Subject: Re: [security-services] Drafts for review: Kerberos & SAML profiles
On 19 Aug 2009, at 02:06, Scott Cantor wrote:
> Josh Howlett wrote on 2009-08-18:
>> I think it would be useful to understand whether it is acceptable to
>> use subject confirmation methods other than those that are mentioned
>> in the WSS SAML TP spec.
>
> I think I'm coming to believe you're right, that there's no precluding of
> other types. Even if there were, I don't find the current TP to be
> particularly attractive for newer applications anyway, so I think it's moot.

...

>> Interestingly, WRT the IMI spec (section 12) defines a set of
>> identifier-types that are represented through an <Identity> WS-Addressing
>> <EndpointReference> property. Two of these are Service
>> Principal Name and User Principal name, and the semantics associated
>> with those fit the Kerberos use-case.
>
> Sort of in reverse, yes, they tell you who you're getting an assertion from
> or sending it to, but I agree that the structure is applicable.

Ok, personally I'm satisfied that a new Subject Confirmation method that uses this structure to encode a Kerberos principal name is a defensible approach for my use-cases (Web SSO & WSS). Unless I hear any advice to the contrary, I will propose a strawman for discussion shortly.

best regards, josh.