On 03/11/11 15:30, Cantor, Scott wrote:
> On 11/3/11 9:19 AM, "Gabriel López" <[email protected]> wrote:
>> yes, I was thinking of the size of the SAML assertion and the limit of
>> 4096 bytes commented on by Alejandro in the last email. The XMLSignature
>> would considerably increase the message size.
> The only dramatic size increase comes from putting the certificate in the
> message. If you don't do that (as in, you don't use PKIX), then it isn't
> really that large.
>
>>> This makes sense (kind of like Kerberos constrained delegation where the
>>> authorisation data is signed). But it could be optional?
>> not sure about that
> Not optional in the sense that it would be used as if it were signed, just
> optional meaning not all assertions would have that capability. As in fact
> they wouldn't. You can't just sign the assertion and magically treat it as
> a reusable token. Well, you can, but those people are ignoring the
> standard. Other content is also needed or you have a very lax model.

Well, I'm thinking about the Federated Cross-Layer Access use case. Network access authentication could provide the RADIUS server with a SAML assertion; then the application service could obtain this assertion (directly from the AAA server or through the end user) and take an access control decision based on that. Protecting the SAML assertion in a correct way would not lead to a lax model. Of course, I agree, it doesn't follow any current SAML specification.
Anyway, this topic will require a new thread. Thanks Scott for your comments.

> -- Scott
>

--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
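Added example, not code from the thread or from either of its authors: a Python 3 script (standard library only) that measures how much an enveloped XML Signature adds to a small constructed SAML 2.0 assertion, once with the signer's certificate carried in ds:KeyInfo and once with only a ds:KeyName, and checks both totals against the 4096-byte limit discussed above. The assertion content, the KeyName, the signature value and the certificate are all constructed placeholders; the signature and certificate bytes are only size-accurate (an RSA-2048 signature is 256 bytes, and a typical RSA-2048 X.509 certificate is assumed to be about 1000 bytes of DER). The DigestValue is computed over the raw assertion bytes rather than over canonicalized XML, so the output is a size model, not a valid signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("saml", SAML_NS)

# The 4096-byte limit referred to in the thread (a RADIUS packet is at most 4096 octets).
SIZE_BUDGET = 4096

# Constructed minimal SAML 2.0 assertion; every value here is made up for this example.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-assertion-1" Version="2.0" IssueInstant="2011-11-03T15:30:00Z">'
    '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    'user-0001</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2011-11-03T15:30:00Z" NotOnOrAfter="2011-11-03T15:40:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://app.example.org/</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AuthnStatement AuthnInstant="2011-11-03T15:29:55Z"/>'
    '</saml:Assertion>'
)

# Placeholder bytes that are size-accurate but carry no cryptographic meaning:
# an RSA-2048 signature is always 256 bytes; an RSA-2048 X.509 certificate is
# assumed to be about 1000 bytes of DER (assumption made for the size comparison).
PLACEHOLDER_RSA2048_SIGNATURE = bytes(range(256))
PLACEHOLDER_DER_CERTIFICATE = bytes(i % 251 for i in range(1000))


def build_enveloped_signature(assertion_bytes: bytes, include_certificate: bool) -> bytes:
    """Serialize a ds:Signature element of the shape used for signed SAML assertions.

    DigestValue is SHA-256 over the raw assertion bytes; a real signer applies the
    enveloped-signature and exclusive-C14N transforms first. SignatureValue and the
    certificate are the placeholders defined above.
    """
    assertion_id = ET.fromstring(assertion_bytes).get("ID")  # Reference points at the assertion
    sig = ET.Element(f"{{{DS_NS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS_NS}}}CanonicalizationMethod",
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(signed_info, f"{{{DS_NS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(signed_info, f"{{{DS_NS}}}Reference", URI=f"#{assertion_id}")
    transforms = ET.SubElement(ref, f"{{{DS_NS}}}Transforms")
    ET.SubElement(transforms, f"{{{DS_NS}}}Transform",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
    ET.SubElement(transforms, f"{{{DS_NS}}}Transform",
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(ref, f"{{{DS_NS}}}DigestMethod",
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = base64.b64encode(
        hashlib.sha256(assertion_bytes).digest()).decode("ascii")
    ET.SubElement(sig, f"{{{DS_NS}}}SignatureValue").text = base64.b64encode(
        PLACEHOLDER_RSA2048_SIGNATURE).decode("ascii")
    key_info = ET.SubElement(sig, f"{{{DS_NS}}}KeyInfo")
    if include_certificate:
        # PKIX-style: the verifier gets the whole certificate chain element in-band.
        x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = base64.b64encode(
            PLACEHOLDER_DER_CERTIFICATE).decode("ascii")
    else:
        # Key known to the verifier out of band (e.g. from federation metadata).
        ET.SubElement(key_info, f"{{{DS_NS}}}KeyName").text = "idp-signing-key-2011"
    return ET.tostring(sig, encoding="utf-8")


def signed_assertion_size(include_certificate: bool) -> int:
    """Bytes of the assertion plus its enveloped ds:Signature."""
    assertion = SAMPLE_ASSERTION.encode("utf-8")
    return len(assertion) + len(build_enveloped_signature(assertion, include_certificate))


def signature_overhead(include_certificate: bool) -> int:
    """Bytes the signature adds on top of the unsigned assertion."""
    return signed_assertion_size(include_certificate) - len(SAMPLE_ASSERTION.encode("utf-8"))


def fits_budget(size: int, budget: int = SIZE_BUDGET) -> bool:
    return size <= budget


if __name__ == "__main__":
    for with_cert in (False, True):
        total = signed_assertion_size(with_cert)
        print(f"certificate in KeyInfo: {str(with_cert):5}  total={total:5d} bytes  "
              f"overhead={signature_overhead(with_cert):5d} bytes  "
              f"fits {SIZE_BUDGET}: {fits_budget(total)}")

```

Run it and compare the two overhead figures: the base64-encoded certificate alone (about 1.3 KB for a 1000-byte DER) is larger than the whole of SignedInfo, DigestValue and SignatureValue together, which is the point made in the quoted reply. Leaving the certificate out and identifying the key by name or thumbprint is what keeps a signed assertion comfortably inside a 4096-byte transport, provided the verifier already trusts that key.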
