OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-use message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: Shibboleth and credential negotiation


> I too work on Shibboleth.  Sorry to not have responded earlier.

Better late than never!  I think Shibboleth is an exciting project.  Whish I could join...

> We are still trying to figure out what we are going to do in
> Shibboleth.

> What is likely is that we will have "canned" sets of
> well-known attributes.  And that we'll have a means
> of extensibility.

If applied to A2ML that would be in the form of a "Shibboleth partner" XML schema definition?

> We are arguing whether or not there is the possibility
> of a target site "asking" for what it wants.  The two
> extremes cases are: (1) the target always asks for what it
> wants from an attribute authority; (2)the set of attributes
> to be sent is pre-configured (at the source) on a "per site"
> basis and no asking is needed or permitted. 

I don't consider this as two extremes, I would rather characterize this
as the *only* two possibilities, where (2) represent the current
A2ML solution.  If there really is a *third* option what would that
look like?

A side-effect of (1) is that the target is autenticated before the source, gives
IMO a much better control over the situation ("genuine" target or not?) and is
a pre-condition for any serious information disclosure user options.


> I hope this helps.

It was very interesting to read, now I just wonder how this TC will treat this.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC