Subject: RE: [security-services] Groups - saml2-lecp.pdf uploaded
Frederick,

Instead of starting with the technology, can I get the requirement and the scenario that drove you to submit this? I realize that this is not "over an existing" profile, what I wanted to say was, "Why is the LEC Profile needed" which goes back to the requirement and scenarios.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122

From: <Frederick.Hirsch@nokia.com>
Date: 10/10/2003 01:48 PM
To: Anthony Nadalin/Austin/IBM@IBMUS, <security-services@lists.oasis-open.org>
cc:
Subject: RE: [security-services] Groups - saml2-lecp.pdf uploaded

Tony

Thanks for your questions.

> (1) Do we read your "benefits" as the motivation for
> including this profile

The purpose of the benefits in the introductory slides was not motivation for including the profile but rather intended as educational material about the profile. The motivation for including the profile is to include relevant technology that meets customer needs - I apologize, I thought that was obvious.

> (2) Since this proposal requires specifically enabled
> clients, does it make sense over the existing SAML 1.1 profiles?

This is not "over existing profiles" but rather an additional profile to be added to the suite of profiles building on the core SAML technology and included as part of SAML.

> (3) This seems to add a control point which may not be
> acceptable in most deployments, are you proposing this as an
> optional profile?

Yes, it is an optional profile for those who need it. I'm not sure I understand the control point concern.

> (4) This requires SSL/TLS (asymmetric key-establishment
> phase) and there are cases where one may want to use a
> symmetric-key-only solution which can be computationally faster,
> doesn't it make sense to develop a protocol that can handle both?

This sounds like a topic for additional discussion.

> (5) This seems to require an additional roundtrip to the
> identity provider before the interaction can continue, which seems
> to add to flows and become bogged down by network latency, doesn't
> this pose similar performance problems as the redirects?

It is not an additional trip (for a pull model) since it includes two (virtual) roundtrips:

1. service request and response
2. authentication request and response

Does this make sense?

Thanks for looking at this.

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones

> -----Original Message-----
> From: ext Anthony Nadalin [mailto:drsecure@us.ibm.com]
> Sent: Thursday, October 09, 2003 8:01 PM
> To: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Groups - saml2-lecp.pdf uploaded
>
> Frederick,
>
> Thanks for posting, I have a few questions.
>
> (1) Do we read your "benefits" as the motivation for including
> this profile?
> (2) Since this proposal requires specifically enabled clients,
> does it make sense over the existing SAML 1.1 profiles?
> (3) This seems to add a control point which may not be acceptable
> in most deployments, are you proposing this as an optional profile?
> (4) This requires SSL/TLS (asymmetric key-establishment phase) and
> there are cases where one may want to use a symmetric-key-only
> solution which can be computationally faster, doesn't it make sense
> to develop a protocol that can handle both?
> (5) This seems to require an additional roundtrip to the identity
> provider before the interaction can continue, which seems to add to
> flows and become bogged down by network latency, doesn't this pose
> similar performance problems as the redirects?
>
> Anthony Nadalin | work 512.436.9568 | cell 512.289.4122