security-services message



Subject: Re: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-05


On Wed, Aug 6, 2008 at 11:10 PM, Nate Klingenstein <ndk@internet2.edu> wrote:
>
>> - In lines 377--379, I'm concerned that the assertion "MAY be signed
>> if the HTTP Artifact binding is used," especially in light of the note
>> on lines 389--390.  I believe a HoK assertion MUST be signed,
>> regardless of how it is obtained.
>
> Why do you believe this?  To enable secure forwarding or re-use of
> assertions, or ensure better auditing and repudiation?  I'd like to leave
> Artifact using TLS/SSL authentication as a viable option to allow for use of
> this profile under heavy loads without serious hardware if the deployer
> doesn't need to recycle or pass along the assertions.

Yes, I think you and Scott are right about this; I need to remove this
requirement from the "HoK Subject Confirmation Profile" and leave this
to higher-level profiles.

>> - ... Hijacking the Binding attribute like this is
>> a bit of a kludge.  Why not define new endpoints just for this
>> purpose?  Yes, I know you say (on line 494) that you'd rather not do
>> that, but why not?  That seems like the proper approach to me.
>
> See your response to yourself. :D  This seems like the least ugly approach,
> and yes, they're all awful.

Well, an alternate approach would be to define a new RoleDescriptorType:

<complexType name="HoKIDPSSODescriptorType">
  <complexContent>
    <extension base="md:IDPSSODescriptorType"/>
  </complexContent>
</complexType>

I think it's cleaner to do it this way.

Tom
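A fuller sketch of that alternate approach, added here as an example and not part of the draft or of either author's message: a small XSD that declares the extension type in a hypothetical namespace (urn:example:hok-metadata), and a metadata instance that publishes a separate HoK role via xsi:type, so the HoK endpoints are distinguished by role type while the Binding attribute keeps its ordinary meaning. The entityID, Location URLs and schemaLocation are placeholders.

```xml
<!-- File 1 (added example): hok-metadata.xsd
     Declares HoKIDPSSODescriptorType as an extension of md:IDPSSODescriptorType.
     The target namespace urn:example:hok-metadata is a hypothetical choice. -->
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        targetNamespace="urn:example:hok-metadata"
        elementFormDefault="unqualified">
  <!-- schemaLocation is a placeholder; point it at the SAML 2.0 metadata schema -->
  <import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
          schemaLocation="saml-schema-metadata-2.0.xsd"/>
  <complexType name="HoKIDPSSODescriptorType">
    <complexContent>
      <!-- Same content model as a normal IdP role; only the type name differs -->
      <extension base="md:IDPSSODescriptorType"/>
    </complexContent>
  </complexType>
</schema>

<!-- File 2 (added example): idp-metadata.xml
     One entity publishes two roles: the ordinary IdP role and an HoK role.
     An SP that supports the HoK profile selects the HoK role by its xsi:type;
     an SP that does not simply ignores the unknown RoleDescriptor. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:hok="urn:example:hok-metadata"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     entityID="https://idp.example.org/idp">
  <!-- Ordinary IdP role: standard endpoints, untouched by the HoK profile -->
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <!-- HoK role: md:RoleDescriptor is the metadata schema's extension point,
       so the derived type is announced with xsi:type. Binding is the real
       binding the endpoint speaks; nothing is overloaded. -->
  <md:RoleDescriptor xsi:type="hok:HoKIDPSSODescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/profile/SAML2/Redirect/SSO-HoK"/>
  </md:RoleDescriptor>
</md:EntityDescriptor>
```

A relying party that validates metadata against both schemas can then require client-certificate TLS only on the endpoints listed under the HoK role, and keep its existing endpoint-selection logic for the ordinary role unchanged.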

