On 11 Dec 2011, at 12:09 , Leif Johansson wrote:
> On 9 Dec 2011, at 21:50, Nico Williams <[email protected]> wrote:
>> However, what could be done is that an attribute with a URI could also
>> have a digest of the thing to be fetched via HTTP, and maybe a digest
>> of the server cert or an intermediate CA for it (or perhaps a key that
>> the actual attribute payload will be encrypted in, that way we can use
>> plain HTTP).  But this starts sounding hairy.
>>
>
> Drop the cert bits and you're essentially describing the way openid connect 
> uses a resource token (oauth) to de-reference attributes.

But in OpenID Connect the token is used to get access to the attributes, not 
for establishing trust between the RP (the client in OpenID parlance) and the 
attribute source. As Alan stated, going this way you cannot get rid of the need 
for two parallel trust infrastructures, and I think that is the essential 
argument for transferring the SAML data inside RADIUS.

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D

e-mail: [email protected]
Tel:      +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------


_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
