[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] comments re draft-sstc-metadata-iop-03
On Thu, Feb 12, 2009 at 9:11 PM, Scott Cantor <cantor.2@osu.edu> wrote: > Tom Scavo wrote on 2009-02-12: > > it sounds like it would help if there was language in the > motivating text that talks about the overlap and explains that the profile > is essentially aiming at deployments that don't have a PKI that they have > confidence in the runtime behavior of. In the previous sentence, when you use the term "PKI," do you mean "X.509-based PKI"? The lone term "PKI" is ambiguous since obviously you're trying to profile a (SAML-based) PKI. But yes, the profile assumes the existence of a SAML-based PKI or the willingness to build out a SAML-based PKI. If your deployment is based on any other type of PKI---in particular, an X.509-based PKI---then this profile is probably not for you. > Speaking to your example directly, I don't really see what the use of > metadata buys you at all. It makes sense that you would align the metadata > to the naming that is already present at the layer of the credentials that > already have to be trusted. But I think it makes more sense to just drop the > layer out, actually... As much as you'd like to assume that use case away, it's not going to happen. It is what it is. >> I'd be willing to wager that >> SAML metadata in a Kerberos environment can not be shoe-horned into >> the Metadata Interoperability Profile. > > No, I would have to disagree. On the contrary, it would be *because* of that > profile that one could simplify the use of Kerberos by leveraging the trust > mechanisms the metadata can supply. If one were to go back to the use of > X.509, well, Kerberos already supports that, I believe. Specifically, I was referring to the SAML-in-Kerberos proposal, which is analogous to the SAML-in-X509 use within TeraGrid. Again, I'd be *very* surprised if the "standard" SAML metadata profile were relevant in that case. >> So I think the onus is on you to show that the scope of the Metadata >> Interoperability Profile transcends Web Browser SSO. > > I could say that I think I just did, but I don't really believe your premise > is valid. There's nothing in SAML metadata as a framework that is specific > to the SSO profile, and this profile doesn't even mention it (I don't > think). Okay, I'll concede that point. I'm still searching for a proper characterization of scope for this profile. Tom
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]