Subject: RE: [imi] SAML 2 profile questions


John Bradley wrote on 2009-10-14:
> Holder of key is supported in the spec for the selector.

Only for non-browser, at least based on my interpretation of what is
admittedly a muddled area.

> Supporting HoK or something equivalent with non-auditing cards may
> require a Zero Knowledge token.

HoK or bearer have the same issues there, it's just about what you're
mitigating against. It's not attempting (yet) to address OOB correlation by
the parties to find out where you went.

> I think we need to continue supporting auditing and non-auditing cards.
> 
> I have never seen auditing-optional actually used, but it might be if
> the RP had a way to express it without a RP/STS.

That's fine, but using that with bearer is just plain dangerous, and people
need to know that.

> If a user could tell in the selector if a card is auditing or not it
> would make the feature more useful.

I didn't realize you couldn't, but I suppose that's implementation-specific.
Nothing stops one from doing so; it knows what it's sending in the RST.

-- Scott
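One way to read the warning above that bearer with a non-auditing card is "just plain dangerous": if the STS never learns which RP the token is for, it cannot scope the assertion to that RP, and an unscoped bearer assertion can be replayed by whoever holds it to any RP that trusts the issuer. Holder-of-key does not have that replay problem because the presenter must also prove possession of the confirmed key. The check below is an added example written for this archive page, not code from the thread, from OASIS or from any selector implementation; the entity IDs, the make_assertion helper and the assess function are invented for illustration, and the sample assertions are constructed, unsigned data. It inspects only the SubjectConfirmation method and the AudienceRestriction; signature validation, the validity window and the actual HoK key-possession proof are assumed to be handled elsewhere.

```python
"""Classify a SAML 2.0 assertion by how its subject is confirmed and whether
it is scoped to this relying party.

Added illustration for the thread above; not part of the original message
and not code from any OASIS specification or product. Signature checking,
NotBefore/NotOnOrAfter handling and, for holder-of-key, verifying that the
presenter controls the confirmed key are out of scope here and assumed to be
done by the caller.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def assess(assertion_xml, my_entity_id):
    """Return (accept, reason) for an assertion presented to my_entity_id.

    Rule of thumb from the discussion: a bearer assertion is only safe when
    the issuer scoped it to this RP via AudienceRestriction; an unscoped
    bearer assertion is accepted nowhere. Holder-of-key is accepted on the
    understanding that the caller separately verifies key possession.
    """
    root = ET.fromstring(assertion_xml)
    methods = {
        sc.get("Method")
        for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    }
    audiences = {
        a.text.strip()
        for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    }

    if not methods:
        return False, "no SubjectConfirmation element"
    if CM_BEARER in methods:
        if not audiences:
            return False, ("bearer assertion with no AudienceRestriction: "
                           "anyone holding it can replay it to any RP")
        if my_entity_id not in audiences:
            return False, ("bearer assertion scoped to another RP: %s"
                           % sorted(audiences))
        return True, "bearer assertion scoped to this RP"
    if CM_HOK in methods:
        return True, ("holder-of-key: presenter must prove possession of the "
                      "confirmed key, so a third party cannot replay it")
    return False, "unsupported confirmation method(s): %s" % sorted(methods)


def make_assertion(method, audience=None):
    """Build a minimal unsigned assertion (constructed demo data only)."""
    conditions = ""
    if audience:
        conditions = ("<saml:Conditions><saml:AudienceRestriction>"
                      "<saml:Audience>%s</saml:Audience>"
                      "</saml:AudienceRestriction></saml:Conditions>" % audience)
    return ('<saml:Assertion xmlns:saml="%s" Version="2.0" ID="_demo" '
            'IssueInstant="2009-10-14T00:00:00Z">'
            "<saml:Issuer>https://sts.example.test</saml:Issuer>"
            "<saml:Subject><saml:NameID>alice</saml:NameID>"
            '<saml:SubjectConfirmation Method="%s"/></saml:Subject>'
            "%s</saml:Assertion>" % (SAML, method, conditions))


if __name__ == "__main__":
    rp = "https://rp.example.test"  # hypothetical relying party entity ID
    cases = {
        "bearer, unscoped": make_assertion(CM_BEARER),
        "bearer, scoped to us": make_assertion(CM_BEARER, rp),
        "bearer, scoped to other RP":
            make_assertion(CM_BEARER, "https://other.example.test"),
        "holder-of-key": make_assertion(CM_HOK),
    }
    for label, xml in cases.items():
        ok, why = assess(xml, rp)
        print("%-28s %s  (%s)" % (label, "ACCEPT" if ok else "REJECT", why))
```

Run as a script it prints a verdict per constructed case; only the audience-scoped bearer assertion and the holder-of-key assertion are accepted. The unscoped bearer case is exactly the configuration the message calls dangerous: nothing in the token ties it to the RP that was meant to receive it.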