Subject: RE: [imi] SAML 2 profile questions


> Understood. But this is not an (unknown) attacker, it is a fraudulent
> (known) user changing his token, which is different. These can be caught
> with auditing.

How would it be caught? For starters, I can impersonate anybody I want to be
if I know the appropriate shared identifier. In many cases, that's likely to
be significantly easy to discover (guess what my eduPersonPrincipalName is?)
 
> So it's less of a risk than an unknown attacker, and in
> some situations e.g. student access to library systems, it might be too
> low a risk to worry about the extra cost of signing. Thus it should be
> the choice of the RP whether signing is needed or not. After all, it is
> the RP that faces the risk.

There are degrees of security, but I cannot support this. If somebody wants
to create an unsigned profile, that's out of my hands, but this is a
proposal for matching the level of security in existing non-IMI profiles.

> But if users don't have keys and their client software does not
> automatically mint and manage them for it, then you can't use holder of
> key (even if we would like to).

Selectors already have to do this to support unmanaged cards. It's a huge
missed opportunity. But what I would prefer aside, the point remains that we
don't have HoK, and without strong warnings, people will fail to understand
the difference here.

-- Scott
