OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services-comment] Re: http://saml.xml.org/news/holder-of-key-web-browser-sso-profile

> No, and in fact you've raised a most important point (which apparently
> we need to explain better in the profile document).  The
> proof-of-possession step and the authentication step are totally
> separate.  In HoK Web Browser SSO, proof-of-possession is via TLS and
> authentication is by some other means, typically username/password via
> a web login form.

I assume you mean "can be by other means". There's certainly no requirement
that it be done that way. The point is that you don't have to rely on the
certificate for authentication, not that you can't do so.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]