security-services message



Subject: Re: [security-services] Using SAML Artifacts in the WSS SAML Token Profile




Greg Whitehead wrote on 7/7/2005, 11:55 AM:

 > There are lots of possibilities, so we need to keep the motivating use
 > case in mind. If it's just privacy (in the third party use case), we
 > already have a mechanism to encrypt the returned assertion. I think
 > efficiency is the main motivator: the WSP to IdP channel may be higher
 > bandwidth and provide channel security that eliminates the need to sign
 > or encrypt the assertion.

The big motivation for the likes of me is, of course, efficiency, since
a) fewer bits need to be relayed through the third party and b) the
assertion won't necessarily have to be signed.

However, I think there's also a security side to this along the lines
of "need to know." The third party who transmits the token does not
need to know anything about the token (even its size in bytes), nor
should they be allowed some possible means of offline attack on the
token -- yeah, good encryption can make this type of attack less than
useful, but we have some stringent rules about including PII in
tokens transmitted through third parties, regardless of the available
encryption, because of the possibility of offline attack.

With the artifact model, we get around this since the PII goes
directly from the issuer to the recipient rather than through
a third party.

Conor




