Subject: RE: [security-services] Re: comments re draft-sstc-metadata-iop-02
> Are you referring to Holder-of-Key Web Browser SSO?

Yes.

> That profile is clearly and correctly characterized as an adjunct to
> Web Browser SSO, so there is no mistaking its scope and intent.

It's still much more of a niche profile than this one is, but I'm not arguing that it needs to be characterized differently.

> The Metadata Interoperability Profile (IOP) is not so easily
> categorized, however. The IOP does not characterize itself as being
> applicable to a particular use case or community, so by default it
> must be applicable to everyone. Therein lies my objection.

It *is* applicable to everyone. There is absolutely no reason why the TeraGrid, or any other user of SAML metadata, can't use it. It is quite usable with all the SAML profiles I know of that rely on metadata, and it works perfectly well for communities that insist on using PKI all over the place. It just doesn't expose the other communities they might want to federate with to that PKI, which is a big reason for doing it this way.

That doesn't mean everyone has to use it, but that's true of every SAML profile.

> I think that's a laudable goal, and I support it. However, I claim
> that the profile as written does not identify the communities to which
> it applies.

It would be impossible to do so, since it can in fact apply to just about anybody. Showing that some communities do different things doesn't speak to whether they could (at a purely technical level) do something else if they chose to.

> I would rather not leave that interpretation as an exercise to the
> reader. What I'm trying to avoid is the following thought pattern on
> the part of the reader: "Community A makes use of SAML metadata but
> that usage does not conform to IOP so Community A metadata is not an
> interoperable use of SAML metadata."

That's a different issue. I actually happen to believe that that's true as it stands today. But I'm satisfied to leave that out of the text (which I have, apart from the title).

> AFAICT, the IOP appears to be a profile designed to accompany SAML Web
> Browser SSO. Certainly that is the historical basis for its existence.

No, not really. Perhaps because that's the historical basis for SAML's own existence.

> So why not characterize it as such? Is what you've written a SAML V2.0
> Metadata Interoperability Profile for Web Browser SSO?

There's nothing in it that has any dependency on the profile(s) being implemented. It is exactly what the title says...*a* profile for metadata interoperability (as opposed to the "only" profile for that, though it's the only one I've ever seen).

Anyway, at this particular moment, I haven't come up with any good alternate names that don't sound awkward, so rather than waste my time on it, I'll leave the floor open. But I would object to something with "higher ed" in it, because this isn't specific to one community. The title should reflect some technical aspect of the profile.

-- Scott