Subject: RE: [security-services] Minutes: SSTC Conference Call (September 22nd, 2009)


Abendroth, Joerg (NSN - DE/Munich) wrote on 2009-10-12:
> Hi Scott,
> 
> I like seeing that you added in your email:
> "And IMHO, it's a lot of extra work at an SP (which now becomes an IdP)
> without any obvious benefit, but it isn't anything you couldn't do now
> if you wanted."
> 
> I share your opinion that it would be a lot of extra work at the SP, and
> that is the very reason why we would like to add the Name ID and Attribute
> Management Requests.

Unless I'm wrong, what you want to do (speaking of the identifier thing) is
not possible to do securely without "extra work at an SP".

What I was saying is that what you're proposing is already possible within
the bounds of the standard because you're asking that every SP turn around
and function as an IdP. I know that's not what you wanted, but I think
that's what your use case turns into.

Putting it another way, you want to securely communicate an identifier for
"the current user" from one site to another (in your case the SP to the
IdP). But those are just roles/labels. The act of doing that is itself SSO.
So by definition, the SP becomes an IdP and vice versa; why would we define
a new protocol for that?

-- Scott
