Subject: RE: [imi] SAML 2 profile questions
John Bradley wrote on 2009-10-14:
> Holder of key is supported in the spec for the selector.

Only for non-browser, at least based on my interpretation of what is admittedly a muddled area.

> Supporting HoK or something equivalent with non auditing cards may
> require a Zero Knowledge token.

HoK or bearer have the same issues there, it's just about what you're mitigating against. It's not attempting (yet) to address OOB correlation by the parties to find out where you went.

> I think we need to continue supporting auditing and non-auditing cards.
>
> I have never seen auditing optional actually used, but it might be if
> the RP had a way to express it without a RP/STS.

That's fine, but using that with bearer is just plain dangerous, and people need to know that.

> If a user could tell in the selector if a card is auditing or not it
> would make the feature more useful.

I didn't realize you couldn't, but I suppose that's implementation specific. Nothing stops one from doing so, it knows what it's sending in the RST.

-- Scott