[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Trust in artifact resolution
Josh Howlett wrote on 2010-02-11: >> Yes, but it wouldn't prove that you got either one from somebody you >> trusted and not some arbitrary interloper. > > Sure, but we can authenticate the binding used to obtain the artifact > to obtain that assurance. How? The artifact is passed through the client, so there's no way for the message's intended recipient to authenticate it from the message/artifact issuer. > I originally thought there was a violation because I got badly > confused. Where is the violation now? The callback does not require > authentication...? The profile says the SAML responder MUST authenticate itself to the SAML requester, doesn't it? -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]