Subject: RE: [security-services] comments: sstc-saml-holder-of-key-browser-sso-draft-01
Let me follow up here since this same confusion was evident in the Liberty world when I first proposed the SSOS work there. What you're talking about, I think, is a synchronous request/response profile for sending an AuthnRequest and returning an assertion. You state that it's HoK, but in fact I think you'll agree that the conf method is immaterial. What matters is that the requester's authentication to the IdP justifies the method returned (which is in fact what core says).

I fully support this use case, which is why I proposed it in Liberty. I happen to believe that using HTTP for it is silly, however, because it's such a constrained protocol when it comes to authentication. I think SOAP makes more sense since it allows for flexible message-based security. What I didn't manage to do was to merge the SOAP part of ECP with this idea because the assumptions just didn't hold. I could have added all kinds of conditional language, but that just muddies the result. Instead, I left ECP alone and just defined an explicit profile for using SOAP, the AuthnRequest protocol, and the ID-WSF binding and security work to make up the exchange.

Now, should there be a SAML-only SSOS? It's been raised several times, and nobody has come up with an argument that I think makes any sense. People refuse to use ID-WSF and then expect the SSTC to just reinvent it by defining our own SOAP security spec here, and I just don't see that happening. So, *if* one starts with SOAP as the assumption, my claim is that if all you want is TLS and HoK, you can do that with the existing Liberty SSOS, add a couple ID-WSF headers that hurt nobody, and you're done. No new profile needed.

Now, if you throw out SOAP, then yes, I agree, you would need a new profile, mainly just a copy of the Liberty SSOS that takes out ID-WSF, uses a new HTTP binding, and relies on HTTP-compatible authentication or message signing for the security. I'll even help somebody write it if they need help.
I simply don't think that is this document. -- Scott
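As an added illustration of the point made above (the confirmation method is immaterial; what matters is that the requester's authentication to the IdP justifies the method returned), here is a small IdP-side policy in Python. It is not code from this thread or from any SAML implementation: it issues a holder-of-key SubjectConfirmation only when the requester proved possession of a key (a TLS client certificate in this example) and confirms exactly that certificate, and falls back to bearer otherwise. The `requester_auth` dictionary shape and the function names are assumptions for the example.

```python
# Added example, not from the thread: decide which SubjectConfirmation an IdP
# may issue, based on how the requester actually authenticated to it.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

for prefix, uri in (("saml", SAML_NS), ("ds", DS_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)


def choose_confirmation(requester_auth, requested_method):
    """requester_auth describes how the requester authenticated to the IdP
    (constructed shape: {"type": "tls-client-cert", "cert_b64": ...} or
    {"type": "password"}). Holder-of-key is justified only when the
    requester proved possession of a key, and the key confirmed in the
    assertion must be the very one used for that authentication."""
    if requested_method == HOK:
        if requester_auth.get("type") != "tls-client-cert":
            raise PermissionError("holder-of-key requires proof of key possession")
        return HOK, requester_auth["cert_b64"]
    if requested_method == BEARER:
        return BEARER, None
    raise ValueError("unsupported confirmation method: %s" % requested_method)


def build_subject_confirmation(method, cert_b64=None):
    """Return a saml:SubjectConfirmation element. For holder-of-key the
    confirming certificate is carried in ds:KeyInfo inside a
    SubjectConfirmationData of type KeyInfoConfirmationDataType."""
    sc = ET.Element("{%s}SubjectConfirmation" % SAML_NS, Method=method)
    if method == HOK:
        scd = ET.SubElement(sc, "{%s}SubjectConfirmationData" % SAML_NS)
        scd.set("{%s}type" % XSI_NS, "saml:KeyInfoConfirmationDataType")
        ki = ET.SubElement(scd, "{%s}KeyInfo" % DS_NS)
        x509 = ET.SubElement(ki, "{%s}X509Data" % DS_NS)
        ET.SubElement(x509, "{%s}X509Certificate" % DS_NS).text = cert_b64
    return sc


def confirmation_xml(requester_auth, requested_method):
    """Policy check plus serialisation in one step; raises if unjustified."""
    method, cert = choose_confirmation(requester_auth, requested_method)
    return ET.tostring(build_subject_confirmation(method, cert), encoding="unicode")
```

A password-authenticated requester asking for holder-of-key is refused rather than handed an assertion confirming a key it never proved it holds.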