security-services message

Subject: RE: [security-services] Drafts for review: Kerberos & SAML profiles

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Josh Howlett'" <josh.howlett@gmail.com>
Date: Tue, 11 Aug 2009 09:56:38 -0400

Josh Howlett wrote on 2009-08-11:
>>> That's an interesting idea. It certainly seems simpler than grafting
>>> Kerberos onto the HoK AP. Are there are any reasons why we would not
>>> want to do this?
>> 
>> I think it relates more than anything else to the WSS SAML token profile,
>> and given that I think that document probably needs to be revisited
>> anyway,  I'm not sure I care at this point.
> 
> You've lost me... How does this relate to the WSS SAML token profile?

The WSS profile, last I read it, sort of bakes in an awareness of a pair of
confirmation methods, HoK and sender-vouches (the latter being essentially
meaningless). It's not clear to me whether you can actually use other
methods and still follow the profile.

-- Scott

Follow-Ups:
- Re: [security-services] Drafts for review: Kerberos & SAML profiles
  - From: Josh Howlett <josh.howlett@gmail.com>

References:
- Re: [security-services] Drafts for review: Kerberos & SAML profiles
  - From: Josh Howlett <josh.howlett@gmail.com>
- Re: [security-services] Drafts for review: Kerberos & SAML profiles
  - From: Josh Howlett <josh.howlett@gmail.com>