
saml-dev message


Subject: RE: [saml-dev] How does an artifact issuer "authenticate" the sender of the <ArtifactResolve> message?

> Can't the requester sign the <ArtifactResolve> message?  Am I 
> missing something?

This is somewhat off-topic, but apropos for the question... I continue to
wonder how one can be confident in the sender of a message based on a
signature. That authenticates the message, but not the sender, and it seems
like in this case more so than many others in SAML, you *really* care about
the sender quite a lot.

You could "trust" that the client is doing TLS server-auth to prevent a
MitM, but that seems like a strange thing to do from the server end to
protect the dereferencing of the artifact.

Maybe I'm just being picky, but it's always bugged me.

-- Scott
