security-services message

Subject: RE: [security-services] comments re draft-sstc-metadata-iop-03

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Tom Scavo'" <trscavo@gmail.com>
Date: Mon, 16 Feb 2009 12:59:24 -0500

Tom Scavo wrote on 2009-02-16:
> Today that's true, since the SAML token is bound to a gateway-issued
> proxy certificate.  But the goal is to bind the SAML token to a
> short-lived end-entity certificate (EEC) obtained just-in-time.  In
> this scenario it is not possible to bind full certificates to metadata
> since the EEC is not static.

Is the EEC about the user or about the gateway? If the latter, I don't
really follow the point of churning the certificates, but I'll take your
word for it. If the former, then you have a use case for which metadata was
explicitly NOT defined. Metadata was only about system entities, not end
users.

-- Scott

References:
- comments re draft-sstc-metadata-iop-03
  - From: Tom Scavo <trscavo@gmail.com>
- Re: [security-services] comments re draft-sstc-metadata-iop-03
  - From: Tom Scavo <trscavo@gmail.com>
- Re: [security-services] comments re draft-sstc-metadata-iop-03
  - From: Tom Scavo <trscavo@gmail.com>
- Re: [security-services] comments re draft-sstc-metadata-iop-03
  - From: Tom Scavo <trscavo@gmail.com>
- Re: [security-services] comments re draft-sstc-metadata-iop-03
  - From: Tom Scavo <trscavo@gmail.com>