[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-05
On Wed, Aug 6, 2008 at 11:10 PM, Nate Klingenstein <ndk@internet2.edu> wrote: > >> - In lines 377--379, I'm concerned that the assertion "MAY be signed >> if the HTTP Artifact binding is used," especially in light of the note >> on lines 389--390. I believe a HoK assertion MUST be signed, >> regardless of how it is obtained. > > Why do you believe this? To enable secure forwarding or re-use of > assertions, or ensure better auditing and repudiation? I'd like to leave > Artifact using TLS/SSL authentication as a viable option to allow for use of > this profile under heavy loads without serious hardware if the deployer > doesn't need to recycle or pass along the assertions. Yes, I think you and Scott are right about this, I need to remove this requirement from the "HoK Subject Confirmation Profile" and leave this to higher-level profiles. >> - ... Hijacking the Binding attribute like this is >> a bit of a kludge. Why not define new endpoints just for this >> purpose? Yes, I know you say (on line 494) that you'd rather not do >> that, but why not? That seems like the proper approach to me. > > See your response to yourself. :D This seems like the least ugly approach, > and yes, they're all awful. Well, an alternate approach would be to define a new RoleDescriptorType: <complexType name="HoKIDPSSODescriptorType"> <complexContent> <extension base="md:IDPSSODescriptorType"/> </complexContent> </complexType> I think it's cleaner to do it this way. Tom
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]