Subject: Re: [security-services] NIST prohibits use of SAML assertions at LOA 4
> more generally, rather than pick on SAML, the policy should preclude
> 'browser redirect SSO systems that rely on bearer tokens'

I think 800-63 intends the term "assertions" as a shorthand to mean exactly this, where of course this could use some clarification.

In NIST's defense, I think the SAML web browser profile was the only non-PKI SSO technology standard their constituents (US government agencies, pretty much) were asking them to evaluate, hence they weren't motivated to evaluate the potential of other profiles or standards. So a petition from a bunch of technology suppliers to certify SAML holder-of-key to be as-good-as-PKI for Level 4 might need to be accompanied by statements by USG-related entities that they actually want to deploy it.

- RL "Bob"