
security-services message


Subject: Re: [security-services] Re: comments re draft-sstc-metadata-iop-02

On Wed, Oct 22, 2008 at 9:25 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> Tom Scavo wrote:
>> In fact, this
>> alternate use of SAML metadata is the reason I referred to the
>> Metadata Interoperability Profile as a "deployment profile" as opposed
>> to some universally applicable profile.
> Leaving aside whether this distinction even matters, no profile is
> universal. How many people are going to use a certificate-based profile for
> SSO any time soon? That doesn't make it a community-specific profile, just a
> relatively less adopted one.

Are you referring to Holder-of-Key Web Browser SSO?  That profile is
clearly and correctly characterized as an adjunct to Web Browser SSO,
so there is no mistaking its scope and intent.  The Metadata
Interoperability Profile (IOP) is not so easily categorized, however.
The IOP does not characterize itself as being applicable to a
particular use case or community, so by default it must be applicable
to everyone.  Therein lies my objection.

> The issue to me is whether a profile imposes constraints or assumptions that
> would make it unrealistic to adopt across a broad range of communities. My
> goal here is not to convince those communities to do so, however misguided I
> may think they are. I'm just interested in giving the TC member companies a
> better opportunity to provide products that meet the needs of a number of
> communities they aren't serving very well right now.

I think that's a laudable goal, and I support it.  However, I claim
that the profile as written does not identify the communities to which
it applies.  I would rather not leave that interpretation as an
exercise to the reader.  What I'm trying to avoid is the following
thought pattern on the part of the reader: "Community A makes use of
SAML metadata but that usage does not conform to IOP so Community A
metadata is not an interoperable use of SAML metadata."

AFAICT, the IOP appears to be a profile designed to accompany SAML Web
Browser SSO.  Certainly that is the historical basis for its
existence.  So why not characterize it as such?  Is what you've
written a SAML V2.0 Metadata Interoperability Profile for Web Browser

