OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-05

On Wed, Aug 6, 2008 at 11:10 PM, Nate Klingenstein <ndk@internet2.edu> wrote:
>> - In lines 377--379, I'm concerned that the assertion "MAY be signed
>> if the HTTP Artifact binding is used," especially in light of the note
>> on lines 389--390.  I believe a HoK assertion MUST be signed,
>> regardless of how it is obtained.
> Why do you believe this?  To enable secure forwarding or re-use of
> assertions, or ensure better auditing and repudiation?  I'd like to leave
> Artifact using TLS/SSL authentication as a viable option to allow for use of
> this profile under heavy loads without serious hardware if the deployer
> doesn't need to recycle or pass along the assertions.

Yes, I think you and Scott are right about this, I need to remove this
requirement from the "HoK Subject Confirmation Profile" and leave this
to higher-level profiles.

>> - ... Hijacking the Binding attribute like this is
>> a bit of a kludge.  Why not define new endpoints just for this
>> purpose?  Yes, I know you say (on line 494) that you'd rather not do
>> that, but why not?  That seems like the proper approach to me.
> See your response to yourself. :D  This seems like the least ugly approach,
> and yes, they're all awful.

Well, an alternate approach would be to define a new RoleDescriptorType:

<complexType name="HoKIDPSSODescriptorType">
    <extension base="md:IDPSSODescriptorType"/>

I think it's cleaner to do it this way.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]