RE: [saml-dev] Proposed SAML defaults for interoperability event

[Irving Reid <Irving.Reid@baltimore.com>]

> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> 
> Not signing Assertions is fine with us and removes major
> complications. We proposed it only because we thought people
> would expect assertions to be signed and that use of XML
> dsig would be expected.

> What do others think?

For the browser artifact profile, we would prefer not to use signatures.
Since the assertion transfer is already secure and mutually authenticated,
signatures are overhead.

> As far as the SOAP binding goes, we would prefer mutual
> authentication (client certificates) It is more secure and
> actually easier to implement. (no need to manage passwords,
> do basic auth header, etc.) Since we propose to exchange
> trust roots anyway, you can use the same key/certificate for
> both client and server ends.

> Hal

We prefer mutual auth with client certificates. We don't require a shared
trust root for the certificates.

 - irving -


-----------------------------------------------------------------------------------------------------------------
The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The 
unauthorised use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for
direct, special, indirect or consequential damages arising from alteration of the
contents of this message by a third party or as a result of any virus being 
passed on.
 
This footnote confirms that this email message has been swept for Content Security threats, including
computer viruses.

http://www.baltimore.com

 
This footnote confirms that this email message has been swept by 
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.