security-services message

Subject: Metadata IOP & the front-channel bindings

Section 2.2 of Metadata Interoperability Profile reads:

"This profile [...] requires that metadata be usable as a self-contained vehicle for communicating trust such that a user of a conforming implementation can be guaranteed that any and all rules for processing digital signatures, encrypted XML, and transport layer cryptography (e.g. TLS/SSL [RFC4346]) can be derived from the metadata alone, with no additional trust requirements imposed."

I'm curious how the IOP addresses the confidentiality and integrity requirement of the front-channel bindings (cf. "Security and Privacy Considerations") from the 'metadata alone'.

It seems to me that the credentials bound to endpoints such as the ACS (and trust anchors stored in the user's browser) are "additional trust requirement[s]"?

I suspect that I'm interpreting the quoted extract too broadly (i.e. this spec is scoped to metadata consumers/publishers, and trust interactions between other actors are out of scope), but a clarification would be very welcome!

best regards, josh.
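As an added illustration (not part of the message above, nor code from the IOP or any OASIS project) of what deriving front-channel TLS trust "from the metadata alone" would look like: a relying party accepts an endpoint's presented certificate only if the URL is published in the entity's metadata and the certificate appears in one of that entity's KeyDescriptor elements, so the browser's trust store plays no part. The metadata, the placeholder certificate bytes and the rule that keys with use="signing" or no use attribute may authenticate an endpoint are assumptions made for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for DER certificates; not real X.509 data.
SIGNING_DER = b"constructed-signing-cert"
ENCRYPTION_DER = b"constructed-encryption-cert"
ROGUE_DER = b"constructed-cert-chained-to-a-browser-root-only"


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample metadata for an SP: one signing key, one encryption key, one ACS.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(SIGNING_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(ENCRYPTION_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.org/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def endpoint_keys(xml_text: str, role: str = "SPSSODescriptor") -> dict:
    """Map sha256(DER) -> use for keys allowed to authenticate the role's endpoints.
    Assumed rule: use="signing" or no use attribute; encryption-only keys are excluded."""
    root = ET.fromstring(xml_text)
    keys = {}
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            keys[hashlib.sha256(der).hexdigest()] = use or "any"
    return keys


def published_locations(xml_text: str, role: str = "SPSSODescriptor") -> set:
    """Every endpoint Location the metadata publishes for the role (ACS, SLO, ...)."""
    root = ET.fromstring(xml_text)
    return {e.get("Location") for e in root.findall(f"md:{role}/*[@Location]", NS)}


def trusted_from_metadata_alone(xml_text: str, location: str, presented_der: bytes) -> bool:
    """True only if the URL is a published endpoint AND the presented TLS certificate
    is one of the entity's own endpoint keys; no external trust anchor is consulted."""
    if location not in published_locations(xml_text):
        return False
    return hashlib.sha256(presented_der).hexdigest() in endpoint_keys(xml_text)
```

A certificate that chains to a public CA in the browser's store but is absent from the metadata is rejected here, which is exactly the "no additional trust requirements" reading of the clause.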
