OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Groups-draft-sstc-solution-profile-soap-02.pdf uploaded

>1) Use WSS to secure the AuthnRequest from Requestor to SAML Authority via:
>       a) Security Token Reference to identify the Subject: 
>                i)  SubjectConfirmation/KeyInfo/wsse:SecurityTokenReference

>                ii) Subject/wsse:SecurityTokenReference 

In case ii) I think (but could be wrong) that a subject represented only by
a security token was intended to be expressed as only SubjectConfirmation.
Is it useful to have a confirmation method perhaps that says the
confirmation data will be a STR?

>        b) Security Token Reference to identify the Target 

I note current specs only identify Target in a vague way via Audience. I
personally like the simplicity. Of course encryption also provides some
degree of targeting.

>        e) Encryption to provide confidentiality 

Confidentiality of...?

Would like to in general see us first settle on the basic use
cases/semantics we want to support in the AuthnRequest protocol (or
protocols) and what message bits are needed. Then a separate discussion
could be had on where WSS STR's fit or don't fit in the current schema as a
means of expressing some of those pieces. Just a thought.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]