On 9 Dec 2011, at 21:50, Nico Williams <[email protected]> wrote:

> On Fri, Dec 9, 2011 at 2:43 PM, Sam Hartman
> <[email protected]> wrote:
>> I think it is fairly likely that the IDP and RP will have the software
>> to do normal SAML things, but in some of the deployments we're looking
>> at will not have the provisioning (keys, metadata etc) to do SAML over
>> HTTP.
> 
> And I wouldn't want to encourage reliance on the HTTPS PKI.
> 
> However, what could be done is that an attribute with a URI could also
> have a digest of the thing to be fetched via HTTP, and maybe a digest
> of the server cert or an intermediate CA for it (or perhaps a key that
> the actual attribute payload will be encrypted in, that way we can use
> plain HTTP).  But this starts sounding hairy.
> 

Drop the cert bits and you're essentially describing the way OpenID Connect
uses a resource token (OAuth) to dereference attributes.

>> Also, I actually think there will be intermediates that will want to
>> rewrite attributes.
> 
> I imagine so.  I can see several reasons: 1) to rewrite attributes
> understood by one side into attributes understood by the other, 2) to
> apply privacy policies.  (2) might be common in a deployment with a
> common, trusted trust broker, so to speak.
> 
> Nico
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
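The URI-plus-digest dereference Nico sketches above (a reference in the assertion carrying a digest of the document to be fetched, optionally a digest of the serving certificate, so the fetch itself need not rely on the HTTPS PKI), as an added example that is not code from this thread or from any abfab implementation. The attribute payload, certificate bytes and the pluggable `fetch` callable are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample attribute document an IdP would publish; the RP only
# receives the reference to it (URI + digests), not the document itself.
ATTRIBUTE_PAYLOAD = b'{"eduPersonAffiliation": ["staff"], "mail": "[email protected]"}'
# Constructed stand-in for the DER bytes of the server certificate.
SERVER_CERT_DER = b"constructed-cert-der-bytes"

Fetcher = Callable[[str], Tuple[bytes, Optional[bytes]]]


@dataclass(frozen=True)
class AttributeReference:
    uri: str
    payload_sha256: str                 # hex digest of the document to fetch
    cert_sha256: Optional[str] = None   # optional pin on the serving cert


class DereferenceError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_reference(uri: str, payload: bytes, cert_der: Optional[bytes] = None) -> AttributeReference:
    # Built by the IdP when it issues the assertion; the digests are what the
    # assertion's own signature protects, so the fetch channel need not be.
    cert_digest = sha256_hex(cert_der) if cert_der is not None else None
    return AttributeReference(uri, sha256_hex(payload), cert_digest)


def dereference(ref: AttributeReference, fetch: Fetcher) -> bytes:
    # fetch() returns (body, server_cert_der); cert is None over plain HTTP.
    body, cert_der = fetch(ref.uri)
    if ref.cert_sha256 is not None:
        if cert_der is None or not hmac.compare_digest(sha256_hex(cert_der), ref.cert_sha256):
            raise DereferenceError("server certificate does not match pinned digest")
    if not hmac.compare_digest(sha256_hex(body), ref.payload_sha256):
        raise DereferenceError("fetched payload does not match digest in assertion")
    return body


def fetch_rejected(ref: AttributeReference, fetch: Fetcher) -> bool:
    try:
        dereference(ref, fetch)
    except DereferenceError:
        return True
    return False


# Constructed fetchers: one honest, one where the document was altered in transit.
def honest_fetch(uri: str) -> Tuple[bytes, Optional[bytes]]:
    return ATTRIBUTE_PAYLOAD, SERVER_CERT_DER


def tampered_fetch(uri: str) -> Tuple[bytes, Optional[bytes]]:
    return ATTRIBUTE_PAYLOAD.replace(b"staff", b"admin"), SERVER_CERT_DER
```

Because the digest is bound to the signed assertion, a modified document or an unexpected serving certificate is rejected regardless of what the transport guaranteed.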
