security-services message
Subject: Re: [security-services] Drafts for review: Kerberos & SAML profiles



On 19 Aug 2009, at 02:06, Scott Cantor wrote:

> Josh Howlett wrote on 2009-08-18:
>> I think it would be useful to understand whether it is acceptable to
>> use subject confirmation methods other than those that are mentioned
>> in the WSS SAML TP spec.
>
> I think I'm coming to believe you're right, that there's no precluding of
> other types. Even if there were, I don't find the current TP to be
> particularly attractive for newer applications anyway, so I think it's moot.

...

>> Interestingly, WRT the IMI spec, section 12 defines a set of
>> identifier types that are represented through an <Identity> WS-Addressing
>> <EndpointReference> property. Two of these are Service Principal Name
>> and User Principal Name, and the semantics associated with those fit
>> the Kerberos use-case.
>
> Sort of in reverse, yes, they tell you who you're getting an assertion from
> or sending it to, but I agree that the structure is applicable.

OK, personally I'm satisfied that a new Subject Confirmation method that
uses this structure to encode a Kerberos principal name is a defensible
approach for my use-cases (Web SSO & WSS). Unless I hear any advice to the
contrary, I will propose a strawman for discussion shortly.

best regards, josh.
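As an added illustration of the relying-party side of the idea discussed above (this is not code from the thread, and the strawman itself had not been written when the message was sent): a Python check that reads a SAML 2.0 assertion whose SubjectConfirmationData carries a WS-Addressing EndpointReference with a wsid:Identity naming a Kerberos principal, and confirms the subject only if that principal equals the one the Kerberos/GSS-API layer actually authenticated. The method URI `urn:example:SAML:2.0:cm:kerberos-principal`, the placement of the EndpointReference directly under SubjectConfirmationData, and the sample assertion are all assumptions made for the example; the wsid namespace is the WS-Addressing identity extension used by IMI and should be checked against the IMI spec before reuse.

```python
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse with defusedxml
from datetime import datetime

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsid": "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity",
}

# ASSUMPTION: the thread proposes a new confirmation method but gives it no URI.
KERBEROS_METHOD = "urn:example:SAML:2.0:cm:kerberos-principal"

# Constructed sample assertion (not from the thread). The confirmation data carries
# an EndpointReference whose wsid:Identity/wsid:Upn names the Kerberos principal.
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
    Version="2.0" ID="_c0ffee" IssueInstant="2009-08-19T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
    <saml:SubjectConfirmation Method="urn:example:SAML:2.0:cm:kerberos-principal">
      <saml:SubjectConfirmationData NotOnOrAfter="2009-08-19T10:05:00Z">
        <wsa:EndpointReference>
          <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
          <wsid:Identity><wsid:Upn>alice@EXAMPLE.ORG</wsid:Upn></wsid:Identity>
        </wsa:EndpointReference>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def _parse_utc(ts):
    # SAML timestamps are UTC; fractional seconds are not handled in this example.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def kerberos_confirmations(assertion_xml):
    """Return (kind, principal, NotOnOrAfter) for each Kerberos-method confirmation.

    kind is "upn" or "spn", following the two IMI identifier types named in the thread.
    """
    root = ET.fromstring(assertion_xml)
    found = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != KERBEROS_METHOD:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        ident = data.find("wsa:EndpointReference/wsid:Identity", NS)
        if ident is None:
            continue
        for kind in ("Upn", "Spn"):
            el = ident.find("wsid:" + kind, NS)
            if el is not None and el.text and el.text.strip():
                found.append((kind.lower(), el.text.strip(), data.get("NotOnOrAfter")))
    return found


def confirm_subject(assertion_xml, authenticated_principal, now):
    """True only if a still-valid confirmation names exactly the authenticated principal.

    authenticated_principal, e.g. ("upn", "alice@EXAMPLE.ORG"), must come from the
    GSS-API/SPNEGO context the relying party established itself, never from the
    message. The comparison is exact: Kerberos principal names (and realms) are
    case-sensitive, so no case folding or normalisation is applied.
    """
    now_dt = _parse_utc(now)
    for kind, principal, not_on_or_after in kerberos_confirmations(assertion_xml):
        if not_on_or_after is not None and now_dt >= _parse_utc(not_on_or_after):
            continue  # confirmation data has expired
        if (kind, principal) == authenticated_principal:
            return True
    return False
```

The example deliberately stops at subject confirmation: signature verification of the assertion, Issuer trust, and audience restriction still have to be done by the surrounding SAML processing before any of this is meaningful.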

