RE: [security-services] Groups - sstc-saml-holder-of-key-browser-sso-draft-03.odt

["Scott Cantor" <cantor.2@osu.edu>]

> That's ridiculous.

I think that's overblown. It's annoying. On a scale of 1 to 10, it's about a
3. Maybe.

> Is someone trying to tell us that none of those specs standalone?
> I guess that's the point I've been trying to make
> all along (but this forum is probably not the best place to carry on
> that conversation).

No, and *that's* ridiculous. I've heard the same criticism about SAML, so
the fact is that people see what they want to see.

> > I think it's needless duplication with fewer features.
> 
> Which some see as a positive thing, right?

I guess some people might see it that way. Having the features doesn't mean
you have to use them or even implement them. I think it's a positive if a
dumbed down version can talk to the same software as a more complete
version.

> > But if I honestly
> > thought that *anybody* could be won over just by pulling SOAP out of
there,
> > I'd have done it a long time ago.
> 
> Me ;-)

I assumed you were speaking for somebody else's prejudices.
 
> If I'm understanding you correctly, I don't agree with that.  I have
> lots of use cases for h-o-k SAML tokens, even low assurance ones
> (i.e., tokens that can be traced to username/password).

If you're talking about stuffing them inside certificates, I consider that
pretty specialized. But so be it.

-- Scott