[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] BPP vs BAP for SAML 1.1
One doesn't have to use mutual SSL authn when using BAP. Some of our customers use HTTP BASIC Auth over server-side SSL.

Ummm... sure - you probably want to sign assertions if you're forwarding them. However, in BPP, it's the responses being signed and also, the web SSO assertion isn't one you should be forwarding anyway.

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Wednesday, March 24, 2004 1:40 PM
> To: Philpott, Robert; jmoreh@sigaba.com; 'John Hughes'; 'Security-Services'
> Subject: RE: [security-services] BPP vs BAP for SAML 1.1
>
> The other thing to keep in mind here is that as customers increase their
> desire to use assertions as forwardable or exchangeable credentials for
> other services, they all (usually) have to be signed.
>
> Liberty also found that client side SSL support on some platforms was
> harder than doing DSIG, and that's why they always sign assertions, even
> with the artifact profile.
>
> I personally think the biggest drawback to POST is the privacy leakage if
> the assertions contain personal data. It's not a huge problem in most
> cases, but it's the one thing to really be aware of from a security/privacy
> standpoint.
>
> -- Scott
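The difference the thread is arguing about, as an added Python example that is not part of the original messages or of any SAML product: in the Browser/POST Profile the whole SAML Response is base64-encoded into a form field that transits the browser, so anyone who can see that field (the user, browser history, a logging proxy) can read every attribute in it; in the Browser/Artifact Profile the browser only carries a TYPE 0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte random handle), and the SP fetches the response over a back channel on which the IdP authenticates the SP, here with HTTP Basic credentials as Rob describes. The issuer URL, the subject, the attribute values and the Basic credentials are constructed for the example; the SHA-1-of-issuer SourceID is a common convention, not a spec requirement, and the responder stands in for the SOAP-over-SSL responder without doing any transport or XML signature work.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

# Constructed sample values for the example (not from the thread).
ISSUER = "https://idp.example.edu/saml11"
SAML_P_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
IDP_BASIC_AUTH = ("sp.example.com", "hypothetical-shared-secret")  # hypothetical SP credentials


def build_response_xml(subject, attributes):
    """Minimal, unsigned SAML 1.1 Response carrying one AttributeStatement.
    A real POST-profile response is XML-DSig signed; signing is omitted here."""
    resp = ET.Element(f"{{{SAML_P_NS}}}Response", ResponseID="_resp1",
                      MajorVersion="1", MinorVersion="1")
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion", AssertionID="_a1",
                              Issuer=ISSUER, MajorVersion="1", MinorVersion="1")
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameIdentifier").text = subject
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", AttributeName=name,
                             AttributeNamespace="urn:example:attrs")
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


# ---- Browser/POST Profile: the full response transits the browser ----

def post_profile_form_field(subject, attributes):
    """The SAMLResponse hidden form field the IdP auto-POSTs through the browser."""
    return base64.b64encode(build_response_xml(subject, attributes).encode()).decode()


def read_attributes_from_form_field(saml_response_b64):
    """What anyone holding the form field can recover: every attribute, in clear."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {attr.get("AttributeName"): attr.find(f"{{{SAML_NS}}}AttributeValue").text
            for attr in root.iter(f"{{{SAML_NS}}}Attribute")}


# ---- Browser/Artifact Profile: only an opaque artifact transits the browser ----

def source_id(issuer):
    """20-byte SourceID; SHA-1 of the issuer URL is a common convention (assumed here)."""
    return hashlib.sha1(issuer.encode()).digest()


def make_artifact(issuer, handle=None):
    """SAML 1.1 TYPE 0x0001 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20)."""
    handle = handle or os.urandom(20)
    return base64.b64encode(b"\x00\x01" + source_id(issuer) + handle).decode(), handle


def parse_artifact(artifact_b64):
    """Split an artifact into its fields; note there is no subject or attribute data in it."""
    raw = base64.b64decode(artifact_b64)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("not a SAML 1.1 type-1 artifact")
    return {"type": 1, "source_id": raw[2:22], "handle": raw[22:]}


class ArtifactResponder:
    """Stand-in for the IdP's artifact responder on the back channel (SOAP over
    server-side SSL in practice). It checks the SP's HTTP Basic credentials, checks
    the artifact was issued by this source, and hands each response out once."""

    def __init__(self, basic_auth):
        self._auth = basic_auth
        self._pending = {}  # handle -> response XML awaiting resolution

    def issue(self, subject, attributes):
        artifact, handle = make_artifact(ISSUER)
        self._pending[handle] = build_response_xml(subject, attributes)
        return artifact

    def resolve(self, artifact_b64, basic_auth):
        if basic_auth != self._auth:
            raise PermissionError("SP not authenticated on back channel")
        parsed = parse_artifact(artifact_b64)
        if parsed["source_id"] != source_id(ISSUER):
            raise ValueError("artifact was not issued by this source")
        xml = self._pending.pop(parsed["handle"], None)
        if xml is None:
            raise LookupError("unknown or already-resolved artifact (replay?)")
        return xml


if __name__ == "__main__":
    attrs = {"mail": "alice@example.edu", "eduPersonAffiliation": "staff"}
    field = post_profile_form_field("alice", attrs)
    print("POST profile leaks:", read_attributes_from_form_field(field))
    idp = ArtifactResponder(IDP_BASIC_AUTH)
    art = idp.issue("alice", attrs)
    print("Artifact exposes only:", parse_artifact(art))
    print("Back channel returns:", idp.resolve(art, IDP_BASIC_AUTH)[:60], "...")
```

Run it and compare the two printed lines: the POST form field decodes straight to the user's attributes, while the artifact yields only a type code, a SourceID and random bytes, and the attributes only appear after the SP presents the right Basic credentials to the responder, which also refuses a second resolution of the same artifact.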