Subject: Re: [security-services] Proposal for assertion-level subjects
On Feb 26, 2004, at 10:11 AM, Scott Cantor wrote:

>> Are you concerned about repeating the confirmation process or its
>> representation in the assertion? Avoiding both would be desirable. The
>> former seems more significant to me.
>
> Both. The common case (today) is bearer, and as such is just wasted space,
> so that is a bigger factor.
>
> If in future HOK or equivalent became common, then the space savings would
> pale next to the runtime cost, and people would be forced to do bizarre DOM
> equivalence testing to try and avoid repeating the verification.

Right. This is exactly our problem today with the HOK assertions used as ID-WSF security tokens.

It's worse than this, actually, as I doubt that the spec allows a conforming implementation to skip confirmation just because it *thinks* it has done the equivalent processing already -- at the very least, I'm sure I could make some money as an expert witness poking holes in any product that takes this approach. ;-)

-Greg