OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] sstc-bindings-extensions-02

>my problem here is that this is something the user must do: check to verify
>that the source site is in fact the site he/she expects it to be and perhaps
>demand that the site authenticate itself to the user before presenting
>credentials to the site (e.g., server-side SSL). In other words, this does
>not have impact on our steps (1)-(4) but only on the relationship between
>the user and the source site. I can note this in the threat and
>countermeasure section but I am not sure I can say anything more than that, or,
>can I?

This is discussed a bit in the Shibboleth architecture document under the section on the WAYF, which is the functional component
that determines what the source site should be. Of course, the WAYF can be part of the destination site itself, as we discussed
early on.

Using SSL at the source site is one means of verifying authenticity, and obviously there could be others, though nothing else in
common use.

I think security considerations are where that discussion belongs.

-- Scott
