
security-services message



Subject: Re: [security-services] Proposal for assertion-level subjects



On Feb 26, 2004, at 10:11 AM, Scott Cantor wrote:

>> Are you concerned about repeating the confirmation process or its
>> representation in the assertion? Avoiding both would be desirable. The
>> former seems more significant to me.
>
> Both. The common case (today) is bearer, and as such is just wasted space,
> so that is a bigger factor.
>
> If in future HOK or equivalent became common, then the space savings would
> pale next to the runtime cost, and people would be forced to do bizarre DOM
> equivalence testing to try and avoid repeating the verification.

Right. This is exactly our problem today with the HOK assertions used 
as ID-WSF security tokens. It's worse than this, actually, as I doubt 
that the spec allows a conforming implementation to skip confirmation 
just because it *thinks* it has done the equivalent processing already 
-- at the very least, I'm sure I could make some money as an expert 
witness poking holes in any product that takes this approach. ;-)

-Greg


