RE: W-15: RE: [security-services] Second use case for thedelegation/tiered model

[Scott Cantor <cantor.2@osu.edu>]

> My question is whether there is any change needed to the web browser
> profiles? Or is it the case that the additional step (from intermediate to
> back-end service provider) is simply layered on top of the browser to
> intermediate step? 

I left that undefined, but I believe it's a hard question to answer until we
develop a working model of what the 2.0 profiles will be, and in turn that
has to be done with an eye on this kind of use case. Based strictly on 1.x,
there are fairly few reasons why a SSO assertion couldn't be made
forwardable (mainly the lack of a signature). I don't believe short lived
assertions add any protection to those profiles, and they cause problems
when discussing sessions. There are obviously still privacy and delegation
issues to look at.

With pair-wise identifiers and some of the other ID-FF differences, there
are many more privacy implications and also differences that make the
assertions less forwardable (use of Audience in the POST profile, for
example). OTOH, ID-FF mandates the signing of the SSO assertion, making it
more forwardable than SAML.

-- Scott