like saying you believe in gravity, but only when you are standing on the ground, but not out in space.

ET

--
____________________________________________________
Eric Tiffany | eric@projectliberty.org
Interop Tech Lead | +1 413-458-3743
Liberty Alliance | +1 413-627-1778 mobile
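The mechanism the two messages above are arguing about, as an added example that is not part of this thread and not code from any SAML implementation: an RP that checks the IdP signature and audience on a bearer-confirmed assertion accepts whoever presents it, whereas a holder-of-key confirmation additionally requires the presenter to prove possession of the key named in the assertion, which is one reading of "PKI between the relying party and the client". The two confirmation-method URIs are the SAML 2.0 ones; everything else is constructed. HMAC over a JSON document stands in for XML Signature over an assertion, and the "keys" are shared secrets rather than key pairs, so that the example runs offline with the standard library only.

```python
"""Bearer vs holder-of-key subject confirmation, modelled with stdlib HMAC.

Constructed example. HMAC stands in for XML Signature / PKI so this runs
offline; the confirmation-method URIs are the real SAML 2.0 values.
"""
import hashlib
import hmac
import json
import secrets

BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
RP_ENTITY_ID = "https://rp.example.org/sp"  # constructed audience

# Constructed keys. In a real deployment these are asymmetric key pairs;
# here each is a shared secret so a "signature" can be an HMAC.
IDP_SIGNING_KEY = b"idp-signing-key"
CLIENT_KEY = b"alice-client-key"
CLIENT_KEY_ID = "alice-cert-fingerprint"  # stands in for the cert in <ds:KeyInfo>


def _canon(payload):
    # Deterministic serialisation, the role canonical XML plays for XML-DSig.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key, payload):
    return hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


def issue_assertion(method):
    """IdP side: sign an assertion carrying the chosen SubjectConfirmation method."""
    assertion = {
        "subject": "alice",
        "audience": RP_ENTITY_ID,
        "confirmation_method": method,
        "assertion_id": secrets.token_hex(8),
    }
    if method == HOLDER_OF_KEY:
        # <SubjectConfirmationData> names the key the subject must prove it holds.
        assertion["subject_key_id"] = CLIENT_KEY_ID
    return assertion, sign(IDP_SIGNING_KEY, assertion)


def client_prove_possession(challenge):
    """Client side, holder-of-key only: answer the RP's challenge with the client key."""
    return hmac.new(CLIENT_KEY, challenge, hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self):
        # Client keys the RP trusts, i.e. what its PKI trust anchor would vouch for.
        self.known_keys = {CLIENT_KEY_ID: CLIENT_KEY}

    def new_challenge(self):
        return secrets.token_bytes(16)

    def accept(self, assertion, sig, challenge=None, proof=None):
        # Checks common to both methods: IdP signature and intended audience.
        if not verify(IDP_SIGNING_KEY, assertion, sig):
            return False
        if assertion.get("audience") != RP_ENTITY_ID:
            return False
        method = assertion.get("confirmation_method")
        if method == BEARER:
            # Possession of the signed bytes is the whole proof.
            return True
        if method == HOLDER_OF_KEY:
            key = self.known_keys.get(assertion.get("subject_key_id"))
            if key is None or challenge is None or proof is None:
                return False
            expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
            return hmac.compare_digest(expected, proof)
        return False


def replay_outcomes():
    """Issue one assertion of each kind, then present each from a party holding only the captured bytes."""
    rp = RelyingParty()
    results = {}

    bearer, bearer_sig = issue_assertion(BEARER)
    results["bearer_legit"] = rp.accept(bearer, bearer_sig)
    # A captured bearer assertion verifies just as well for a third party
    # (NotOnOrAfter and OneTimeUse narrow the window but do not bind a key).
    results["bearer_replay"] = rp.accept(bearer, bearer_sig)

    hok, hok_sig = issue_assertion(HOLDER_OF_KEY)
    challenge = rp.new_challenge()
    results["hok_legit"] = rp.accept(hok, hok_sig, challenge, client_prove_possession(challenge))
    # The replaying party has the assertion but not CLIENT_KEY, so its proof fails.
    challenge = rp.new_challenge()
    forged = hmac.new(b"not-the-client-key", challenge, hashlib.sha256).hexdigest()
    results["hok_replay"] = rp.accept(hok, hok_sig, challenge, forged)
    return results


if __name__ == "__main__":
    print(replay_outcomes())
```

Encrypting the assertion for the RP changes who can read it in transit, not which of these two checks the RP performs once it has decrypted it; the difference between the two branches of `accept` is the whole of what separates "more than a bearer token" from a signed bearer token in this model.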