On Fri, Dec 9, 2011 at 2:43 PM, Sam Hartman <[email protected]> wrote:
> I think it is fairly likely that the IDP and RP will have the software
> to do normal SAML things, but in some of the deployments we're looking
> at will not have the provisioning (keys, metadata etc) to do SAML over
> HTTP.

And I wouldn't want to encourage reliance on the HTTPS PKI. However, what could be done is that an attribute with a URI could also have a digest of the thing to be fetched via HTTP, and maybe a digest of the server cert or an intermediate CA for it (or perhaps a key that the actual attribute payload will be encrypted in; that way we can use plain HTTP). But this starts sounding hairy.

> Also, I actually think there will be intermediates that will want to
> rewrite attributes.

I imagine so. I can see several reasons: 1) to rewrite attributes understood by one side into attributes understood by the other, 2) to apply privacy policies. (2) might be common in a deployment with a common, trusted trust broker, so to speak.

Nico

--
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
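The URI-plus-digest idea sketched in the message above, as an added example that is not code from the thread or from any abfab implementation: the attribute carries the SHA-256 of the content the RP will fetch, so the fetch can go over plain HTTP and altered content is still rejected, with integrity resting on the assertion rather than on the HTTPS PKI. The attribute format, the URIs and the attribute contents are constructed assumptions; the cert/CA pinning and encrypted-payload variants mentioned in the message are not shown.

```python
import hashlib
import hmac
from typing import Callable, NamedTuple


class AttributeRef(NamedTuple):
    """Hypothetical attribute value: a URI plus the SHA-256 of exactly
    the bytes that must come back (format assumed, not from the thread)."""
    uri: str
    sha256_hex: str


def issue_ref(uri: str, content: bytes) -> AttributeRef:
    """IdP side: bind the referenced content's digest into the assertion."""
    return AttributeRef(uri, hashlib.sha256(content).hexdigest())


def resolve_ref(ref: AttributeRef, fetch: Callable[[str], bytes]) -> bytes:
    """RP side: fetch over any transport, keep the bytes only if they match
    the digest the (signed) assertion carries; plain HTTP suffices for this."""
    body = fetch(ref.uri)
    actual = hashlib.sha256(body).hexdigest()
    # Constant-time compare; mismatched content is rejected, never used.
    if not hmac.compare_digest(actual, ref.sha256_hex.lower()):
        raise ValueError(f"digest mismatch for {ref.uri}")
    return body


# Constructed sample data standing in for an HTTP attribute store.
URI = "http://attrs.example.org/u/alice"
GOOD = b'{"eduPersonEntitlement": ["urn:example:printer"]}'
TAMPERED = b'{"eduPersonEntitlement": ["urn:example:admin"]}'


def honest_fetch(uri: str) -> bytes:
    return GOOD if uri == URI else b""


def tampered_fetch(uri: str) -> bytes:
    # Models a plain-HTTP response altered on the way to the RP.
    return TAMPERED if uri == URI else b""


def accepted(fetch: Callable[[str], bytes]) -> bool:
    """True if the RP accepts what this transport returns for the reference."""
    try:
        resolve_ref(issue_ref(URI, GOOD), fetch)
        return True
    except ValueError:
        return False
```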
