security-services message



Subject: RE: [security-services] BPP vs BAP for SAML 1.1


One doesn't have to use mutual SSL authn when using BAP.  Some of our
customers use HTTP BASIC Auth over server-side SSL.

Ummm... sure - you probably want to sign assertions if you're forwarding.
However, in BPP, it's the responses being signed, and also the web SSO
assertion isn't one you should be forwarding anyway.

Rob Philpott
Senior Consulting Engineer 
RSA Security Inc. 
Tel: 781-515-7115 
Mobile: 617-510-0893 
Fax: 781-515-7020 
mailto:rphilpott@rsasecurity.com 


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Wednesday, March 24, 2004 1:40 PM
> To: Philpott, Robert; jmoreh@sigaba.com; 'John Hughes'; 'Security-Services'
> Subject: RE: [security-services] BPP vs BAP for SAML 1.1
> 
> The other thing to keep in mind here is that as customers increase their
> desire to use assertions as forwardable or exchangeable credentials for
> other services, they all (usually) have to be signed.
> 
> Liberty also found that client side SSL support on some platforms was
> harder than doing DSIG, and that's why they always sign assertions, even
> with the artifact profile.
> 
> I personally think the biggest drawback to POST is the privacy leakage if
> the assertions contain personal data. It's not a huge problem in most
> cases, but it's the one thing to really be aware of from a security/privacy
> standpoint.
> 
> -- Scott


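The two points the thread turns on (that the Browser/POST profile pushes the signed response itself through the browser, and that this leaks whatever personal data the assertion carries, whereas the Browser/Artifact profile only hands the browser an opaque artifact) can be made concrete. The following is an added example, not code from the thread, from OASIS or from either poster: it builds a constructed SAML 1.1 Response (the issuer, attribute names and values are made up), encodes it as a POST-profile SAMLResponse form field and shows what any party that can read the form recovers without a key; it then builds a SAML 1.x type 0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle) and shows that parsing it yields nothing about the subject. A real POST response would also carry a ds:Signature; that is omitted here because a signature provides integrity, not confidentiality, so it does not change what the browser sees.

```python
"""Added example (not from the mailing-list thread): what the browser can
see of a SAML 1.1 Browser/POST response versus a Browser/Artifact artifact.

All data below is constructed for illustration; the Response XML, issuer,
attribute names and values are not taken from any real deployment."""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 1.1 keeps the 1.0 namespace URIs.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed SAML 1.1 Response carrying one assertion with personal data.
# No ds:Signature is included: a signature gives integrity, not
# confidentiality, so it would not change what the browser user can read.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ResponseID="_r1" MajorVersion="1" MinorVersion="1"
    IssueInstant="2004-03-24T18:40:00Z" Recipient="https://sp.example.org/acs">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="idp.example.org"
      MajorVersion="1" MinorVersion="1" IssueInstant="2004-03-24T18:40:00Z">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="dob" AttributeNamespace="urn:example:attrs">
        <saml:AttributeValue>1970-01-01</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def post_form_field(response_xml: str) -> str:
    """Encode a Response the way the Browser/POST profile carries it: the
    SAMLResponse form field is the base64 of the XML, readable by anyone
    who can see the HTML form (the user, browser extensions, proxies)."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def attributes_visible_in_post(saml_response_field: str) -> dict:
    """What a user (or anything in the browser) can read out of a POST
    profile form field without any key: decode and parse the XML."""
    xml = base64.b64decode(saml_response_field)
    root = ET.fromstring(xml)
    found = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        found[attr.get("AttributeName")] = values
    subj = root.find(f".//{{{SAML}}}NameIdentifier")
    if subj is not None:
        found["NameIdentifier"] = [subj.text]
    return found


def make_artifact(source_id_input: str, handle: Optional[bytes] = None) -> str:
    """SAML 1.x artifact, TypeCode 0x0001: 2-byte type code, 20-byte SourceID
    (SHA-1 of an identifier the source site chooses), 20-byte random
    AssertionHandle, base64-encoded. This is all the browser carries under
    the Browser/Artifact profile; the assertion stays at the source site."""
    if handle is None:
        handle = os.urandom(20)
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be 20 bytes")
    source_id = hashlib.sha1(source_id_input.encode("utf-8")).digest()
    return base64.b64encode(b"\x00\x01" + source_id + handle).decode("ascii")


def parse_artifact(artifact: str) -> dict:
    """What the browser can learn from an artifact: only the type code, the
    source site's 20-byte ID and an opaque handle. The destination site
    later exchanges the artifact for the assertion over the SOAP binding,
    which is where server-side SSL plus HTTP Basic (or mutual SSL) applies."""
    raw = base64.b64decode(artifact)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("not a type 0x0001 SAML 1.x artifact")
    return {"type_code": raw[:2].hex(), "source_id": raw[2:22].hex(),
            "assertion_handle": raw[22:].hex()}


if __name__ == "__main__":
    field = post_form_field(SAMPLE_RESPONSE)
    print("Browser/POST exposes:", attributes_visible_in_post(field))
    art = make_artifact("https://idp.example.org")
    print("Browser/Artifact exposes only:", parse_artifact(art))
```

Running it prints the subject's NameIdentifier, mail and dob straight out of the POST form field, and only hex digests out of the artifact. The artifact's SourceID is a stable per-site value, so it does tell an observer which source site issued it, but nothing about the subject; that is the trade Scott's point describes, and it holds whether or not the POST response is signed.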