OASIS Mailing List Archives

 



security-services message



Subject: RE: [security-services] Adding channel bindings to signed SAML Requests


> > Am I missing something, or is this reasonable?
> 
> FWIW it sounds reasonable to me. I'd been having similar thoughts
> myself... whether one could attach a <SubjectConfirmation> to the
> protocol message, with a newly defined SC method whose
> <SubjectConfirmationData> provides the CB data as you've described.

It wouldn't work at the protocol level, because SC is an assertion-specific
concept, but even though extensions are optional, they can still be required
by deployments, or servers can change their behavior based on them.
 
> It's not a great fit, as SAML Subject Confirmation is explicitly
> scoped to "the correspondence of the subject of the assertion", but
> there might be some value in this re-use.

I think SC confuses people enough without overloading its meaning.

-- Scott



