OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: Re: Shib & SAML presentation


Anders,

>the differences in Artifact formats depend not only on "history", but
>to a major extent on the rather different flows of information in
>SAML's PULL scheme versus Shib's contact-destination-first-scenario.

No.  In both cases, an assertion is pulled. Shibb's first
contact steps effectively are "pre-steps" to pushing an
"artifact" aka "handle package."   There isn't a flow
difference from there.

>A thing I am not so excited about in Shib, are the signed handle URLs.
>That only the signatures but not the certificate(s) are carried in
assertions.
>is at least not an option in the many-to-many B2B-market we are

The handle package contains a handle which is then
used to pull an assertion.  The assertion may have
certificate carried along with it.
   There needs to be out-of-band info about the handle
server at the destination anyway.  This OOB info would
contain the certificate info.

A general comment: You seem to have some confusion
between handle packages and assertions.    You might
wish to re-read the arch doc and/or the bindings doc.
On the other hand, we are thinking
hard about abandoning the handle package and using your
POST suggestion, so it might be moot.

>Regarding attribute release, I have some problems understanding
>the Shib model. Does the destination (using SAML-terminology)
>indicate what attributes it wants the source to release? At least
>that seems like the most straight-forward way to do things.

No, it doesn't.  It asks for all authZ attributes.  It gets only
those that have been designated as releasable to it.
   This topic was the subject of much debate within Shibb.
I argued (apparently persuasively at the time) that if
a destination asked for specific attributes there was an "implied
promised" that release of those attributes (e.g "name")
would result in access.  This seems to me to be a way
to fool the user into releasing information.

Regards,
Marlena





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC