security-services message
Subject: RE: Question to SSTC -- RE: Questions Regarding SAML 2.0 Conformance

> Do you have any recommendations for things we ought to consider in making
> this decision?

Personally, I would favor (1) when possible and (2) as an alternative. But I really don't have the time to get into that level of advice here and I'm sure a hundred people would have a hundred different opinions about it.

> In the eGov Profile that you mentioned to me earlier, why is the Identity
> Provider Discovery Profile required? Maybe I am not understanding the use
> cases of it, but I would think that for most B-to-B applications, the
> Service Provider and the Identity Provider know who each other are. Is this
> correct, or am I not understanding the use cases associated with the
> Identity Provider Discovery Profile?

True federation to me means there are multiple IdPs. Supporting a single IdP is just externalizing authentication. A whole lot of issues are radically simpler when users from multiple IdPs aren't interacting with the same set of resources.

> In the eGov profile you referred me to, when encryption is required, what
> are the algorithms and strengths that are recommended?

There are no standards bodies that seem willing to take on updating, let alone maintaining, conformance criteria for that. De facto it's up to the XML Encryption specification because that's what implementers are subject to. I'm sure governments among others will try and impose their own criteria, but at the end of the day it's up to the crypto libraries, not SAML.

-- Scott
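Since, as the reply above notes, SAML itself does not pin algorithm strength and the choice lands on the XML Encryption URIs a deployment accepts, a service provider can enforce its own policy by inspecting those URIs before decrypting. The following is an added example (not code from the thread or from any SAML implementation) that pulls the EncryptionMethod URIs out of an EncryptedAssertion and checks them against a local allowlist; the allowlist itself and the sample assertions are constructed for the example.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Local deployment policy (an assumption of this example, not a SAML rule):
# AES for the assertion body, RSA-OAEP for key transport; 3DES and
# RSA PKCS#1 v1.5 are not on the list and therefore get rejected.
ALLOWED_DATA = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    XENC11 + "aes128-gcm", XENC11 + "aes256-gcm",
}
ALLOWED_KEY = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}

def encryption_algorithms(xml_text):
    """Return (data_algorithm, [key_transport_algorithms]) from an EncryptedAssertion."""
    root = ET.fromstring(xml_text)
    enc = root if root.tag == SAML + "EncryptedAssertion" else root.find(".//" + SAML + "EncryptedAssertion")
    if enc is None:
        raise ValueError("no EncryptedAssertion element")
    data = enc.find(XENC + "EncryptedData")
    method = data.find(XENC + "EncryptionMethod") if data is not None else None
    data_alg = method.get("Algorithm") if method is not None else None
    key_algs = []
    # EncryptedKey may sit inside EncryptedData/KeyInfo or beside EncryptedData.
    for key in enc.iter(XENC + "EncryptedKey"):
        km = key.find(XENC + "EncryptionMethod")
        key_algs.append(km.get("Algorithm") if km is not None else None)
    return data_alg, key_algs

def policy_violations(xml_text):
    """Algorithm URIs the local policy rejects; an empty list means the assertion may be decrypted."""
    data_alg, key_algs = encryption_algorithms(xml_text)
    bad = [] if data_alg in ALLOWED_DATA else [data_alg]
    return bad + [k for k in key_algs if k not in ALLOWED_KEY]

def _sample(data_alg, key_alg):
    # Constructed minimal EncryptedAssertion; the CipherValue content is a placeholder.
    return (
        '<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
        f'<xenc:EncryptedData><xenc:EncryptionMethod Algorithm="{data_alg}"/>'
        '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>'
        f'<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{key_alg}"/>'
        '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>'
        '</saml:EncryptedAssertion>'
    )

STRONG = _sample(XENC11 + "aes256-gcm", XENC11 + "rsa-oaep")
WEAK = _sample("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5")
```

Run the check before handing the document to the decryption routine, so that an assertion using an algorithm outside the allowlist is refused rather than decrypted and then judged.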
