OASIS Mailing List Archives

 



security-services message



Subject: RE: [security-services] DDDS RFCs,Liberty and SAML Metadata exchange protocol


> Is DNSSEC relevant to this work? 
> Is there an issue with DNS security and site spoofing?
> Does the DDDS/NAPTR material address such concerns?

There are places in the Liberty spec that mention DNSSEC and have some
SHOULDs around using it and validating the metadata location with it and
such. I'm much less clear on the ins and outs of it, as opposed to the use
of XML signatures on the metadata itself, which is basically mandatory.

In Shibboleth, we're distributing metadata over HTTP, because the provider
of the data is considered irrelevant; only the signature matters. And the
signer is really the root of everything at that point.

-- Scott


