Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services
> I think you are being overly pessimistic. The scope of what I am doing
> right now is defining the interoperability mechanisms. The operational
> choices are above and beyond what we define in the interop profile.
> Specifically with SOAP and WS-Security the capabilities of WS-Security
> are available to be used.

I don't see how, apart from perhaps some encryption or signing to duplicate what the TLS layer is doing. What you described is a case in which there is no security from the WS-Security layer, only data about the user identity. The security model is of trusted endpoints communicating over a secure channel and asserting without proof who they are acting on behalf of. That doesn't involve any WSS features.

This is not a criticism, it's a description. If that's the use case, then that's the use case. There's nothing wrong with that.

> I would hope that this is a
> useful profiling. These choices are primarily due to the sensitive
> nature of healthcare, and the extremely distributed organizational
> arrangements.

That's fine. But it is not something that seems to demand WS-Security to any obvious extent, and I don't really see where OAuth fits either. Mainly because you're avoiding the requirement to involve the *user* in the security flow between the federated systems. That's a greatly simplifying assumption, and it's not really that uncommon either.

> Does this give you more room to express security concerns?

I really have no concerns. I think your security here is very traditional, and very easy to understand. What I was saying was that your use case is not one that lends itself to some kind of comparison of SOAP vs REST security, because neither is involved. It's TLS.

-- Scott
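The "trusted endpoints over a secure channel, asserting without proof" model Scott describes, written out as an added example (this is editorial illustration, not code from the thread, the SAML profile under discussion, or any project). It assumes the transport has already authenticated the calling peer (for instance the subject of a client certificate in mutual TLS) and hands that identity to the application; the peer-to-issuer trust list, the assertion XML and the timestamps are constructed for the example. The point it makes concrete is that no WS-Security feature is exercised: the assertion is unsigned and unencrypted, and the only proof of who is speaking is the TLS peer identity, which the code binds to the assertion's claimed Issuer.

```python
"""Trusted-endpoint model: accept an unsigned SAML 2.0 assertion from a peer
that the transport (e.g. mutual TLS) has already authenticated.

Added example for illustration; the trust list, assertion XML and clock
values are constructed, not taken from the thread or any deployment.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed trust list: TLS-authenticated peer -> the Issuer it may claim.
# This mapping is what replaces a signature check in the trusted-endpoint model.
TRUSTED_PEERS = {
    "CN=clinic-a.example.org": "https://clinic-a.example.org/idp",
}

# Constructed, unsigned assertion as such a peer might send it in a REST call
# (e.g. in an HTTP header or the request body). Note: no ds:Signature element.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee" Version="2.0"
    IssueInstant="2012-01-01T12:00:00Z">
  <saml:Issuer>https://clinic-a.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>dr.jones@clinic-a.example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-01-01T12:00:00Z"
                   NotOnOrAfter="2012-01-01T12:05:00Z"/>
</saml:Assertion>"""


def _parse_time(stamp):
    """Parse the UTC timestamp format used in the constructed assertion."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(peer_subject, assertion_xml, now_iso):
    """Return the asserted user (NameID) if the assertion is acceptable under
    the trusted-endpoint model, otherwise raise ValueError.

    peer_subject: identity the TLS layer established for the caller, e.g. the
                  client certificate subject. It is the only proof of who is
                  speaking; the assertion itself carries none.
    now_iso:      current time as an ISO-8601 UTC string (passed in so the
                  check is deterministic).
    """
    expected_issuer = TRUSTED_PEERS.get(peer_subject)
    if expected_issuer is None:
        raise ValueError("peer is not trusted to assert identities")

    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")

    # Bind the claimed Issuer to the channel-authenticated peer so that a
    # trusted peer cannot speak on behalf of a different issuer.
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    if issuer != expected_issuer:
        raise ValueError("Issuer does not match the TLS peer")

    # Validity window from Conditions, if present.
    now = _parse_time(now_iso)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            raise ValueError("assertion expired")

    name_id = root.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if not name_id:
        raise ValueError("assertion has no Subject/NameID")
    return name_id


def demo():
    """Happy path: trusted peer, matching Issuer, inside the validity window."""
    return accept_assertion("CN=clinic-a.example.org", ASSERTION_XML,
                            "2012-01-01T12:01:00Z")


if __name__ == "__main__":
    print(demo())
```

Everything that makes this safe happens before `accept_assertion` is called: TLS must authenticate the peer and the deployment must keep `TRUSTED_PEERS` correct. Rejecting an untrusted peer, an Issuer that does not match the peer, or an assertion outside its Conditions window is the whole of the application-level check; nothing here signs, verifies or decrypts the assertion, which is exactly why the comparison of SOAP versus REST security does not arise in this model.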