Sent from my iPad

On 11 Dec 2011, at 18:43, "DIEGO LOPEZ GARCIA" <[email protected]> wrote:

> On 11 Dec 2011, at 12:09, Leif Johansson wrote:
>> On 9 Dec 2011, at 21:50, Nico Williams <[email protected]> wrote:
>>> However, what could be done is that an attribute with a URI could also
>>> have a digest of the thing to be fetched via HTTP, and maybe a digest
>>> of the server cert or an intermediate CA for it (or perhaps a key that
>>> the actual attribute payload will be encrypted in, that way we can use
>>> plain HTTP). But this starts sounding hairy.
>>
>> Drop the cert bits and you're essentially describing the way OpenID Connect
>> uses a resource token (OAuth) to de-reference attributes.
>
> But in OpenID Connect the token is used to get access to the attributes, not
> for establishing trust between the RP (the client in OpenID parlance) and the
> attribute source. As Alan stated, going this way you cannot get rid of the
> need for two parallel trust infrastructures, and I think that is the
> essential argument for transferring the SAML data inside RADIUS.

Yeah, I guess that makes sense, thanks for indulging....

Klaas

> Be goode,
>
> --
> "This time we will not fail, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
>
> e-mail: [email protected]
> Tel: +34 913 129 041
> Mobile: +34 682 051 091
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
