RE: [saml-dev] RE: How to provide SAML assertions in RESTful services

["Scott Cantor" <cantor.2@osu.edu>]

> I think you are being overly pessimistic. The scope of what I am doing
> right now is defining the interoperability mechanisms. The operational
> choices are above and beyond what we define in the interop profile.
> Specifically with SOAP and WS-Security the capabilities of WS-Security
> are available to be used.

I don't see how, apart from perhaps some encryption or signing to duplicate
what the TLS layer is doing. What you described is a case in which there is
no security from the WS-Security layer, only data about the user identity.
The security model is of trusted endpoints communicating over a secure
channel and asserting without proof who they are acting on behalf of. That
doesn't involve any WSS features.

This is not a criticism, it's a description. If that's the use case, then
that's the use case. There's nothing wrong with that.

> I would hope that this is a
> useful profiling. These choices are primarily due to the sensitive
> nature of healthcare, and the extremely distributed organizational
> arrangements.

That's fine. But it is not something that seems to demand WS-Security to any
obvious extent, and I don't really see where OAuth fits either. Mainly
because you're avoiding the requirement to involve the *user* in the
security flow between the federated systems. That's a greatly simplifying
assumption, and it's not really that uncommon either.

> Does this give you more room to express security concerns?

I really have no concerns. I think your security here is very traditional,
and very easy to understand.

What I was saying was that your use case is not one that lends itself to
some kind of comparison of SOAP vs REST security, because neither is
involved. It's TLS.

-- Scott