
security-services message



Subject: RE: [security-services] Groups - saml2-lecp.pdf uploaded






Frederick,

Instead of starting with the technology, can I get the requirement and the
scenario that drove you to submit this ? I realize that this is not "over
an existing" profile, what I wanted to say was, "Why is the LEC Profile
needed" which goes back to the requirement and scenarios.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122


From: <Frederick.Hirsch@nokia.com>
Date: 10/10/2003 01:48 PM
To: Anthony Nadalin/Austin/IBM@IBMUS, <security-services@lists.oasis-open.org>
cc:
Subject: RE: [security-services] Groups - saml2-lecp.pdf uploaded




Tony

Thanks for your questions.

> (1) Do we read your "benefits" as the motivation for
> including this profile

The purpose of the benefits in the introductory slides was not motivation
for including the profile but rather intended as educational material about
the profile. The motivation for including the profile is to include
relevant technology that meets customer needs - I apologize, I thought that
was obvious.

> (2) Since this proposal requires specifically enabled
> clients, does it make
> sense over the existing SAML 1.1 profiles ?

This is not "over existing profiles" but rather an additional profile to be
added to the suite of profiles building on the core SAML technology and
included as part of SAML.

> (3) This seems to add a control point which may not be
> acceptable in most
> deployments, are you proposing this as an optional profile ?

Yes it is an optional profile for those who need it. I'm not sure I
understand the control point concern.

> (4) This requires SSL/TLS (asymmetric key-establishment
> phase) and there
> are cases where one may want to use a symmetric-key-only
> solution which can
> be computationally faster, doesn't it make sense to develop a
> protocol that
> can handle both ?

This sounds like a topic for additional discussion.

> (5) This seems to require an additional roundtrip to the
> identity provider
> before the interaction can continue, which seems to add to
> flows and become
> bogged down by network latency, doesn't this pose similar performance
> problems as the redirects ?

It is not an additional trip (for a pull model) since it includes two
(virtual) roundtrips:

1. service request and response
2. authentication request and response

Does this make sense? Thanks for looking at this.

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones



> -----Original Message-----
> From: ext Anthony Nadalin [mailto:drsecure@us.ibm.com]
> Sent: Thursday, October 09, 2003 8:01 PM
> To: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Groups - saml2-lecp.pdf uploaded
>
>
>
>
>
>
> Frederick,
>
> Thanks for posting, I have a few questions.
>
> (1) Do we read your "benefits" as the motivation for
> including this profile
> ?
> (2) Since this proposal requires specifically enabled
> clients, does it make
> sense over the existing SAML 1.1 profiles ?
> (3) This seems to add a control point which may not be
> acceptable in most
> deployments, are you proposing this as an optional profile ?
> (4) This requires SSL/TLS (asymmetric key-establishment
> phase) and there
> are cases where one may want to use a symmetric-key-only
> solution which can
> be computationally faster, doesn't it make sense to develop a
> protocol that
> can handle both ?
> (5) This seems to require an additional roundtrip to the
> identity provider
> before the interaction can continue, which seems to add to
> flows and become
> bogged down by network latency, doesn't this pose similar performance
> problems as the redirects ?
>
> Anthony Nadalin | work 512.436.9568 | cell 512.289.4122
>



