OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] Trust in artifact resolution


Josh Howlett wrote on 2010-02-11:
>> Yes, but it wouldn't prove that you got either one from somebody you
>> trusted and not some arbitrary interloper.
> 
> Sure, but we can authenticate the binding used to obtain the artifact
> to obtain that assurance.

How? The artifact is passed through the client, so there's no way for the
message's intended recipient to authenticate it from the message/artifact
issuer.

>  I originally thought there was a violation because I got badly
> confused. Where is the violation now? The callback does not require
> authentication...?

The profile says the SAML responder MUST authenticate itself to the SAML
requester, doesn't it?
 
-- Scott



