>>>>> "Cantor," == Cantor, Scott E <[email protected]> writes:

    >> Right.  I don't think we can do this and build an interoperable
    >> secure standard.  I think that the question about whether an RP
    >> that trusts the IDP should rely on the attribute or not needs to
    >> be answered in-band.

    Cantor,> But by that measure, LDAP isn't an interoperable secure
    Cantor,> standard either.
I'm not sure I see what you're getting at.
I'd certainly expect a schema or directory organization to indicate if
information was being stored in the directory that the directory
itself was not vouching for.

Actually we have been somewhat explicit about some of this.
For example, in the case of NSS (LDAP, NIS, etc.) we've at least implicitly
said that a client can trust account information from a directory.

However in the case of PKI-related attributes we've not made this trust
assumption.  If I find a certificate in a directory I'm still expected
to perform cert validation according to the PKIX specs.


We're explicitly saying with draft-ietf-saml-aaa that an RP SHOULD trust
the information and not perform validation for the authentication
response.  We need to do that in order to get interoperability.  Once
we've done that, we need to make it clear when that doesn't hold.


--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
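The PKI analogy in the message above, as an added example that is not part of the thread and not code from any of the drafts it mentions: an RP reads a userCertificate attribute out of a directory, but because the directory itself vouches for nothing about that value, the RP still builds and checks a PKIX path to its own configured trust anchors. The organisation CA, the genuine entry and the attacker-planted self-signed entry are all constructed in memory for the demonstration; only Go's standard crypto/x509 package is used, and the attribute name and the "planted by someone with directory write access" scenario are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1000 // constructed serial counter for the demo CA

// issue creates a certificate for cn. With parent == nil the cert is
// self-signed; otherwise it is signed by parentKey and chains to parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// validateDirectoryCert treats der as the value of a userCertificate;binary
// attribute read from the directory (assumed attribute name). The directory
// is not a trust anchor for it, so the RP performs PKIX path validation
// against the roots it configured itself rather than trusting the lookup.
func validateDirectoryCert(der []byte, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("userCertificate is not a valid DER certificate: %w", err)
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// buildScenario constructs two directory entries for the same name: one
// whose certificate was issued by the organisation's CA, and one where an
// attacker with write access to the directory stored a self-signed cert.
func buildScenario() (roots *x509.CertPool, genuine, planted []byte) {
	ca, caKey := issue("Example Org CA", true, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := issue("alice", false, ca, caKey)
	rogue, _ := issue("alice", false, nil, nil)
	return roots, good.Raw, rogue.Raw
}

func main() {
	roots, genuine, planted := buildScenario()
	for name, der := range map[string][]byte{"genuine": genuine, "planted": planted} {
		if err := validateDirectoryCert(der, roots); err != nil {
			fmt.Printf("%s entry: rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%s entry: accepted, chains to configured root\n", name)
		}
	}
}
```

The contrast with account data is the point of the message: a uid or uidNumber read from the same directory would be consumed as-is under the NSS assumption, whereas the certificate attribute gets the same treatment it would get if it had arrived from an untrusted source, because nothing in the directory protocol tells the RP that the directory stands behind it.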
