OASIS Mailing List Archives

security-services message


Subject: Re: [security-services] NIST prohibits use of SAML assertions at LOA 4

> more generally, rather than pick on SAML, the policy should preclude
> 'browser redirect SSO systems that rely on bearer tokens'

I think 800-63 intends the term "assertions" as a shorthand to mean 
exactly this, where of course this could use some clarification.  In 
NIST's defense, I think the SAML web browser profile was the only non-PKI 
SSO technology standard their constituents (US government agencies, pretty 
much) were asking them to evaluate, hence they weren't motivated to 
evaluate the potential of other profiles or standards.  So a petition from 
a bunch of technology suppliers to certify SAML holder-of-key to be 
as-good-as-PKI for Level 4 might need to be accompanied by statements by 
USG-related entities that they actually want to deploy it.

  - RL "Bob"
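Added illustration, not code from this thread or from OASIS: a relying-party-side check that separates the bearer confirmation the quoted policy wording targets ("browser redirect SSO systems that rely on bearer tokens") from holder-of-key confirmation, where the presenter must prove possession of the key the assertion binds. The `build_assertion` helper, the presenter certificate argument and the certificate strings are constructed placeholders; signature, audience and validity-window checks are assumed to happen elsewhere.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
CERT_PATH = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def normalize_b64(text):
    """Strip whitespace so certificates compare regardless of line wrapping."""
    return re.sub(r"\s+", "", text or "")


def classify_confirmation(assertion_xml, presenter_cert_b64):
    """Return (confirmation method, proof_of_possession).

    proof_of_possession is True only for holder-of-key confirmation where the
    certificate the presenter authenticated with (assumed here to be its client
    TLS certificate) is one the assertion names. Signature, audience and time
    checks are assumed to happen elsewhere.
    """
    root = ET.fromstring(assertion_xml)
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None:
        return (None, False)
    method = conf.get("Method")
    if method != HOLDER_OF_KEY:
        # Bearer confirmation: possession of the assertion alone is accepted,
        # so nothing ties it to the party presenting it.
        return (method, False)
    bound = {normalize_b64(c.text) for c in conf.findall(CERT_PATH, NS)}
    presenter = normalize_b64(presenter_cert_b64)
    return (method, bool(presenter) and presenter in bound)


def build_assertion(method, cert_b64=None):
    """Constructed minimal (unsigned) assertion for demonstration only."""
    data = ""
    if cert_b64 is not None:
        data = ('<saml:SubjectConfirmationData><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>'
                "<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
                "</saml:SubjectConfirmationData>") % (NS["ds"], cert_b64)
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>alice</saml:NameID>'
            '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
            "</saml:Subject></saml:Assertion>") % (NS["saml"], method, data)
```

A bearer assertion is classified as offering no proof of possession regardless of who presents it, while a holder-of-key assertion passes only when the presenter's certificate matches the one the assertion names.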
