Subject: Re: [security-services] comments re draft-sstc-metadata-iop-03
On Mon, Feb 16, 2009 at 12:59 PM, Scott Cantor <cantor.2@osu.edu> wrote:

> Tom Scavo wrote on 2009-02-16:
>> Today that's true, since the SAML token is bound to a gateway-issued
>> proxy certificate. But the goal is to bind the SAML token to a
>> short-lived end-entity certificate (EEC) obtained just-in-time. In
>> this scenario it is not possible to bind full certificates to metadata
>> since the EEC is not static.
>
> Is the EEC about the user or about the gateway?

The EEC is an authentication token for the gateway, yes.

> If the latter, I don't
> really follow the point of churning the certificates, but I'll take your
> word for it. If the former, then you have a use case for which metadata was
> explicitly NOT defined. Metadata was only about system entities, not end
> users.

The case where the SAML token is bound to the EEC is not as well understood as the case where the SAML token is bound to a proxy certificate, so I hesitate to answer your questions. We're deploying the EEC use case now (in a testbed), so I think I'll put this part of the discussion on hold until we've had a chance to explore this further.

Thanks for your interest,

Tom