security-services message
Subject: Re: [security-services] comments re draft-sstc-metadata-iop-03


On Mon, Feb 16, 2009 at 12:59 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> Tom Scavo wrote on 2009-02-16:
>> Today that's true, since the SAML token is bound to a gateway-issued
>> proxy certificate.  But the goal is to bind the SAML token to a
>> short-lived end-entity certificate (EEC) obtained just-in-time.  In
>> this scenario it is not possible to bind full certificates to metadata
>> since the EEC is not static.
>
> Is the EEC about the user or about the gateway?

The EEC is an authentication token for the gateway, yes.

> If the latter, I don't
> really follow the point of churning the certificates, but I'll take your
> word for it. If the former, then you have a use case for which metadata was
> explicitly NOT defined. Metadata was only about system entities, not end
> users.

The case where the SAML token is bound to the EEC is not as well
understood as the case where the SAML token is bound to a proxy
certificate, so I hesitate to answer your questions.  We're deploying
the EEC use case now (in a testbed), so I think I'll put this part of
the discussion on hold until we've had a chance to explore this
further.

Thanks for your interest,
Tom

