[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Minutes: SSTC Conference Call (September 22nd, 2009)
Abendroth, Joerg (NSN - DE/Munich) wrote on 2009-10-12:

> Hi Scott,
>
> I like seeing that you add in your email:
> "And IMHO, it's a lot of extra work at an SP (which now becomes an IdP)
> without any obvious benefit, but it isn't anything you couldn't do now
> if you wanted."
>
> I share your opinion that it would be a lot of extra work at the SP, and
> that is the very reason why we would like to add the Name ID and Attribute
> Management Requests.

Unless I'm wrong, what you want to do (speaking of the identifier thing) is not possible to do securely without "extra work at an SP". What I was saying is that what you're proposing is already possible within the bounds of the standard, because you're asking that every SP turn around and function as an IdP. I know that's not what you wanted, but I think that's what your use case turns into.

Putting it another way, you want to securely communicate an identifier for "the current user" from one site to another (in your case the SP to the IdP). But those are just roles/labels. The act of doing that is itself SSO. So by definition, the SP becomes an IdP and vice versa; why would we define a new protocol for that?

-- Scott