OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] SAMLResponse validation

> Can anybody clarify on this?

Trust in SAML is out of scope of the original standard.

The only interoperable specification on this is the Metadata IOP spec that is, while ostensibly about metadata, really just saying that keys are exchanged and the certificate content outside of the key is absolutely disallowed from consideration.

If you want to do something else, you are pretending to be interoperable, doing a lot of hand-waving, and accomplishing essentially nothing. At minimum you'd need a spec, and there isn't one.

To understand why, consider that if you tried to evaluate a certificate in some indirect fashion, you would need a name binding, a way to constrain the subject of the certificate as it pertains to the SAML peer. While there are some obvious ways of doing that, none of them are written down. Thus, no spec.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]