OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] ECP profile question

> > It seems like this example would still require the ECP to send a
> > fault response to the service provider.  No?
> I haven't looked closely at it, but if they don't match, it's wrong.

I believe it is wrong so we should probably re-open that errata item.

> > Why have the AssertionConsumerServiceURL at all?  Why not just have
> > ECP always deliver the response to the responseConsumerURL?
> The IdP is the one who knows where it's authorized to send PII about
> user to a given provider. The client typically is deferring this to
> IdP
> in order to keep it minimal (but with the usual privacy costs).
> The cross-check itself is to block a MitM attack where somebody
> the SP's response and redirects the ECP to tell it to send the response to
> it. The IdP has the metadata and the ECP authenticates it, so it knows
> it's being told to send the response elsewhere, something's wrong.

Fair enough.
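The cross-check discussed above, as an added example that is not part of the original thread or of any OASIS implementation: the ECP client compares the responseConsumerURL from the SP's PAOS request header against the AssertionConsumerServiceURL the IdP places in its ecp:Response header, and on a mismatch builds a SOAP fault instead of forwarding the SAML response. The element and attribute names, and the namespace URIs, are those of the SAML 2.0 ECP profile and PAOS binding; the sample envelopes, the hostnames, and the assumption that the fault is delivered to the responseConsumerURL are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS_NS = "urn:liberty:paos:2003-08"
ECP_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

# Keep the conventional "S" prefix so the faultcode QName below matches the envelope prefix.
ET.register_namespace("S", SOAP_NS)

# Constructed sample: header block of the SP's PAOS request (hostnames are made up).
SP_PAOS_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.org/SAML2/ECP"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  </S:Header>
  <S:Body/>
</S:Envelope>"""

# Constructed sample: IdP response whose ecp:Response header agrees with the SP.
IDP_RESPONSE_OK = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        AssertionConsumerServiceURL="https://sp.example.org/SAML2/ECP"/>
  </S:Header>
  <S:Body/>
</S:Envelope>"""

# Constructed sample: the same response with a different destination, as seen when the
# PAOS request reaching the IdP did not come from the SP the client believes it is talking to.
IDP_RESPONSE_MISMATCH = IDP_RESPONSE_OK.replace(
    'AssertionConsumerServiceURL="https://sp.example.org/SAML2/ECP"',
    'AssertionConsumerServiceURL="https://other.example.net/collector"',
)


def response_consumer_url(paos_envelope: str) -> str:
    """Extract responseConsumerURL from the paos:Request header the SP sent to the ECP."""
    root = ET.fromstring(paos_envelope)
    req = root.find(f"{{{SOAP_NS}}}Header/{{{PAOS_NS}}}Request")
    if req is None or "responseConsumerURL" not in req.attrib:
        raise ValueError("PAOS request lacks a responseConsumerURL")
    return req.attrib["responseConsumerURL"]


def assertion_consumer_service_url(idp_envelope: str) -> str:
    """Extract AssertionConsumerServiceURL from the ecp:Response header returned by the IdP."""
    root = ET.fromstring(idp_envelope)
    resp = root.find(f"{{{SOAP_NS}}}Header/{{{ECP_NS}}}Response")
    if resp is None or "AssertionConsumerServiceURL" not in resp.attrib:
        raise ValueError("IdP response lacks an ecp:Response header with AssertionConsumerServiceURL")
    return resp.attrib["AssertionConsumerServiceURL"]


def build_soap_fault(reason: str) -> str:
    """Build a minimal SOAP 1.1 client fault the ECP can return instead of the SAML response."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = "S:Client"   # unqualified children per SOAP 1.1
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env, encoding="unicode")


def handle_idp_response(paos_envelope: str, idp_envelope: str) -> dict:
    """Decide what the ECP forwards to the SP.

    Returns {"deliver_to": url, "fault": xml-or-None, "forward_response": bool}.
    On a match the IdP's envelope is forwarded to the agreed URL; on a mismatch a fault
    goes to the SP's responseConsumerURL (delivery target assumed for this example).
    """
    expected = response_consumer_url(paos_envelope)
    actual = assertion_consumer_service_url(idp_envelope)
    if expected == actual:
        return {"deliver_to": actual, "fault": None, "forward_response": True}
    reason = (f"AssertionConsumerServiceURL {actual!r} does not match "
              f"responseConsumerURL {expected!r}; response withheld")
    return {"deliver_to": expected, "fault": build_soap_fault(reason), "forward_response": False}


if __name__ == "__main__":
    print(handle_idp_response(SP_PAOS_REQUEST, IDP_RESPONSE_OK))
    print(handle_idp_response(SP_PAOS_REQUEST, IDP_RESPONSE_MISMATCH)["fault"])
```

The comparison is an exact string match on purpose: a lenient comparison (case-folding the host, ignoring a trailing slash) is exactly the kind of normalisation that lets two distinct endpoints be treated as the same, and the IdP is expected to have the SP's metadata, so the URL it returns should already be the registered one.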
