security-services message

Subject: RE: [security-services] NIST prohibits use of SAML assertions at LOA 4

From: "Cahill, Conor P" <conor.p.cahill@intel.com>
To: <cantor.2@osu.edu>,"Eric Tiffany" <eric@projectliberty.org>,"Staggs, David (SAIC)" <David.Staggs@va.gov>,"OASIS SSTC" <security-services@lists.oasis-open.org>
Date: Fri, 27 Jun 2008 14:13:04 -0700


> Well, it's interpreted in light of the fact that browsers cannot
perform
> proof operations with SAML assertions. What they want is not PKI in
> general, but PKI between the relying party and the client. More than a
> bearer token, in other words. There's plenty to be said for that
argument.

Yeah, but then they should be saying that they don't allow the browser
SSO
profile rather than disallowing the assertions. 

Conor

Follow-Ups:
- Re: [security-services] NIST prohibits use of SAML assertions atLOA 4
  - From: Paul Madsen <paulmadsen@rogers.com>
- Re: [security-services] NIST prohibits use of SAML assertions atLOA 4
  - From: =JeffH <Jeff.Hodges@neustar.biz>

References:
- NIST prohibits use of SAML assertions at LOA 4
  - From: "Staggs, David (SAIC)" <David.Staggs@va.gov>
- Re: [security-services] NIST prohibits use of SAML assertions at LOA4
  - From: Eric Tiffany <eric@projectliberty.org>
- RE: [security-services] NIST prohibits use of SAML assertions at LOA 4
  - From: "Scott Cantor" <cantor.2@osu.edu>