Subject: Re: [security-services] Re: comments re draft-sstc-metadata-iop-02
On Wed, Oct 22, 2008 at 9:25 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> Tom Scavo wrote:
>>
>> In fact, this
>> alternate use of SAML metadata is the reason I referred to the
>> Metadata Interoperability Profile as a "deployment profile" as opposed
>> to some universally applicable profile.
>
> Leaving aside whether this distinction even matters, no profile is
> universal. How many people are going to use a certificate-based profile for
> SSO any time soon? That doesn't make it a community-specific profile, just a
> relatively less adopted one.

Are you referring to Holder-of-Key Web Browser SSO? That profile is clearly and correctly characterized as an adjunct to Web Browser SSO, so there is no mistaking its scope and intent. The Metadata Interoperability Profile (IOP) is not so easily categorized, however. The IOP does not characterize itself as being applicable to a particular use case or community, so by default it must be applicable to everyone. Therein lies my objection.

> The issue to me is whether a profile imposes constraints or assumptions that
> would make it unrealistic to adopt across a broad range of communities. My
> goal here is not to convince those communities to do so, however misguided I
> may think they are. I'm just interested in giving the TC member companies a
> better opportunity to provide products that meet the needs of a number of
> communities they aren't serving very well right now.

I think that's a laudable goal, and I support it. However, I claim that the profile as written does not identify the communities to which it applies. I would rather not leave that interpretation as an exercise to the reader. What I'm trying to avoid is the following thought pattern on the part of the reader: "Community A makes use of SAML metadata but that usage does not conform to IOP so Community A metadata is not an interoperable use of SAML metadata."

AFAICT, the IOP appears to be a profile designed to accompany SAML Web Browser SSO. Certainly that is the historical basis for its existence. So why not characterize it as such? Is what you've written a SAML V2.0 Metadata Interoperability Profile for Web Browser SSO?

Tom