OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] signing and encryption requirements in metadata

> IDPSSODescriptor/@WantAuthnRequestsSigned
> SPSSODescriptor/@AuthnRequestsSigned
> SPSSODescriptor/@WantAssertionsSigned

Note that signing is an "atomic" operation that is all or nothing
(encryption is not) and that AuthnRequests during SSO are relayed by
browsers, so using signatures has relevance as the only viable authn

> Along these lines, the following might be useful:
> IDPSSODescriptor/@WantQueriesSigned
> AttributeAuthorityDescriptor/@WantQueriesSigned
> PDPDescriptor/@WantQueriesSigned
> Is there some reason these were omitted, or is it simply a matter of
> supporting the most commonly used profile (i.e., SSO)?

That's part of it, but queries are sent directly, so signing there is just
one of many authentication mechanisms. Not even a particularly common one.

> Also, wouldn't it be useful if encryption requirements could be called
> out at the SP?

Encryption isn't quite that simple, though. Its granularity can vary.

> Was this ever discussed as the metadata spec was being developed?

The need to avoid a slippery slope came up a lot when even the few flags
that exist were noticed.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]